Sure, but if you set "bearer-only" you can't currently use basic
authentication for your rest endpoint:
and basic is checked on line 61.
So if you have a rest application and you want it to support basic+bearer
authentication for the rest endpoint, you actually can't use bearer-only
for such an application and hence you need to enter a redirect URI for it,
even if you don't need it.
To address this, I would suggest a minor change in RequestAuthenticator,
so if my application is bearer-only and I have this in my keycloak.json:
"bearer-only": true,
"enable-basic-auth" : true
then it will allow both bearer+basic authentication.
Second change to suggest would be to support "Direct grants only" switch
for applications too, not just for oauth clients.
Marek
On 16.1.2015 20:27, Bill Burke wrote:
If you set "bearer-only" you don't have to enter in a
redirect URI.
On 1/16/2015 12:49 PM, Marek Posolda wrote:
> On 15.1.2015 16:38, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: keycloak-dev(a)lists.jboss.org
>>> Sent: Thursday, 15 January, 2015 4:18:55 PM
>>> Subject: Re: [keycloak-dev] Direct grant API enable/disable on
>>> per-app instead of realm
>>>
>>> I don't know...Once you have one public client that supports direct
>>> grants with a large enough scope, there's your attack vector.
>> Well, sure if you enable it for a public client with the full scope it
>> doesn't make much difference. But, currently you can't limit it at all
>> other than turning it off completely.
>>
>> Also, another thing is that currently we require a redirect-uri to be
>> registered for an app, but that shouldn't be required if an app only
>> uses the direct grant.
> +1, we allow specifying it for an oauth client though, but an oauth client
> doesn't have its own roles. So usually if you have an oauth client with
> "direct grants only" enabled, you need to give him some scopes to other
> existing application or realm roles, which makes it even less safe.
>
> Also a similar case is for the recently added Basic authentication support.
> When I have a rest application, which should allow authenticating my rest
> endpoints either with "bearer" or "basic" authentication, it shouldn't
> be needed to have a redirect-uri configured for this application.
> Currently it's needed.
>
> IMO we can easily fix it if we allow basic authentication for
> "bearer-only" applications too (as long as they have "enable-basic-auth"
> in adapter config). My understanding of a "Bearer only application" is a
> kind of application which can't request its own access token, but just
> allows rest authentication. So I am not seeing an issue with allowing basic
> auth for it.
>
> Marek
>>
>>>
>>> On 1/15/2015 7:00 AM, Stian Thorgersen wrote:
>>>> I propose we move the "Direct Grant API" enable/disable from the
>>>> realm and add it to applications/clients instead. This allows greater
>>>> control over what is exposed using the direct grant api.
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
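A small Python model of the dispatch change Marek proposes, added here as an illustration: this is not Keycloak's RequestAuthenticator, and the config dictionaries, helper names, outcome labels and sample credentials are constructed for the example.

```python
import base64
import json

# Constructed adapter configs; the two keys mirror the keycloak.json snippet in the thread.
CONFIGS = {
    "bearer_only": json.loads('{"bearer-only": true}'),
    "bearer_only_plus_basic": json.loads('{"bearer-only": true, "enable-basic-auth": true}'),
    "regular_app": json.loads('{"enable-basic-auth": true}'),
}


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value (constructed test input)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_authorization(header):
    """Split an Authorization header into (scheme, credentials); scheme is lowercased."""
    scheme, _, value = (header or "").strip().partition(" ")
    return scheme.lower(), value.strip()


def authenticate(config, header, proposed=False):
    """Hypothetical model of the RequestAuthenticator dispatch for one request.

    proposed=False models the behaviour the thread complains about: a bearer-only
    app never accepts Basic, so basic+bearer needs a full app (and a redirect URI).
    proposed=True models Marek's suggestion: Basic is accepted whenever
    "enable-basic-auth" is set, even for a "bearer-only" app.
    Returns (outcome, detail); credential checks are simulated, not real.
    """
    bearer_only = bool(config.get("bearer-only"))
    basic_enabled = bool(config.get("enable-basic-auth"))
    basic_allowed = basic_enabled and (proposed or not bearer_only)
    scheme, creds = parse_authorization(header)
    if scheme == "bearer" and creds:
        return "bearer", "token to be validated"
    if scheme == "basic" and creds and basic_allowed:
        user, _, _password = base64.b64decode(creds).decode().partition(":")
        # The adapter would exchange user:password for a token via the direct grant.
        return "basic", user
    if bearer_only:
        # Bearer-only apps answer with a challenge instead of a login redirect,
        # which is why they never need a registered redirect URI.
        return "challenge", ["Bearer"] + (["Basic"] if basic_allowed else [])
    return "redirect", "login redirect; requires a registered redirect URI"
```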