----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 15 January, 2015 4:18:55 PM
Subject: Re: [keycloak-dev] Direct grant API enable/disable on per-app instead of realm
I don't know...Once you have one public client that supports direct
grants with a large enough scope, there's your attack vector.
Well, sure, if you enable it for a public client with the full scope it doesn't make
much difference. But, currently you can't limit it at all other than turning it off
completely.
Also, another thing is that currently we require a redirect-uri to be registered for an
app, but that shouldn't be required if an app only uses the direct grant.
On 1/15/2015 7:00 AM, Stian Thorgersen wrote:
> I propose we move the "Direct Grant API" enable/disable from the realm and
> add it to applications/clients instead. This allows greater control over
> what is exposed using the direct grant api.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
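As an added example (not code from this thread or from the Keycloak project), the following script audits a Keycloak realm export for the situation discussed above: a public client with direct grants enabled and a broad scope, and a direct-grant-only client that still carries redirect URIs it does not need. It assumes the per-client fields that Keycloak's client representation later exposed (`publicClient`, `directAccessGrantsEnabled`, `fullScopeAllowed`, `standardFlowEnabled`, `redirectUris`); the realm JSON is constructed sample data, not a real export.

```python
"""Audit a Keycloak realm export for risky direct-grant (password grant) client settings."""
import json

# Constructed sample realm export (not real data). Field names follow Keycloak's
# client representation as it later shipped; treated here as an assumption.
SAMPLE_REALM_JSON = """
{
  "realm": "example",
  "clients": [
    {"clientId": "mobile-app", "publicClient": true,
     "directAccessGrantsEnabled": true, "fullScopeAllowed": true,
     "standardFlowEnabled": false, "redirectUris": ["http://localhost/*"]},
    {"clientId": "batch-service", "publicClient": false,
     "directAccessGrantsEnabled": true, "fullScopeAllowed": false,
     "standardFlowEnabled": false, "redirectUris": []},
    {"clientId": "web-portal", "publicClient": true,
     "directAccessGrantsEnabled": false, "fullScopeAllowed": false,
     "standardFlowEnabled": true, "redirectUris": ["https://portal.example/*"]}
  ]
}
"""


def audit_direct_grants(realm):
    """Return (clientId, severity, reason) tuples for risky direct-grant settings.

    HIGH:   public client, direct grants on, full scope (the thread's "attack vector").
    MEDIUM: public client with direct grants on but a limited scope.
    LOW:    direct-grant-only client (browser flow off) that still registers
            redirect URIs, which it does not need and which widen its surface.
    """
    findings = []
    for client in realm.get("clients", []):
        cid = client.get("clientId", "?")
        direct = client.get("directAccessGrantsEnabled", False)
        public = client.get("publicClient", False)
        full_scope = client.get("fullScopeAllowed", False)
        browser_flow = client.get("standardFlowEnabled", True)
        redirects = client.get("redirectUris", [])

        if direct and public and full_scope:
            findings.append((cid, "HIGH", "public client with direct grants and full scope"))
        elif direct and public:
            findings.append((cid, "MEDIUM", "public client with direct grants enabled"))

        if direct and not browser_flow and redirects:
            findings.append((cid, "LOW", "direct-grant-only client still registers redirect URIs"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample realm."""
    return audit_direct_grants(json.loads(SAMPLE_REALM_JSON))


if __name__ == "__main__":
    for client_id, severity, reason in audit_sample():
        print(f"[{severity}] {client_id}: {reason}")
```

Run against a real export (`kc.sh export` or the admin console's realm export) by replacing `SAMPLE_REALM_JSON` with the file contents; a realm-wide toggle can only switch the grant off for everyone, whereas a per-client audit like this lets you keep it on for the confidential service accounts that need it and flag the public clients that should not have it.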