Re: [keycloak-dev] why authenticate clients?
On 2.3.2014 23:24, Bill Burke wrote:
A good read:
http://tools.ietf.org/html/rfc6749#section-3.2.1
I was thinking about our current client-secret requirement. I don't
think there is any security hole if you are doing the OAuth protocol
over SSL, you are validating redirect_uris and the client sends its
"client_id" when obtaining an access token.
* Keycloak server ensures the access code is transmitted to a valid site
by verifying/validating the redirect_uri sent.
I am not sure if protection based on
redirect_uris could be considered
secure. For example if Keycloak has application with redirect_uri
"http://www.redhat.com/something" then nothing prevents me from adding
"www.redhat.com" into my /etc/hosts and run application on my machine
bind to "www.redhat.com", which will communicate with Keycloak. It seems
that Keycloak won't be able to recognize if request really comes from
valid "www.redhat.com" or from my fake host.
Marek
* Since you're using HTTPS, the browser ensures the site is valid
by
checking it's cert.
* If you send the "client_id" when obtaining the access token, the auth
server can verify that there was no access code substitution.
One of the uses described in 3.2.1 is that it is easier to reset a
client's credentials than invalidating all the refresh tokens sent to
it. I'm not so sure that is true. If there were a per-app/per-oauth
client Not-Before setting, we could check this on a refresh request.
Any counter arguments to these assumptions? I'm going to see if anybody
on the oauth email list will verify these assumptions.