Re: [keycloak-dev] application configuration idea

From: "Stian Thorgersen" <stian(a)redhat.com&gt; To: "Bill Burke" <bburke(a)redhat.com&gt; Cc: keycloak-dev(a)lists.jboss.org Sent: Friday, 20 September, 2013 4:04:36 PM Subject: Re: [keycloak-dev] application configuration idea ----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Friday, 20 September, 2013 3:48:05 PM > Subject: Re: [keycloak-dev] application configuration idea > > > > On 9/20/2013 10:29 AM, Stian Thorgersen wrote: > > Can you not just remove the password from the config file completely - > > and > > pass the password directly using the system property? > > > > Config might also include: > > * TOTP Key > * Key pair and cert for two-way SSL. Forgot that - with that in mind then encryption + password is a good approach - would be good if it could be enabled/disabled for a realm though > > > > Another related thing, this only works for server-side > > applications/services - for client-side applications the application > > credentials aren't available (if they are an attacker can access them by > > simply downloading the application). To my understanding this means we > > need to support the implicit flow for client-side applications? > > > > Depends how the mobile native app wants to do authentication. > Application credentials help prevent spoofing attacks. i.e. making the > user think they are logging into Bank of America or something when > you're really logging into the attacker's site. Auth server requires > client to authenticate before turning a access code into an access > token. Mobile is different because the relationship between user and > application is 1 to 1. I'm not sure what to do for native mobile apps. I guess if application doesn't have access to anything that's not public it's there's no security implications of the key/secrets to it being leaked. So with that in mind you could still use the full flow for both html5 and mobile (and any other client-side stuff, consoles, desktop apps, etc..) > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev