That's at least one ;)
Confidential clients are always going to be more secure, but public clients are a
requirement, so whatever we can do to make them more secure would be great. At some point
confidential clients need to be exposed to a browser though, and that means they will
need some way of securing the public client. Even an http-only cookie is still vulnerable.
For example, if there's an exploit in the browser, or the hacker gains read access to
the file-system, it would be relatively easy to extract the refresh token from the
cookie.
End of the day, there are a few things that are outside of our control:
* Exploits in browsers
* Hackers that gain access to the file-system
* Users that don't check the URL (and https certificate)
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Marek Posolda" <mposolda(a)redhat.com>, "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 7 March, 2014 5:58:23 PM
Subject: Re: [keycloak-dev] why authenticate clients?
Okay, I think I've figured out why confidential clients are better.
A hacker could spoof the login page, obtain client credentials, and in the
background have a script that performs the login flow. With a public
client, the hacker would be able to get the access token as there is no
protection. With a confidential client, the hacker would not have the
client credentials and would not be able to turn a code into a token.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
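As an added illustration of Bill's point above (not code from this thread or from Keycloak), this sketch of an authorization server's token endpoint shows why a captured authorization code is useless on its own against a confidential client: the code-to-token exchange also requires the client secret, which a spoofed login page never sees. Client ids, the secret and the code store are constructed sample values.

```python
import hmac
import secrets

# Constructed client registry: one public client (no secret) and one
# confidential client (holds a secret the browser never sees).
CLIENTS = {
    "spa-app": {"public": True, "secret": None},
    "server-app": {"public": False, "secret": "s3cr3t-example"},
}

# Authorization codes handed out by the login flow: code -> client_id.
ISSUED_CODES = {}


def issue_code(client_id):
    """Simulate the end of a successful login: mint a single-use code."""
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = client_id
    return code


def token_endpoint(client_id, code, client_secret=None):
    """Model of the code-to-token exchange. Returns (http_status, body)."""
    client = CLIENTS.get(client_id)
    if client is None:
        return 400, {"error": "invalid_client"}
    if not client["public"]:
        # Confidential clients must authenticate; compare in constant time.
        if client_secret is None or not hmac.compare_digest(
            client_secret, client["secret"]
        ):
            return 401, {"error": "invalid_client"}
    # The code must exist and must have been issued to this very client.
    if ISSUED_CODES.get(code) != client_id:
        return 400, {"error": "invalid_grant"}
    del ISSUED_CODES[code]  # codes are single use
    return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def demo():
    """Attacker holds a captured code for each client but no client secret."""
    public_code = issue_code("spa-app")
    conf_code = issue_code("server-app")
    public_attack = token_endpoint("spa-app", public_code)          # succeeds
    conf_attack = token_endpoint("server-app", conf_code)           # rejected
    conf_legit = token_endpoint("server-app", conf_code, "s3cr3t-example")
    public_replay = token_endpoint("spa-app", public_code)          # code spent
    return public_attack[0], conf_attack[0], conf_legit[0], public_replay[0]
```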