On 9/20/2013 10:29 AM, Stian Thorgersen wrote:
> Can you not just remove the password from the config file completely
> and pass the password directly using the system property?
>
> Config might also include:
> * TOTP Key
> * Key pair and cert for two-way SSL.
>
> Another related thing: this only works for server-side
> applications/services. For client-side applications the application credentials
> aren't available (if they are, an attacker can access them by simply downloading the
> application). To my understanding, this means we need to support the implicit flow for
> client-side applications?
Depends how the mobile native app wants to do authentication.
Application credentials help prevent spoofing attacks, i.e., making the
user think they are logging into Bank of America or something when
they're really logging into the attacker's site. The auth server requires the
client to authenticate before turning an access code into an access
token. Mobile is different because the relationship between user and
application is 1 to 1. I'm not sure what to do for native mobile apps.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
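The code-for-token exchange discussed in this thread, as an added example that is not part of the original messages or of Keycloak's code: a toy Python authorization server (the class and function names, the APP_CLIENT_SECRET variable and the sample client ids are all hypothetical) that requires a confidential client to authenticate before a code is redeemed, and that has nothing to check for a public client, so anyone holding that client's code gets the token. It also shows the suggestion of taking the secret from the environment rather than from the config file.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def hash_secret(secret: str) -> str:
    """Store only a digest of the client secret, never the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Client:
    client_id: str
    redirect_uri: str
    # None marks a public (client-side) client that cannot hold a secret.
    secret_hash: Optional[str] = None

    @property
    def confidential(self) -> bool:
        return self.secret_hash is not None


@dataclass
class AuthServer:
    """Toy model of the auth server side of the exchange (hypothetical, not Keycloak)."""
    clients: Dict[str, Client] = field(default_factory=dict)
    # code -> {"client_id", "user", "used"}: codes are single-use and bound to one client
    codes: Dict[str, dict] = field(default_factory=dict)

    def register(self, client: Client) -> None:
        self.clients[client.client_id] = client

    def authorize(self, client_id: str, redirect_uri: str, user: str) -> str:
        """Front channel: after the user logs in, issue a short-lived code for this client."""
        client = self.clients.get(client_id)
        if client is None or client.redirect_uri != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "user": user, "used": False}
        return code

    def token(self, code: str, client_id: str, client_secret: Optional[str] = None) -> dict:
        """Back channel: turn a code into an access token.

        A confidential client must authenticate first; a public client cannot,
        so whoever holds its code can redeem it.
        """
        client = self.clients.get(client_id)
        if client is None:
            raise PermissionError("unknown client")
        if client.confidential:
            if client_secret is None or not hmac.compare_digest(
                hash_secret(client_secret), client.secret_hash
            ):
                raise PermissionError("client authentication failed")
        entry = self.codes.get(code)
        if entry is None or entry["used"] or entry["client_id"] != client_id:
            raise PermissionError("invalid, replayed or foreign code")
        entry["used"] = True
        return {"access_token": secrets.token_urlsafe(24), "sub": entry["user"]}


def load_client_secret(config: Dict[str, str], env: Dict[str, str]) -> Optional[str]:
    """Prefer a secret passed via the environment / system property, so it need not
    live in the config file at all (the variable name APP_CLIENT_SECRET is hypothetical)."""
    return env.get("APP_CLIENT_SECRET") or config.get("client_secret")


def demo() -> Dict[str, bool]:
    """Run the scenarios from the thread and report which exchanges succeed."""
    server = AuthServer()
    server.register(Client("bank-web", "https://bank.example/cb", hash_secret("s3cr3t")))
    server.register(Client("bank-mobile", "bankapp://cb"))  # public client, no secret

    def attempt(code: str, client_id: str, secret: Optional[str] = None) -> bool:
        try:
            server.token(code, client_id, secret)
            return True
        except PermissionError:
            return False

    code = server.authorize("bank-web", "https://bank.example/cb", "alice")
    results = {
        # an attacker who intercepted the code but lacks the client secret
        "attacker_without_secret": attempt(code, "bank-web", None),
        "attacker_wrong_secret": attempt(code, "bank-web", "guess"),
        # the legitimate server-side app authenticates and succeeds
        "server_side_app": attempt(code, "bank-web", "s3cr3t"),
        # the same code cannot be redeemed twice
        "code_replay": attempt(code, "bank-web", "s3cr3t"),
    }
    mobile_code = server.authorize("bank-mobile", "bankapp://cb", "alice")
    # nothing to check for the public client: whoever holds the code gets the token
    results["public_client_anyone"] = attempt(mobile_code, "bank-mobile", None)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'token issued' if ok else 'rejected'}")
```

The constant-time comparison (`hmac.compare_digest`) and the hashed secret are the minimum a real token endpoint would do; the point of the example is the asymmetry between the two clients, which is exactly the gap the thread raises for client-side and native applications.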