4:01 a.m.
Ah, really?
I am curious why you have this requirement? Is it due the security? I
wonder that if request is signed with the private key of the client,
then it's not any difference regarding security if it's "request" or
"request_uri" . It can't happen that someone will be able to construct
request object and "put" it on specific URI due the fact that he won't
be able to sign it (unless he steal the client RSA key, but that would
be broken security anyway and he will be able to construct "request"
object the exactly same way).
Thanks,
Marek
On 09/03/18 10:32, Aron Bustya wrote:
Hi Marek,
Thans for the reply.
In the meantime I found out that we must only accept a request object
entered directly, and not a request_uri (my first implementation
handles the two together).
But I'm afraid this makes the configuration more complicated.
I can imagine it with 3 switches:
-Accept auth. request without request object
-Accept auth. request with request object included in request param
-Accept auth. request with request object referenced with request_uri
(All of them true by default.)
Or maybe with a dropdown "Accept auth. request":
-any (default)
-with request object included in request paramor referenced
withrequest_uri
-with request object included in request param
-withrequest object referenced withrequest_uri
Is this too much to add on the UI?
Do you have a better idea?
Thanks,
Áron
On 8 March 2018 at 17:23, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
On 08/03/18 15:25, Marek Posolda wrote:
Hi,
sorry to not respond earlier. Your usecase makes sense to me
and the code you did as well. One minor thing, which is
missing, is admin console update. I think you need to add new
switch to the client details page. Please add it to same
section like "Advanced config" where are other things like
request object signature algorithm etc.
Forgot to mention, that it will be nice if you send PR once you do
it :)
Thanks,
Marek
Thanks,
Marek
On 06/03/18 20:13, Aron Bustya wrote:
Hello!
Can I get some reaction to this? (The community guidelines
say I need to
ask around before sending pull requests.)
Regards,
Áron Bustya
On 2 December 2017 at 04:44, Aron Bustya
<aron.bustya.js(a)gmail.com
<mailto:aron.bustya.js@gmail.com>> wrote:
Hi!
I have a use case where the server must accept
authorization requests only
when they contain a signed request object (should be
configurable per
client).
I have found a way to make the signing of the request
object mandatory by
specifying a 'request.object.signature.alg' attribute
on the client, but
this only applies if a request object exists in the
first place.
I would like to propose a pull request: It defines a
new client attribute
'request.object.required'. If this is set to 'true',
the client must send a
request object when initiating an authorization request.
Current code can be checked here:
https://github.com/abustya/
keycloak/commit/476912906a3ad0d290220a1f54abee073dba687a
What do you think?
Regards,
Áron Bustya
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
<mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
<https://lists.jboss.org/mailman/listinfo/keycloak-dev>