Can you not just remove the password from the config file completely - and pass the
password directly using the system property?
Another related thing, this only works for server-side applications/services - for
client-side applications the application credentials aren't available (if they are an
attacker can access them by simply downloading the application). To my understanding this
means we need to support the implicit flow for client-side applications?
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 20 September, 2013 3:19:13 PM
Subject: [keycloak-dev] application configuration idea
This is what an application configuration file looks like:
{
  "realm" : "demo",
  "resource" : "product-portal",
  "realm-public-key" : "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADC",
  "auth-url" : "http://localhost:8080/auth-server/rest/realms/demo/tokens/login",
  "code-url" : "http://localhost:8080/auth-server/rest/realms/demo/tokens/access/codes",
  "ssl-not-required" : true,
  "credentials" : {
    "password" : "password"
  }
}
Notice that the credentials are in clear text. Admins will dislike this
tremendously. What I propose is that you must obtain the application
configuration file from the admin console. The configuration file would
be encrypted using a hash of a password specific to the application.
The config file would then look something like this:
{
  "realm" : "demo",
  "encryptedConfig" : "MIGMA0GCSqGS..."
}
Then, your server instance must be booted up via a system property or
environment variable, i.e.:
standalone.sh -Dkeycloak.myrealm.password=geheim
The keycloak plugin would then decrypt the application config file based
on this password.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
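A worked sketch of the proposal in Bill's message, added here as an illustration and not code from Keycloak or from either mail: an admin-console side that encrypts the clear-text JSON under the application password, and a plugin side that reads the password from the -Dkeycloak.<realm>.password system property (or an environment variable) at boot and decrypts the "encryptedConfig" value. It assumes PBKDF2 with a random salt as the "hash of a password", AES-GCM so that a wrong password or an altered file is rejected instead of silently decrypting to garbage, and a blob layout of salt || iv || ciphertext+tag. The class name, the environment variable name, the iteration count and the sample values are all invented for this example.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/**
 * Hypothetical helper (not Keycloak code) showing password-based protection of
 * an application configuration file. Blob layout, Base64-encoded as one string:
 *   salt(16) || iv(12) || AES-GCM ciphertext+tag
 */
public class ConfigCrypto {
    private static final int SALT_LEN = 16;
    private static final int IV_LEN = 12;
    private static final int TAG_BITS = 128;
    private static final int PBKDF2_ITERATIONS = 200_000; // assumption for the example
    private static final SecureRandom RNG = new SecureRandom();

    /** Derive an AES-256 key from the application password with salted PBKDF2 rather than a bare hash. */
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, 256);
        try {
            byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return new SecretKeySpec(keyBytes, "AES");
        } finally {
            spec.clearPassword();
        }
    }

    /** Admin-console side: encrypt the clear-text JSON for one application. */
    public static String encrypt(String clearJson, char[] password) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(clearJson.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[SALT_LEN + IV_LEN + ct.length];
        System.arraycopy(salt, 0, blob, 0, SALT_LEN);
        System.arraycopy(iv, 0, blob, SALT_LEN, IV_LEN);
        System.arraycopy(ct, 0, blob, SALT_LEN + IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }

    /** Plugin side: decrypt at boot; GCM throws if the blob was altered or the password is wrong. */
    public static String decrypt(String encryptedConfig, char[] password) throws Exception {
        byte[] blob = Base64.getDecoder().decode(encryptedConfig);
        if (blob.length < SALT_LEN + IV_LEN + TAG_BITS / 8) {
            throw new IllegalArgumentException("encryptedConfig too short to be valid");
        }
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + IV_LEN, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(TAG_BITS, iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    /** Boot-time secret: -Dkeycloak.<realm>.password as in the mail, else an env var (name assumed here). */
    static char[] bootPassword(String realm) {
        String value = System.getProperty("keycloak." + realm + ".password");
        if (value == null) {
            value = System.getenv("KEYCLOAK_" + realm.toUpperCase() + "_PASSWORD");
        }
        if (value == null) {
            throw new IllegalStateException("no application password supplied for realm " + realm);
        }
        return value.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample mirroring the clear-text file in the thread; a real plugin would
        // call bootPassword("demo") instead of the literal below.
        String clear = "{\"realm\":\"demo\",\"resource\":\"product-portal\","
                + "\"credentials\":{\"password\":\"password\"}}";
        char[] pw = "geheim".toCharArray();
        String enc = encrypt(clear, pw);
        System.out.println("{ \"realm\" : \"demo\", \"encryptedConfig\" : \"" + enc + "\" }");
        System.out.println(decrypt(enc, pw).equals(clear) ? "round-trip ok" : "round-trip FAILED");
        try {
            decrypt(enc, "wrong".toCharArray());
        } catch (AEADBadTagException e) {
            System.out.println("wrong password or tampered blob rejected");
        }
    }
}
```

Compile and run with javac ConfigCrypto.java && java ConfigCrypto; to exercise the property path, start it with -Dkeycloak.demo.password=geheim. The design point Stian's reply raises applies equally to this sketch: encrypting the file relocates the secret into the boot-time password, it does not remove the secret from the machine. A -D argument is visible in the process list (ps) to other local users and may land in shell history, so the environment-variable path, or a password file readable only by the service account, is the variant to prefer in practice, and the protection is only as strong as the password fed into PBKDF2.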