Re: [keycloak-dev] Zero-knowledge proof of password?
I did a bit of looking for a non-interactive version of OTP, and I managed
to find this:
http://www.a100websolutions.in/otp-using-php-one-time-passwords/
I don't know if this answers your question, but I found it an interesting
read anyway!
Hope this helps!
On Tue, Mar 7, 2017 at 8:31 PM, Mark True <mtrue(a)redhat.com> wrote:
I think the closest people have come to what you describe are things
like
FreeOTP or the RSA Firewall fobs. These provide one way passwords that
are based on "what you know" and do not require of transmitting a permanent
password over cleartext.
Hope this helps!
On Tue, Mar 7, 2017 at 6:05 PM, Bill Burke <bburke(a)redhat.com> wrote:
> What does that even mean? Keycloak's SSL mode can forbid non SSL
> connections. FYI, OIDC requires SSL.
>
>
> On 3/7/17 4:22 PM, Peter K. Boucher wrote:
> > Suppose you don't want your passwords transmitted in the clear after
> SSL is
> > terminated by a proxy.
> >
> >
> >
> > Has anyone developed a secure way for the client to prove they have the
> > password, rather than transmitting it in the body of a post?
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>