12:46 a.m.
Currently a bearer-only client can't have a service account and that seems
like a mistake. Further this prevents bearer-only clients to use the
authorization services.
Is there any good reasons why bearer-only clients can't have service
accounts and be able to obtain token using the client credential grant?
The only thing a bearer-only client should be prevented to do IMO is
authenticate users (authorization code flow and resource owner credential
grant).
8:56 a.m.
+1. Besides, there is a very clear if statement on the token endpoint that blocks any
attempt from bearer-only clients to obtain tokens.
On 1/4/2017 3:47:48 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
Currently a bearer-only client can't have a service account and that seems
like a mistake. Further this prevents bearer-only clients to use the
authorization services.
Is there any good reasons why bearer-only clients can't have service
accounts and be able to obtain token using the client credential grant?
The only thing a bearer-only client should be prevented to do IMO is
authenticate users (authorization code flow and resource owner credential
grant).
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:23 a.m.
On 4 January 2017 at 14:56, Pedro Igor <psilva(a)redhat.com> wrote:
+1. Besides, there is a very clear if statement on the token endpoint
that
blocks any attempt from bearer-only clients to obtain tokens.
FIY that if statement was added before we did service accounts / client
credential grants
On 1/4/2017 3:47:48 AM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
Currently a bearer-only client can't have a service account and that seems
like a mistake. Further this prevents bearer-only clients to use the
authorization services.
Is there any good reasons why bearer-only clients can't have service
accounts and be able to obtain token using the client credential grant?
The only thing a bearer-only client should be prevented to do IMO is
authenticate users (authorization code flow and resource owner credential
grant).
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
11:49 a.m.
Yeah, it was there since day 0 if you look git history.
On 1/4/2017 12:23:42 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
On 4 January 2017 at 14:56, Pedro Igor <psilva(a)redhat.com
[mailto:psilva@redhat.com]> wrote:
+1. Besides, there is a very clear if statement on the token endpoint that blocks any
attempt from bearer-only clients to obtain tokens.
FIY that if statement was added before we did service accounts / client credential grants
On 1/4/2017 3:47:48 AM, Stian Thorgersen <sthorger(a)redhat.com
[mailto:sthorger@redhat.com]> wrote:
Currently a bearer-only client can't have a service account and that seems
like a mistake. Further this prevents bearer-only clients to use the
authorization services.
Is there any good reasons why bearer-only clients can't have service
accounts and be able to obtain token using the client credential grant?
The only thing a bearer-only client should be prevented to do IMO is
authenticate users (authorization code flow and resource owner credential
grant).
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org [mailto:keycloak-dev@lists.jboss.org]
https://lists.jboss.org/mailman/listinfo/keycloak-dev
[https://lists.jboss.org/mailman/listinfo/keycloak-dev]
2:36 a.m.
Added https://issues.jboss.org/browse/KEYCLOAK-4156
On 4 January 2017 at 17:49, Pedro Igor <psilva(a)redhat.com> wrote:
Yeah, it was there since day 0 if you look git history.
On 1/4/2017 12:23:42 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
On 4 January 2017 at 14:56, Pedro Igor <psilva(a)redhat.com> wrote:
> +1. Besides, there is a very clear if statement on the token endpoint
> that blocks any attempt from bearer-only clients to obtain tokens.
>
FIY that if statement was added before we did service accounts / client
credential grants
> On 1/4/2017 3:47:48 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> Currently a bearer-only client can't have a service account and that
> seems
> like a mistake. Further this prevents bearer-only clients to use the
> authorization services.
>
> Is there any good reasons why bearer-only clients can't have service
> accounts and be able to obtain token using the client credential grant?
>
> The only thing a bearer-only client should be prevented to do IMO is
> authenticate users (authorization code flow and resource owner credential
> grant).
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
10:05 a.m.
On 04/01/17 06:46, Stian Thorgersen wrote:
Currently a bearer-only client can't have a service account and
that seems
like a mistake. Further this prevents bearer-only clients to use the
authorization services.
Is there any good reasons why bearer-only clients can't have service
accounts and be able to obtain token using the client credential grant?
I assumed
that bearer-only client shouldn't be able to have any tokens
and clientSessions, which are dedicated directly to him. It is just REST
service, which "consumes" the access tokens created for other clients.
Also the flag name "Bearer-only" states exactly this. That's the main
reason why I did it that way for service accounts.
I can't see any big issue with bearer-only client being able to have
service account. There are just few things, which will need to be done
though (eg. tabs "Mappers" and "Scopes" will need to be enabled for
bearer-only clients with enabled service account etc).
Marek
The only thing a bearer-only client should be prevented to do IMO is
authenticate users (authorization code flow and resource owner credential
grant).
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:44 a.m.
Set fix version on the issue to 3.0.0.CR1. It's not critical now, but we
should do it.
On 6 January 2017 at 16:05, Marek Posolda <mposolda(a)redhat.com> wrote:
On 04/01/17 06:46, Stian Thorgersen wrote:
> Currently a bearer-only client can't have a service account and that seems
> like a mistake. Further this prevents bearer-only clients to use the
> authorization services.
>
> Is there any good reasons why bearer-only clients can't have service
> accounts and be able to obtain token using the client credential grant?
>
I assumed that bearer-only client shouldn't be able to have any tokens and
clientSessions, which are dedicated directly to him. It is just REST
service, which "consumes" the access tokens created for other clients. Also
the flag name "Bearer-only" states exactly this. That's the main reason
why
I did it that way for service accounts.
I can't see any big issue with bearer-only client being able to have
service account. There are just few things, which will need to be done
though (eg. tabs "Mappers" and "Scopes" will need to be enabled for
bearer-only clients with enabled service account etc).
Marek
>
> The only thing a bearer-only client should be prevented to do IMO is
> authenticate users (authorization code flow and resource owner credential
> grant).
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
2661
days inactive
2666
days old
6 comments
3 participants
participants (3)
-
Marek Posolda -
Pedro Igor -
Stian Thorgersen