I don't know about the specifics of apiman, but this secret is not used
only for direct access grants, in general. All in all, I'm not a big fan
of shipping with a default secret/password (or any security "token").
If that also makes you uncomfortable, you might want to try to change the "credential" for the "apiman" client on the "apiman" realm via the Keycloak admin console:
- login to the auth console (admin:admin are the default credentials)
- select the apiman realm on the top-left
- select "Clients" and then "apiman"
- select the second tab, "Credentials"
- "Regenerate secret"
This new secret should go into the standalone.xml, as value for all
"kc:credential[name=secret]" whose realm/resource are "apiman".
- Juca.
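Added example, not code from apiman or Keycloak: a small script that does the last step of the procedure above, i.e. writes a freshly regenerated secret into every "kc:credential[name=secret]" of a standalone.xml whose realm and resource are both "apiman", and reports which deployments are still on the shipped default value "password". It assumes the kc:secure-deployment layout in the urn:jboss:domain:keycloak:1.0 namespace quoted in the thread, and that the operator has already produced the new secret with "Regenerate secret" in the admin console. The embedded standalone.xml fragment is constructed sample data.

```python
"""Rotate the Keycloak client secret in a Wildfly standalone.xml.

Added example (not apiman's or Keycloak's own code). Assumes the
<kc:secure-deployment> layout from the thread; the new secret comes from
"Regenerate secret" in the Keycloak admin console and is read from stdin.
"""
import sys
import xml.etree.ElementTree as ET

KC_NS = "urn:jboss:domain:keycloak:1.0"
NS = {"kc": KC_NS}
DEFAULT_SECRET = "password"  # the placeholder value shipped in the config

# Keep the kc: prefix when the tree is serialized again.
ET.register_namespace("kc", KC_NS)

# Constructed sample: two apiman deployments and one unrelated one.
SAMPLE_XML = """<server>
  <kc:secure-deployment xmlns:kc="urn:jboss:domain:keycloak:1.0" name="apiman.war">
    <kc:realm>apiman</kc:realm>
    <kc:resource>apiman</kc:resource>
    <kc:credential name="secret">password</kc:credential>
  </kc:secure-deployment>
  <kc:secure-deployment xmlns:kc="urn:jboss:domain:keycloak:1.0" name="apiman-gateway.war">
    <kc:realm>apiman</kc:realm>
    <kc:resource>apiman</kc:resource>
    <kc:credential name="secret">password</kc:credential>
  </kc:secure-deployment>
  <kc:secure-deployment xmlns:kc="urn:jboss:domain:keycloak:1.0" name="other.war">
    <kc:realm>other</kc:realm>
    <kc:resource>other</kc:resource>
    <kc:credential name="secret">password</kc:credential>
  </kc:secure-deployment>
</server>
"""


def deployments_with_default_secret(xml_text):
    """Names of secure-deployments whose 'secret' credential is still the shipped default."""
    root = ET.fromstring(xml_text)
    hits = []
    for dep in root.iter(f"{{{KC_NS}}}secure-deployment"):
        for cred in dep.findall("kc:credential[@name='secret']", NS):
            if (cred.text or "").strip() == DEFAULT_SECRET:
                hits.append(dep.get("name"))
    return hits


def rotate_secret(xml_text, new_secret, realm="apiman", resource="apiman"):
    """Set the 'secret' credential of every secure-deployment whose realm and resource match.

    Returns (updated_xml, number_of_credentials_changed). Deployments for other
    realms/resources are left untouched, since they use a different client secret.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for dep in root.iter(f"{{{KC_NS}}}secure-deployment"):
        if dep.findtext("kc:realm", namespaces=NS) != realm:
            continue
        if dep.findtext("kc:resource", namespaces=NS) != resource:
            continue
        for cred in dep.findall("kc:credential[@name='secret']", NS):
            cred.text = new_secret
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def main(argv):
    # usage: rotate_secret.py <standalone.xml>; the secret is read from stdin
    # rather than argv so it does not end up in shell history or `ps` output.
    if len(argv) != 2:
        print("usage: rotate_secret.py <standalone.xml>  (new secret on stdin)", file=sys.stderr)
        return 2
    new_secret = sys.stdin.readline().strip()
    if not new_secret or new_secret == DEFAULT_SECRET:
        print("refusing to write an empty or default secret", file=sys.stderr)
        return 1
    with open(argv[1], encoding="utf-8") as fh:
        updated, n = rotate_secret(fh.read(), new_secret)
    with open(argv[1], "w", encoding="utf-8") as fh:
        fh.write(updated)
    left = deployments_with_default_secret(updated)
    print(f"updated {n} credential(s); still on default secret: {left or 'none'}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python rotate_secret.py standalone.xml < secret.txt` after regenerating the secret in the console; the final line tells you whether any deployment (for any realm) is still carrying the literal "password".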
On 09.12.2015 03:20, Paul Blair wrote:
I'm setting up apiman with Keycloak and have a question that the folks on the apiman user list suggested I ask here.
In the Wildfly configuration for apiman, I see several entries like this
(one for each war file):
<kc:secure-deployment xmlns:kc="urn:jboss:domain:keycloak:1.0" name="apiman.war">
    <kc:realm>apiman</kc:realm>
    <kc:resource>apiman</kc:resource>
    <kc:credential name="secret">password</kc:credential>
</kc:secure-deployment>
I'm noticing that they fill in the word "password" here, but in their
instructions they don't specify to replace it with a particular
password. My guess is that this credential is used only for applications
that request REST Direct Access Grants, and that since apiman doesn't do
that, they can use a dummy password in this configuration.
Is it correct that this credential is used only for Direct Access Grants?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user