Direct grants require the client to have access to an user's
credentials. On our specific case, having plain text access to the
account credentials are not viewed as very secure by sysadmins. So,
issuing those tokens and making them individually revokable make sense.
On 20.01.2016 16:32, Bill Burke wrote:
I honestly don't get why you are doing this. I assume you are
familiar
with direct grants. Why aren't these enough? Its just a REST call to
keycloak to obtain a token. Honestly, this seems ridiculous.
On 1/20/2016 9:15 AM, Juraci Paixão Kröhling wrote:
> For Hawkular, we were in the need of a simplified way for a REST client
> to communicate with our backend. After discussing this with Stian, we
> started the "secret-store" module, which was just spun off of Hawkular
> into a "standalone" project.
>
> Secret Store is a module for scenarios where the whole OAuth procedure
> might be undesirable or not feasible on the client side.
>
> The Secret Store has two sides:
>
> 1) a REST endpoint to create opaque tokens backed by OAuth Offline
> Tokens composed of a key and secret;
>
> 2) An Undertow filter/Proxy server, that translates the opaque tokens
> into OAuth bearer tokens, rewriting the incoming request. To your
> backend, it's transparent whether an opaque token or a proper OAuth
> token was used.
>
> More info here:
https://github.com/jpkrohling/secret-store
>
> - Juca.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-user