Hey, that all sounds pretty good! So far I was a bit reluctant to use a third party login screen... But on second thought, the argument of being able to add credential types over time without having to change your application sounds pretty compelling.

Would you be interested in working together on a small AngularJS example to showcase the integration of Keycloak and client-side web applications?

Cheers,
Nils

On Wed, Jan 29, 2014 at 4:07 PM, Bill Burke <bburke@redhat.com> wrote:

On 1/29/2014 9:56 AM, Nils Preusker wrote:
> Hi Bill,
>
> maybe you can elaborate a bit on why you think 4.3 (Resource Owner
> Password Grant) is a potential security hole.
>

Keycloak has the concept of "scope".  Scope is the set of roles that a client
is allowed to request.  For instance, a user may have "admin"
privileges, but you may not want to grant a token with admin privileges
to a specific client.

> Your assumption - that we want to control our own login screen - is
> correct.
>

We're adding style sheets and pluggable themes, maybe that could push
you to move to a Keycloak hosted login screen?  I don't know.

> About your security concern, it is possible to just add fields (like a
> client id) to 4.3. As far as I'm aware, Salesforce does this with the
> "client_id" and "client_secret" parameters for API access to
> salesforce.com.
>

Yes, that's what I'm planning to do.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
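The point Bill makes about "scope" and the plan to add client_id/client_secret to the 4.3 (Resource Owner Password) grant can be shown in a few lines. The model below is an added example for this thread, not Keycloak's code or anything from the list: a toy token endpoint where the client must authenticate, must be enabled for the password grant, and receives a token carrying only the intersection of the user's roles and the roles the client is allowed to request. The user, client, role and secret values are constructed for the example; the error codes are the ones RFC 6749 defines.

```python
"""Toy OAuth 2.0 Resource Owner Password grant (RFC 6749 section 4.3) with a
per-client scope filter. Constructed illustration; not Keycloak's implementation."""
import hashlib
import hmac
import os
import secrets


def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest for the demo.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def _verify(secret: str, salt: bytes, expected: bytes) -> bool:
    # Constant-time comparison of the derived hash.
    return hmac.compare_digest(_hash(secret, salt), expected)


class Store:
    """In-memory user and client registry (constructed for the example)."""

    def __init__(self):
        self.users = {}    # username  -> (salt, hash, roles)
        self.clients = {}  # client_id -> (salt, hash, allowed_roles, allowed_grants)

    def add_user(self, username, password, roles):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt), frozenset(roles))

    def add_client(self, client_id, client_secret, scope, grants):
        salt = os.urandom(16)
        self.clients[client_id] = (salt, _hash(client_secret, salt),
                                   frozenset(scope), frozenset(grants))


def password_grant(store, client_id, client_secret, username, password):
    """Handle grant_type=password. Returns a token dict or an RFC 6749 error."""
    client = store.clients.get(client_id)
    # Unknown client and wrong secret yield the same error so the response
    # does not reveal which client_ids exist.
    if client is None or not _verify(client_secret, client[0], client[1]):
        return {"error": "invalid_client"}
    _, _, scope, grants = client
    # Only clients explicitly enabled for the password grant may use it.
    if "password" not in grants:
        return {"error": "unauthorized_client"}
    user = store.users.get(username)
    if user is None or not _verify(password, user[0], user[1]):
        return {"error": "invalid_grant"}
    # Scope: the token carries only roles the user has AND the client may request,
    # so a user's "admin" role never reaches a client whose scope excludes it.
    roles = user[2] & scope
    return {"access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "roles": sorted(roles)}


def demo():
    """Constructed scenario: an admin user logging in through a limited client."""
    store = Store()
    store.add_user("alice", "correct horse", roles=["user", "admin"])
    store.add_client("mobile-app", "s3cret", scope=["user"], grants=["password"])
    store.add_client("admin-console", "other", scope=["user", "admin"],
                     grants=["authorization_code"])
    return (
        password_grant(store, "mobile-app", "s3cret", "alice", "correct horse"),
        password_grant(store, "admin-console", "other", "alice", "correct horse"),
        password_grant(store, "mobile-app", "wrong", "alice", "correct horse"),
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running it shows the three outcomes the discussion cares about: the mobile client gets a token for alice with only the "user" role even though she is an admin, the admin console is refused because it is not enabled for the password grant, and a wrong client secret is rejected before the user's password is even checked.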