On 1/29/2014 9:56 AM, Nils Preusker wrote:
> Hi Bill,
> maybe you can elaborate a bit on why you think 4.3 (Resource Owner
> Password Grant) is a potential security hole.

Keycloak has the concept of "scope". Scope is the roles that a client
is allowed to request. For instance, a user may have "admin"
privileges, but you may not want to grant a token with admin privileges
to a specific client.

> Your assumption - that we want to control our own login screen - is
> correct.

We're adding style sheets and pluggable themes, maybe that could push
you to move to a Keycloak hosted login screen? I don't know.

> About your security concern, it is possible to just add fields (like a
> client id) to 4.3. As far as I'm aware, Salesforce does this with the
> "client_id" and "client_secret" parameters for API access to
> salesforce.com <http://salesforce.com>.

Yes, that's what I'm planning to do.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
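The thread touches two mechanisms: requiring client_id/client_secret on the RFC 6749 section 4.3 (Resource Owner Password Credentials) grant, and Keycloak's notion of "scope" as the set of roles a client may request, so that a user's admin role does not automatically end up in a token handed to a less trusted client. The following is an added illustration written for this thread, not Keycloak's code or anything the participants posted. It sketches a token endpoint that authenticates the client, then the user, and then caps the granted roles at the client's allowed scope. Every user, client, secret and role name is constructed sample data, and the single fixed salt is for the sample only.

```python
"""Added example: a client-scoped OAuth 2.0 password grant (RFC 6749 sec. 4.3)
that also requires client_id/client_secret, with a per-client "scope" cap on the
roles a token may carry. Not Keycloak code; all data below is constructed."""

import hashlib
import hmac
import secrets


def _hash_pw(password: str, salt: bytes) -> bytes:
    """Derive a password verifier (PBKDF2-HMAC-SHA256) from a password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-fixed-salt"  # one salt shared by the constructed sample users

# Constructed sample users. alice holds "admin", but whether a token carries it
# depends on which client asks (see CLIENTS below).
USERS = {
    "alice": {"pw": _hash_pw("alice-pw", _SALT), "roles": {"user", "admin"}},
    "bob": {"pw": _hash_pw("bob-pw", _SALT), "roles": {"user"}},
}

# Constructed sample clients. "scope" is the set of roles the client is allowed
# to request, i.e. the ceiling on what any token issued to it may contain.
CLIENTS = {
    "mobile-app": {"secret": b"mobile-secret", "scope": {"user"}},
    "admin-console": {"secret": b"console-secret", "scope": {"user", "admin"}},
}

TOKENS = {}  # opaque access token -> (username, frozenset of granted roles)


def _error(code: str) -> dict:
    """OAuth 2.0 error response body (RFC 6749 sec. 5.2 error codes)."""
    return {"error": code}


def handle_token_request(form: dict) -> dict:
    """Process one POST to the token endpoint; `form` holds the form fields."""
    if form.get("grant_type") != "password":
        return _error("unsupported_grant_type")

    # 1. Client authentication: both client_id and client_secret must match.
    #    Constant-time comparison avoids leaking the secret through timing.
    client = CLIENTS.get(form.get("client_id", ""))
    secret = form.get("client_secret", "").encode()
    if client is None or not hmac.compare_digest(client["secret"], secret):
        return _error("invalid_client")

    # 2. Resource owner credentials. Unknown user and wrong password produce
    #    the same error so the endpoint does not confirm which usernames exist.
    user = USERS.get(form.get("username", ""))
    candidate = _hash_pw(form.get("password", ""), _SALT)
    if user is None or not hmac.compare_digest(user["pw"], candidate):
        return _error("invalid_grant")

    # 3. Scope cap: the client may never receive roles outside its allowed set,
    #    regardless of what the user holds. No explicit scope means "everything
    #    this client is allowed to ask for".
    requested = set(form.get("scope", "").split()) or set(client["scope"])
    if not requested <= client["scope"]:
        return _error("invalid_scope")
    granted = requested & user["roles"]  # roles the user lacks are dropped
    if not granted:
        return _error("invalid_scope")

    token = secrets.token_urlsafe(32)
    TOKENS[token] = (form["username"], frozenset(granted))
    return {
        "access_token": token,
        "token_type": "Bearer",
        "scope": " ".join(sorted(granted)),
    }


def introspect(token: str):
    """Return (username, granted roles) for an issued token, or None."""
    return TOKENS.get(token)
```

With this ordering, a stolen or guessed user password alone is not enough to obtain a token: the caller must also present a valid client secret, and even then the "mobile-app" client cannot obtain alice's admin role because its scope does not include it. The server responds with `invalid_scope` rather than silently downgrading, so an over-privileged request is visible in logs.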