Hi Bill,
maybe you can elaborate a bit on why you think 4.3 (Resource Owner Password
Grant) is a potential security hole.
Your assumption - that we want to control our own login screen - is
correct.
About your security concern, it is possible to just add fields (like a
client id) to 4.3. As far as I'm aware, Salesforce does this with the
"client_id" and "client_secret" parameters for API access to
salesforce.com.
Cheers,
Nils
On Wed, Jan 29, 2014 at 3:22 PM, Bill Burke <bburke(a)redhat.com> wrote:
We do support 4.3, but I'm thinking of removing it as IMO it is a
potential security hole. I'm thinking of augmenting 4.3 so that the
client additionally has to pass its own credentials as well as the
user's.
I guess you want to do this because you want to control your own login
screen? IMO, you lose a lot of the benefits of Keycloak by doing this
(credential reset, acct mgmt, etc.). Keycloak also allows you to add
additional credential types over time without changing your application
at all. (i.e. if you wanted to add OTP).
On 1/29/2014 6:49 AM, Nils Preusker wrote:
> Hi all,
>
> first of all, congrats on the first alpha release of Keycloak!
>
> We're looking for a simple and lean way to add the OAuth 2.0 Resource
> Owner Password Credentials Grant to a web application written in
> JavaScript with a Java/REST backend (JBoss AS 7, planning to switch to
> WildFly, JAX-RS etc.).
>
> Since I didn't find any references in the code or the docs, I'm
> wondering: does Keycloak provide an implementation of the Resource Owner
> Password Credentials Grant as described in the OAuth Spec
> (http://tools.ietf.org/html/rfc6749#section-4.3)? In other words, is
> there a way to simply send a username and password to the auth server in
> exchange for an access token (and optionally a refresh token - from
> previous posts I gather this will be added soon...)?
>
> Cheers,
> Nils
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
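The request shape Nils describes (a section 4.3 password grant carrying client_id and client_secret) together with the server-side rule Bill proposes (no token for a user's password unless the client authenticates too), written up as an added example; this is not Keycloak code or anything from the thread, and the client registry, user store and secrets are constructed.

```python
"""Resource Owner Password Credentials grant (RFC 6749 section 4.3) with
mandatory client authentication, as discussed in the thread above.
Added example, not Keycloak code; client ids, secrets and users are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed registry of confidential clients: client_id -> SHA-256 of secret.
CLIENTS = {"js-frontend": hashlib.sha256(b"constructed-client-secret").hexdigest()}
# Constructed user store. Unsalted SHA-256 keeps the demo short; a real
# server uses a password hash such as bcrypt or Argon2.
USERS = {"alice": hashlib.sha256(b"alice-password").hexdigest()}


def build_token_request(username, password, client_id, client_secret):
    """Client side: the x-www-form-urlencoded body of a section 4.3.2 token
    request, extended with the client_id/client_secret parameters the thread
    mentions (RFC 6749 section 2.3.1 allows them in the body; HTTP Basic is
    the preferred alternative)."""
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "client_id": client_id,
                      "client_secret": client_secret})


def _matches(plain, stored_hash):
    # Constant-time comparison so timing does not reveal how far a guess matched.
    digest = hashlib.sha256(plain.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


def handle_token_request(body):
    """Server side: verify the *client* before the user's password is even
    examined, then answer in the RFC 6749 section 5.1 / 5.2 shapes."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    stored = CLIENTS.get(form.get("client_id", ""))
    if stored is None or not _matches(form.get("client_secret", ""), stored):
        return 401, {"error": "invalid_client"}   # anonymous callers get no token
    user_hash = USERS.get(form.get("username", ""))
    if user_hash is None or not _matches(form.get("password", ""), user_hash):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32),
                 "token_type": "Bearer", "expires_in": 300}
```

A plain section 4.3 request without the client fields is turned away with invalid_client before the username and password are ever checked, which is the augmentation Bill describes.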