Re: [keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant

From: "Nils Preusker" <n.preusker(a)gmail.com&gt; To: keycloak-user(a)lists.jboss.org Sent: Wednesday, 29 January, 2014 2:56:17 PM Subject: Re: [keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant Hi Bill, maybe you can elaborate a bit on why you think 4.3 (Resource Owner Password Grant) is a potential security hole. Your assumption - that we want to control our own login screen - is correct.

About your security concern, it is possible to just add fields (like a client id) to 4.3. As far as I'm aware, Saleforce does this with the "client_id" and "client_secret" parameters for API access to salesforce.com . Cheers, Nils On Wed, Jan 29, 2014 at 3:22 PM, Bill Burke < bburke(a)redhat.com > wrote: We do support 4.3, but I'm thinking of removing it as IMO it is a potential security hole. I'm thinking of augmenting 4.3 so that the client additionally has to pass it's own credentials as well as the user's. I guess you want to do this because you want to control your own login screen? IMO, you lose a lot of the benefits of Keycloak by doing this (credential reset, acct mgmt, etc.). Keycloak also allows you to add additional credential types over time without changing your application at all. (i.e. if you wanted to add OTP). On 1/29/2014 6:49 AM, Nils Preusker wrote: > Hi all, > > first of all, congrats on the first alpha release of Keycloak! > > We're looking for a simple and lean way to add the OAuth 2.0 Resource > Owner Password Credentials Grant to a web application written in > JavaScript with a Java/REST backend (JBoss AS 7, planning to switch to > WildFly, JAX-RS etc.). > > Since I didn't find any references in the code or the docs, I'm > wondering: does Keycloak provide an implementation of the Resource Owner > Password Credentials Grant as described in the OAuth Spec > ( http://tools.ietf.org/html/rfc6749#section-4.3 )? In other words, is > there a way to simply send a username and password to the auth server in > exchange for an access token (and optionally a refresh token - from > previous posts I gather this will be added soon...)? > > Cheers, > Nils > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user