We do support 4.3, but I'm thinking of removing it as IMO it is a
potential security hole. I'm thinking of augmenting 4.3 so that the
client additionally has to pass its own credentials as well as the
user's.
I guess you want to do this because you want to control your own login
screen? IMO, you lose a lot of the benefits of Keycloak by doing this
(credential reset, acct mgmt, etc.). Keycloak also allows you to add
additional credential types over time without changing your application
at all. (i.e. if you wanted to add OTP).
On 1/29/2014 6:49 AM, Nils Preusker wrote:
Hi all,
first of all, congrats on the first alpha release of Keycloak!
We're looking for a simple and lean way to add the OAuth 2.0 Resource
Owner Password Credentials Grant to a web application written in
JavaScript with a Java/REST backend (JBoss AS 7, planning to switch to
WildFly, JAX-RS etc.).
Since I didn't find any references in the code or the docs, I'm
wondering: does Keycloak provide an implementation of the Resource Owner
Password Credentials Grant as described in the OAuth Spec
(http://tools.ietf.org/html/rfc6749#section-4.3)? In other words, is
there a way to simply send a username and password to the auth server in
exchange for an access token (and optionally a refresh token - from
previous posts I gather this will be added soon...)?
Cheers,
Nils
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
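Added example for this thread (not Keycloak code, and not written by either poster): a minimal RFC 6749 section 4.3 token endpoint handler that shows both positions above. With `require_client_auth=False` it behaves like a plain password grant, where anyone who can reach the token endpoint can submit username/password guesses; with `require_client_auth=True` it implements Bill's proposal and refuses the request unless the client also authenticates (HTTP Basic `client_id:client_secret`, RFC 6749 section 2.3.1). The user and client stores, salts, helper names and token lifetime are all constructed for the example.

```python
"""Illustrative RFC 6749 section 4.3 (resource owner password credentials)
token endpoint with optional mandatory client authentication.
Example code for the mailing-list discussion; not Keycloak's implementation."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode


def _pbkdf2(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; a real server would store per-entry salts.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


# Constructed sample data standing in for the realm's user and client stores.
_USER_SALT = b"constructed-user-salt"
_CLIENT_SALT = b"constructed-client-salt"
USERS = {"alice": _pbkdf2("correct horse battery staple", _USER_SALT)}
CLIENTS = {"my-js-app": _pbkdf2("client-secret-1", _CLIENT_SALT)}


def basic_header(client_id: str, client_secret: str) -> dict:
    """Build the Authorization header a confidential client would send."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": "Basic " + token}


def password_grant_body(username: str, password: str) -> str:
    """Build the application/x-www-form-urlencoded body of a 4.3 request."""
    return urlencode({"grant_type": "password",
                      "username": username, "password": password})


def _parse_basic(headers: dict):
    """Return (client_id, client_secret) from a Basic header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = raw.partition(":")
    return (client_id, secret) if sep else None


def _error(status: int, code: str):
    # Error codes follow RFC 6749 section 5.2.
    return status, {"error": code}


def handle_token_request(headers: dict, body: str, require_client_auth: bool = True):
    """Process POST /token. Returns (http_status, response_dict)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "password":
        return _error(400, "unsupported_grant_type")
    username, password = form.get("username"), form.get("password")
    if username is None or password is None:
        return _error(400, "invalid_request")

    # Client authentication. When required (the augmented 4.3 proposed in the
    # thread), an unauthenticated caller never reaches the user-password check,
    # so the endpoint cannot be used as an anonymous password-guessing oracle.
    creds = _parse_basic(headers)
    if require_client_auth or creds is not None:
        if creds is None:
            return _error(401, "invalid_client")
        client_id, client_secret = creds
        expected = CLIENTS.get(client_id)
        candidate = _pbkdf2(client_secret, _CLIENT_SALT)
        if expected is None or not hmac.compare_digest(expected, candidate):
            return _error(401, "invalid_client")

    # Resource owner credentials. Hash even for unknown users so timing does
    # not reveal whether the username exists; compare in constant time.
    stored = USERS.get(username)
    candidate = _pbkdf2(password, _USER_SALT)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return _error(400, "invalid_grant")

    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "expires_in": 300,                        # constructed lifetime
        "refresh_token": secrets.token_urlsafe(32),
    }


if __name__ == "__main__":
    body = password_grant_body("alice", "correct horse battery staple")
    print("no client auth, required :", handle_token_request({}, body))
    print("no client auth, optional :", handle_token_request({}, body, False)[0])
    print("with client auth         :",
          handle_token_request(basic_header("my-js-app", "client-secret-1"), body)[0])
```

The handler deliberately distinguishes `invalid_client` (401, client not authenticated) from `invalid_grant` (400, bad user credentials) as the RFC does, and only ever evaluates the user's password after the client check has passed when client authentication is required.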