[keycloak-dev] Keycloak as OAuth 2 compliant authorization server?

Matt Wringe mwringe at redhat.com
Tue Aug 27 15:22:32 EDT 2013


On 27/08/13 02:20 PM, Bill Burke wrote:
> Well, you need to remember that OAuth 2 is a framework and not a
> complete protocol.  The actual authentication part with the auth server
> is the most "flexible" part of the API.  I'd like to follow it as
> closely as possible though.

Yep, agreed. OAuth does not provide a complete protocol and leaves a lot 
of stuff to the implementors to decide. It also makes a lot of stuff 
optional and allows for custom extensions. It does, however, clearly 
define some areas and provides a defined protocol for them.

Unfortunately we are not exactly in line with the specification in all 
areas and would need to make some changes to become compliant.

I am assuming that trying to 'follow it as closely as possible' means we 
do want to be compliant and that issues should be filed where it does 
not follow the defined sections?

>
> On 8/23/2013 4:39 PM, Matt Wringe wrote:
>> Could someone please clarify if one of the goals of keycloak is to
>> provide an oauth 2.0 compliant authorization server?
>>
>> I am trying to figure out if I should be filing bugs and submitting
>> patches, or if keycloak is only meant to have an oauth-like semblance.
>>
>> Thanks,
>>
>> Matt Wringe


