[keycloak-dev] usability vs. security
Bill Burke
bburke at redhat.com
Mon Oct 7 10:14:20 EDT 2013
I'd like to have it that when an application is created in the admin
console, the admin can view the exact configuration files needed to
install in their application to enable security.
Unfortunately, this would involve populating application credentials in
the config file, which would require exposing the application credentials
through a REST interface, albeit a secure REST interface.
Do you think it is such a big security hole to allow for this? I've
been trying to keep to the mantra of not exposing credentials anywhere if
possible, yet this is a very nice security usability feature. We could
even have it that an application password, TOTP, and/or cert is
auto-generated.
Thoughts?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
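Editor's added example, not Keycloak code and not something proposed in the message above: one way to get the usability Bill describes without making credentials readable over REST is to auto-generate the application secret when the application is created, hand back the fully populated config file exactly once in the creation response, and keep only a salted hash server-side. A later REST read can still return the config skeleton, but the secret is no longer recoverable, and the server can still verify it when the application authenticates. The in-memory store, the function names and the config key names are assumptions for illustration only.

```python
"""Show-once application credentials (illustrative, not Keycloak code).

Pattern: generate the secret once, embed it in the config returned by the
create call, store only PBKDF2(secret, salt) server-side. Any later read of
the application over the (assumed) REST layer gets a config template with
the secret redacted, because the server does not hold the plaintext.
"""
import hashlib
import hmac
import json
import os
import secrets

# Constructed in-memory store standing in for the server database:
# application name -> {"realm", "salt", "secret_hash"}
APP_STORE: dict[str, dict] = {}

PBKDF2_ITERATIONS = 100_000


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the secret; this is all the server keeps."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _store_new_secret(name: str, realm: str) -> str:
    """Generate a fresh secret, persist only its salted hash, return the plaintext."""
    secret = secrets.token_urlsafe(32)          # 256 bits of randomness
    salt = os.urandom(16)
    APP_STORE[name] = {
        "realm": realm,
        "salt": salt,
        "secret_hash": _hash_secret(secret, salt),
    }
    return secret


def _config(name: str, realm: str, auth_server_url: str, secret: str) -> dict:
    # Key names are assumed for illustration; they are not taken from the post.
    return {
        "realm": realm,
        "auth-server-url": auth_server_url,
        "resource": name,
        "credentials": {"secret": secret},
    }


def create_application(name: str, realm: str, auth_server_url: str) -> dict:
    """Create an application and return the one-time config with the plaintext secret.

    This is the only response that ever carries the secret.
    """
    secret = _store_new_secret(name, realm)
    return _config(name, realm, auth_server_url, secret)


def rotate_secret(name: str, auth_server_url: str) -> dict:
    """Admin-triggered rotation: a new one-time config; the old secret stops working."""
    realm = APP_STORE[name]["realm"]
    secret = _store_new_secret(name, realm)
    return _config(name, realm, auth_server_url, secret)


def get_config_template(name: str, auth_server_url: str) -> dict:
    """What a later REST read can return: everything except the secret."""
    realm = APP_STORE[name]["realm"]
    return _config(name, realm, auth_server_url, "<set at creation time; not retrievable>")


def verify_application_secret(name: str, presented: str) -> bool:
    """Server-side check of a secret presented by the application at runtime."""
    rec = APP_STORE.get(name)
    if rec is None:
        return False
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(rec["secret_hash"], _hash_secret(presented, rec["salt"]))


def render_config_file(config: dict) -> str:
    """Serialize the config as the file the admin would drop into the application."""
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    once = create_application("my-app", "demo", "https://sso.example.invalid/auth")
    print(render_config_file(once))                      # contains the secret, shown once
    print(render_config_file(get_config_template("my-app", "https://sso.example.invalid/auth")))
    print(verify_application_secret("my-app", once["credentials"]["secret"]))
```

The trade-off this buys: the admin still gets a copy-and-paste config at creation time, but anyone who later gains read access to the admin REST API only gets a redacted template and hashes, and the remedy for a lost secret is rotation rather than retrieval.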