[keycloak-dev] application configuration idea
Bill Burke
bburke at redhat.com
Fri Sep 20 10:48:05 EDT 2013
On 9/20/2013 10:29 AM, Stian Thorgersen wrote:
> Can you not just remove the password from the config file completely - and pass the password directly using the system property?
>
Config might also include:
* TOTP Key
* Key pair and cert for two-way SSL.
> Another related thing, this only works for server-side applications/services - for client-side applications the application credentials aren't available (if they are an attacker can access them by simply downloading the application). To my understanding this means we need to support the implicit flow for client-side applications?
>
Depends on how the mobile native app wants to do authentication.
Application credentials help prevent spoofing attacks, i.e., making the
user think they are logging into Bank of America or something when
you're really logging into the attacker's site. The auth server requires the
client to authenticate before turning an access code into an access
token. Mobile is different because the relationship between user and
application is 1 to 1. I'm not sure what to do for native mobile apps.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
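The exchange Bill describes, as an added illustration that is not Keycloak code and not part of this thread: a toy authorization server that issues a single-use code bound to the client and redirect URI, then authenticates the client at the token endpoint before redeeming it. A code captured through a spoofed site is useless without the client secret, a second registered client cannot redeem a code issued to the first, and a public (native mobile) client has nothing to authenticate with, which is the gap Bill is unsure about. It also shows Stian's suggestion of keeping the secret out of the config file: it is read from an environment variable at startup (the stand-in here for a JVM system property). The client names, URIs, the `BANK_CLIENT_SECRET` variable and all secrets are assumptions made up for the example.

```python
"""Toy model of the OAuth 2.0 authorization-code exchange with client
authentication.  Illustrative only: not Keycloak's implementation, and every
client id, URI and secret below is a constructed example value."""
import hashlib
import hmac
import os
import secrets
import time

CODE_LIFETIME_SECONDS = 60


def load_client_secret(env_var="BANK_CLIENT_SECRET"):
    """Read the application credential injected at startup instead of from a
    config file (an environment variable here; a -D system property in Java).
    Refuse to start without it rather than fall back to a built-in default."""
    secret = os.environ.get(env_var)
    if not secret:
        raise RuntimeError(f"{env_var} not set; refusing to start without a client credential")
    return secret


class AuthServer:
    def __init__(self):
        self.clients = {}  # client_id -> registration
        self.codes = {}    # code -> issuance record

    def register_client(self, client_id, redirect_uris, secret=None):
        """A client registered without a secret is a public client (e.g. a native
        mobile app); anything shipped inside the app can be extracted by an attacker."""
        self.clients[client_id] = {
            "redirect_uris": set(redirect_uris),
            "public": secret is None,
            "secret_hash": hashlib.sha256(secret.encode()).digest() if secret else None,
        }

    def authorize(self, client_id, redirect_uri, user):
        """Front channel: after the user logs in, issue a short-lived, single-use
        code bound to the client and redirect URI it was requested for."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "expires": time.time() + CODE_LIFETIME_SECONDS,
                            "used": False}
        return code

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None:
            return None
        if client["public"]:
            return client  # nothing to verify for a public client
        if client_secret is None:
            return None
        given = hashlib.sha256(client_secret.encode()).digest()
        # constant-time comparison of the hashed secret
        return client if hmac.compare_digest(given, client["secret_hash"]) else None

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client proves who it is, then the code is redeemed."""
        if self._authenticate_client(client_id, client_secret) is None:
            return {"error": "invalid_client"}
        entry = self.codes.get(code)
        if entry is None or entry["used"] or entry["expires"] < time.time():
            return {"error": "invalid_grant"}
        # Burn the code on any mismatch: a valid client redeeming a code issued to
        # another client (or another redirect URI) is a stolen code being replayed.
        entry["used"] = True
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "sub": entry["user"]}


def demo():
    """Run the legitimate flow and the attacker attempts; return every outcome."""
    # Real deployments inject this from outside; the default is a constructed demo value.
    os.environ.setdefault("BANK_CLIENT_SECRET", "constructed-demo-secret")
    srv = AuthServer()
    srv.register_client("bank", ["https://bank.example/cb"], secret=load_client_secret())
    srv.register_client("evil", ["https://evil.example/cb"], secret="attacker-secret")
    srv.register_client("bank-mobile", ["bankapp://cb"])  # public client, no secret
    out = {}
    code = srv.authorize("bank", "https://bank.example/cb", user="alice")
    # Attacker who captured the code via a spoofed login page but has no secret:
    out["stolen_no_secret"] = srv.token("bank", None, code, "https://bank.example/cb")
    out["stolen_wrong_secret"] = srv.token("bank", "guess", code, "https://bank.example/cb")
    # The real application redeems it once, and only once:
    out["legit"] = srv.token("bank", load_client_secret(), code, "https://bank.example/cb")
    out["replay"] = srv.token("bank", load_client_secret(), code, "https://bank.example/cb")
    # Attacker redeems a stolen code through their own registered client:
    code2 = srv.authorize("bank", "https://bank.example/cb", user="alice")
    out["stolen_own_client"] = srv.token("evil", "attacker-secret", code2, "https://evil.example/cb")
    # Public mobile client: the exchange succeeds with no credential at all.
    code3 = srv.authorize("bank-mobile", "bankapp://cb", user="alice")
    out["mobile_public"] = srv.token("bank-mobile", None, code3, "bankapp://cb")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The `mobile_public` case is the one Bill flags: with no secret to check, client authentication contributes nothing for a native app, so the code binding and redirect URI registration are the only things tying the exchange to the intended application.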