[keycloak-dev] application configuration idea

Stian Thorgersen stian at redhat.com
Fri Sep 20 11:05:34 EDT 2013


Maybe there could be an option on the application to mark it as client-side, then any applications that are marked as client-side would never be granted any oauth permissions?

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 20 September, 2013 4:04:36 PM
> Subject: Re: [keycloak-dev] application configuration idea
> 
> 
> 
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Friday, 20 September, 2013 3:48:05 PM
> > Subject: Re: [keycloak-dev] application configuration idea
> > 
> > 
> > 
> > On 9/20/2013 10:29 AM, Stian Thorgersen wrote:
> > > Can you not just remove the password from the config file completely -
> > > and
> > > pass the password directly using the system property?
> > >
> > 
> > Config might also include:
> > 
> > * TOTP Key
> > * Key pair and cert for two-way SSL.
> 
> Forgot that - with that in mind then encryption + password is a good approach
> - would be good if it could be enabled/disabled for a realm though
> 
> > 
> > 
> > > Another related thing, this only works for server-side
> > > applications/services - for client-side applications the application
> > > credentials aren't available (if they are an attacker can access them by
> > > simply downloading the application). To my understanding this means we
> > > need to support the implicit flow for client-side applications?
> > >
> > 
> > Depends how the mobile native app wants to do authentication.
> > Application credentials help prevent spoofing attacks.  i.e. making the
> > user think they are logging into Bank of America or something when
> > you're really logging into the attacker's site.  Auth server requires
> > client to authenticate before turning an access code into an access
> > token.  Mobile is different because the relationship between user and
> > application is 1 to 1.  I'm not sure what to do for native mobile apps.
> 
> I guess if the application doesn't have access to anything that's not public,
> there are no security implications of its key/secrets being leaked. So
> with that in mind you could still use the full flow for both html5 and
> mobile (and any other client-side stuff, consoles, desktop apps, etc.)
> 
> > 
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> > 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
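The point Bill makes above (the auth server requires the client to authenticate before an access code is turned into an access token) and Stian's proposal (mark an application as client-side so it never holds a secret or any application-level OAuth permissions) can be shown together in a toy token endpoint. This is an added illustration written for this page, not Keycloak's code; the `Application`, `Registry` and `AuthServer` classes and all sample client ids, secrets and redirect URIs are constructed for the example.

```python
# Added illustration (not Keycloak's code): a toy authorization-code exchange
# showing why server-side applications must present client credentials before
# a code becomes a token, and how a "client-side" flag keeps applications whose
# config can be downloaded from ever holding a secret or client-level
# permissions. All identifiers and sample values are constructed.
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Application:
    client_id: str
    client_side: bool                          # config ships to the user's device
    secret: Optional[str] = None               # only server-side apps hold one
    redirect_uris: frozenset = frozenset()     # codes are bound to these
    app_permissions: frozenset = frozenset()   # permissions granted to the app itself


class Registry:
    def __init__(self):
        self._apps = {}

    def register(self, app: Application):
        # A client-side application cannot keep a secret, and anything granted
        # to the application itself would be usable by whoever downloads it.
        if app.client_side and (app.secret or app.app_permissions):
            raise ValueError("client-side apps get neither a secret nor permissions")
        if not app.client_side and not app.secret:
            raise ValueError("server-side apps must have a secret")
        self._apps[app.client_id] = app

    def get(self, client_id):
        return self._apps.get(client_id)


class AuthServer:
    def __init__(self, registry: Registry):
        self.registry = registry
        self._codes = {}  # code -> (client_id, redirect_uri, user)

    def issue_code(self, client_id, redirect_uri, user):
        """Issued after the user logs in; the code is tied to the client and
        to one of its registered redirect URIs."""
        app = self.registry.get(client_id)
        if app is None or redirect_uri not in app.redirect_uris:
            return None
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, user)
        return code

    def exchange_code(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: returns {'access_token': ...} or {'error': ...}."""
        app = self.registry.get(client_id)
        if app is None:
            return {"error": "invalid_client"}
        if not app.client_side:
            # Server-side app: prove identity before the code becomes a token.
            if client_secret is None or not hmac.compare_digest(client_secret, app.secret):
                return {"error": "invalid_client"}
        # A client-side app has no secret to check; what protects it is that the
        # code is single-use and bound to the client id and redirect URI.
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return {"error": "invalid_grant"}
        token = {"sub": entry[2], "client_id": client_id,
                 "permissions": sorted(app.app_permissions)}
        return {"access_token": token}


if __name__ == "__main__":
    reg = Registry()
    reg.register(Application("bank-backend", client_side=False, secret="s3cr3t",
                             redirect_uris=frozenset({"https://bank.example/cb"}),
                             app_permissions=frozenset({"read-accounts"})))
    reg.register(Application("bank-mobile", client_side=True,
                             redirect_uris=frozenset({"bankapp://cb"})))
    srv = AuthServer(reg)
    code = srv.issue_code("bank-backend", "https://bank.example/cb", "alice")
    print(srv.exchange_code("bank-backend", None, code, "https://bank.example/cb"))
    print(srv.exchange_code("bank-backend", "s3cr3t", code, "https://bank.example/cb"))
```

The `register` check is where the proposed flag does its work: a client-side application is refused a secret and any application-level permissions at registration time, so a leaked config for it contains nothing worth stealing, while a server-side application is refused registration without a secret and cannot redeem a code without presenting it.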
