[keycloak-dev] application configuration idea

Bolesław Dawidowicz bdawidow at redhat.com
Fri Sep 20 12:47:59 EDT 2013


In some docs that I read recently, the proposed best practice is that the app 
is granted only a minimal user-registration permission - like Stian 
proposed. Then once the user is created, it is their identity that is used for 
everything when accessing APIs. Then there is no issue with app code 
leakage, as it doesn't allow an attacker to do anything with the API.

On 09/20/2013 05:05 PM, Stian Thorgersen wrote:
> Maybe there could be an option on the application to mark it as
> client-side, then any applications that are marked as client-side
> would never be granted any oauth permissions?
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Friday, 20 September, 2013 4:04:36 PM
>> Subject: Re: [keycloak-dev] application configuration idea
>>
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Friday, 20 September, 2013 3:48:05 PM
>>> Subject: Re: [keycloak-dev] application configuration idea
>>>
>>>
>>>
>>> On 9/20/2013 10:29 AM, Stian Thorgersen wrote:
>>>> Can you not just remove the password from the config file
>>>> completely - and pass the password directly using the system
>>>> property?
>>>>
>>>
>>> Config might also include:
>>>
>>> * TOTP Key
>>> * Key pair and cert for two-way SSL.
>>
>> Forgot that - with that in mind then encryption + password is a
>> good approach - would be good if it could be enabled/disabled for a
>> realm though
>>
>>>
>>>
>>>> Another related thing: this only works for server-side
>>>> applications/services - for client-side applications the
>>>> application credentials aren't available (if they are, an
>>>> attacker can access them by simply downloading the
>>>> application). To my understanding this means we need to support
>>>> the implicit flow for client-side applications?
>>>>
>>>
>>> Depends how the mobile native app wants to do authentication.
>>> Application credentials help prevent spoofing attacks, i.e.
>>> making the user think they are logging into Bank of America or
>>> something when you're really logging into the attacker's site.
>>> The auth server requires the client to authenticate before turning an
>>> access code into an access token.  Mobile is different because
>>> the relationship between user and application is 1 to 1.  I'm not
>>> sure what to do for native mobile apps.
>>
>> I guess if the application doesn't have access to anything that's not
>> public, there are no security implications of its keys/secrets
>> being leaked. So with that in mind you could still use the full
>> flow for both html5 and mobile (and any other client-side stuff,
>> consoles, desktop apps, etc..)
>>
>>>
>>> -- 
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>



-- 
Bolesław Dawidowicz
JBoss Portal Platform Architect | GateIn Portal Project Lead

