[keycloak-dev] application configuration idea

Bill Burke bburke at redhat.com
Fri Sep 20 13:00:57 EDT 2013


We have this option already.  Its called Scopes.  You assign a scope to 
an OAuth Client.  The scope is a set of roles the oauth client is 
allowed to ask for when logging in a user.  So, a mobile native app 
could just have a limited scope and public credentials.

Maybe what could be done is after the OAuth Grant Page, the mobile 
client would be given a token that allows it to register itself and 
create unique credentials with the admin server.

On 9/20/2013 11:05 AM, Stian Thorgersen wrote:
> Maybe there could be an option on the application to mark it as client-side, then any applications that are marked as client-side would never be granted any oauth permissions?
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Friday, 20 September, 2013 4:04:36 PM
>> Subject: Re: [keycloak-dev] application configuration idea
>>
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Friday, 20 September, 2013 3:48:05 PM
>>> Subject: Re: [keycloak-dev] application configuration idea
>>>
>>>
>>>
>>> On 9/20/2013 10:29 AM, Stian Thorgersen wrote:
>>>> Can you not just remove the password from the config file completely -
>>>> and
>>>> pass the password directly using the system property?
>>>>
>>>
>>> Config might also include:
>>>
>>> * TOTP Key
>>> * Key pair and cert for two-way SSL.
>>
>> Forgot that - with that in mind then encryption + password is a good approach
>> - would be good if it could be enabled/disabled for a realm though
>>
>>>
>>>
>>>> Another related thing, this only works for server-side
>>>> applications/services - for client-side applications the application
>>>> credentials aren't available (if they are an attacker can access them by
>>>> simply downloading the application). To my understanding this means we
>>>> need to support the implicit flow for client-side applications?
>>>>
>>>
>>> Depends how the mobile native app wants to do authentication.
>>> Application credentials help prevent spoofing attacks.  i.e. making the
>>> user think they are logging into Bank of America or something when
>>> you're really logging into the attacker's site.  Auth server requires
>>> client to authenticate before turning a access code into an access
>>> token.  Mobile is different because the relationship between user and
>>> application is 1 to 1.  I'm not sure what to do for native mobile apps.
>>
>> I guess if application doesn't have access to anything that's not public it's
>> there's no security implications of the key/secrets to it being leaked. So
>> with that in mind you could still use the full flow for both html5 and
>> mobile (and any other client-side stuff, consoles, desktop apps, etc..)
>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com


More information about the keycloak-dev mailing list