[keycloak-dev] why authenticate clients?

Stian Thorgersen stian at redhat.com
Mon Mar 3 04:33:52 EST 2014


Not sure what you're proposing. Are you saying that we shouldn't authenticate clients at all?

----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Sunday, 2 March, 2014 10:25:21 PM
> Subject: Re: [keycloak-dev] why authenticate clients?
> 
> Ugh sorry, rephrase:
> 
> "I don't think there is a need for authenticated clients if you're doing..."
> 
> On 3/2/2014 5:24 PM, Bill Burke wrote:
> > A good read:
> >
> > http://tools.ietf.org/html/rfc6749#section-3.2.1
> >
> > I was thinking about our current client-secret requirement.  I don't
> > think there is any security hole if you are doing the OAuth protocol
> > over SSL, you are validating redirect_uris and the client sends its
> > "client_id" when obtaining an access token.
> >
> > * Keycloak server ensures the access code is transmitted to a valid site
> > by verifying/validating the redirect_uri sent.
> > * Since you're using HTTPS, the browser ensures the site is valid by
> > checking it's cert.
> > * If you send the "client_id" when obtaining the access token, the auth
> > server can verify that there was no access code substitution.
> >
> > One of the uses described in 3.2.1 is that it is easier to reset a
> > client's credentials than invalidating all the refresh tokens sent to
> > it.  I'm not so sure that is true.  If there were a per-app/per-oauth
> > client Not-Before setting, we could check this on a refresh request.
> >
> > Any counter arguments to these assumptions?  I'm going to see if anybody
> > on the oauth email list will verify these assumptions.
> >
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 


More information about the keycloak-dev mailing list