[keycloak-dev] why authenticate clients?
Bill Burke
bburke at redhat.com
Fri Mar 7 12:58:23 EST 2014
Okay, I think I've figured out why confidential clients are better.
A hacker could spoof the login page, obtain client credentials, in the
background have a script that performs the login flow. With a public
client, the hacker would be able to get the access token as there is no
protection. With a confidential client, the hacker would not have the
client credentials and would not be able to turn a code into a token.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
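A minimal token endpoint that models the distinction described above, added here as an illustration and not Keycloak's own code: a stolen authorization code is enough for a public client, while a confidential client must also present its secret. The client registry, secret value and issued codes are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed client registry: one public and one confidential client (not real Keycloak data).
CLIENTS = {
    "public-app": {"type": "public", "secret": None},
    "confidential-app": {"type": "confidential", "secret": "s3cr3t-example"},
}

# Constructed authorization codes as the login flow would issue them, bound to the requesting client.
ISSUED_CODES = {
    "code-public-1": {"client_id": "public-app", "expires": time.time() + 300, "used": False},
    "code-conf-1": {"client_id": "confidential-app", "expires": time.time() + 300, "used": False},
}


def exchange_code(code, client_id, client_secret=None):
    """Token endpoint: redeem an authorization code for an access token.

    Returns {"access_token": ...} on success or {"error": ...} on failure.
    """
    entry = ISSUED_CODES.get(code)
    # Unknown, replayed or expired codes are rejected.
    if entry is None or entry["used"] or entry["expires"] < time.time():
        return {"error": "invalid_grant"}
    # A code may only be redeemed by the client it was issued to.
    if entry["client_id"] != client_id:
        return {"error": "invalid_grant"}
    client = CLIENTS.get(client_id)
    if client is None:
        return {"error": "invalid_client"}
    # Confidential clients must prove possession of the secret; a leaked code alone is useless.
    if client["type"] == "confidential":
        if client_secret is None or not hmac.compare_digest(client_secret, client["secret"]):
            return {"error": "invalid_client"}
    entry["used"] = True  # codes are single-use
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


if __name__ == "__main__":
    # Someone holding only the code: succeeds for the public client, fails for the confidential one.
    print(exchange_code("code-public-1", "public-app"))
    print(exchange_code("code-conf-1", "confidential-app"))
    print(exchange_code("code-conf-1", "confidential-app", "s3cr3t-example"))
```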