[keycloak-dev] why authenticate clients?
Stian Thorgersen
stian at redhat.com
Mon Mar 10 05:57:10 EDT 2014
That's at least one ;)
Confidential clients are always going to be more secure, but public clients are a requirement so whatever we can do to make them more secure would be great. At some point confidential clients needs to be exposed to a browser though, and that means they will need some way of securing the public client. Even a http-only cookie is still vulnerable. For example if there's an exploit in the browser, or the hacker gains read access to the file-system, it would be relatively easy to extract the refresh token from the cookie.
End of the day there's a few things that are outside of our control:
* Exploits in browsers
* Hackers that gain access to file-system
* Users that don't check the URL (and https certificate)
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Marek Posolda" <mposolda at redhat.com>, "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 7 March, 2014 5:58:23 PM
> Subject: Re: [keycloak-dev] why authenticate clients?
>
> Okay, I think I've figured out why confidential clients are better.
> Hacker could spoof the login page, obtain client credentials, in the
> background have a script that performs the login flow. With a public
> client, the hacker would be able to get the access token as there is no
> protection. With a confidential client, the hacker would not have the
> client credentials and would not be able to turn a code into a token.
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
More information about the keycloak-dev
mailing list