[keycloak-dev] Direct grant API enable/disable on per-app instead of realm
Stian Thorgersen
stian at redhat.com
Thu Jan 15 10:38:15 EST 2015
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Thursday, 15 January, 2015 4:18:55 PM
> Subject: Re: [keycloak-dev] Direct grant API enable/disable on per-app instead of realm
>
> I don't know...Once you have one public client that supports direct
> grants with a large enough scope, there's your attack vector.
Well, sure if you enable if for a public client with the full scope it doesn't make much difference. But, currently you can't limit it at all other than turning it off completely.
Also, another thing is that currently we require a redirect-uri to be registered for an app, but that shouldn't be required if an app only uses the direct grant.
>
>
> On 1/15/2015 7:00 AM, Stian Thorgersen wrote:
> > I propose we move the "Direct Grant API" enable/disable from the realm and
> > add it to applications/clients instead. This allows greater control over
> > what is exposed using the direct grant api.
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list