[keycloak-dev] Direct grant API enable/disable on per-app instead of realm

Marek Posolda mposolda at redhat.com
Fri Jan 16 12:49:23 EST 2015


On 15.1.2015 16:38, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 15 January, 2015 4:18:55 PM
>> Subject: Re: [keycloak-dev] Direct grant API enable/disable on per-app instead of realm
>>
>> I don't know...Once you have one public client that supports direct
>> grants with a large enough scope, there's your attack vector.
> Well, sure, if you enable it for a public client with the full scope it doesn't make much difference. But currently you can't limit it at all other than turning it off completely.
>
> Also, another thing is that currently we require a redirect-uri to be registered for an app, but that shouldn't be required if an app only uses the direct grant.
+1. We allow specifying it for an oauth client though, but an oauth client 
doesn't have its own roles. So usually if you have an oauth client with 
"direct grants only" enabled, you need to give it some scopes to other 
existing application or realm roles, which makes it even less safe.

Also, a similar case is the recently added Basic authentication support. 
When I have a REST application which should allow authenticating my REST 
endpoints with either "bearer" or "basic" authentication, it shouldn't 
be necessary to have a redirect-uri configured for this application. 
Currently it's needed.

IMO we can easily fix it if we allow basic authentication for 
"bearer-only" applications too (as long as they have "enable-basic-auth" 
in the adapter config). My understanding of a "bearer-only application" is 
a kind of application which can't request its own access token, but just 
allows REST authentication. So I am not seeing an issue with allowing basic 
auth for it.

Marek
>
>>
>> On 1/15/2015 7:00 AM, Stian Thorgersen wrote:
>>> I propose we move the "Direct Grant API" enable/disable from the realm and
>>> add it to applications/clients instead. This allows greater control over
>>> what is exposed using the direct grant api.
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
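The two points argued in this thread, as an added illustrative model (not Keycloak's code and not anything the project ships): first, how a realm-wide direct grant switch exposes every public client's full scope, whereas a per-client flag limits what the password grant can reach; second, a bearer-only resource server that accepts either a Bearer token or Basic credentials, the latter only when the adapter option "enable-basic-auth" is set. The per-client `direct_grants_enabled` field, the `Client`/`Realm` structures, the role-intersection rule and the sample realm below are all assumptions made for this example.

```python
"""Added example, not Keycloak code: models per-client vs realm-wide direct grant
enablement, and Bearer/Basic dispatch for a bearer-only resource server."""
import base64
from dataclasses import dataclass, field


@dataclass
class Client:
    client_id: str
    public: bool
    direct_grants_enabled: bool = False      # hypothetical per-client flag (the proposal)
    scope: set = field(default_factory=set)  # realm roles this client may receive in a token


@dataclass
class Realm:
    direct_grants_enabled: bool  # the realm-wide switch the thread proposes to move
    clients: dict


class GrantDenied(Exception):
    pass


def direct_grant_allowed(realm, client, per_client_policy):
    """Per-client policy consults the client flag; realm policy enables it for everyone."""
    if per_client_policy:
        return client.direct_grants_enabled
    return realm.direct_grants_enabled


def issue_direct_grant_token(realm, client_id, user_roles, per_client_policy=True):
    """Model of the token endpoint handling grant_type=password for a client."""
    client = realm.clients.get(client_id)
    if client is None:
        raise GrantDenied("unknown client")
    if not direct_grant_allowed(realm, client, per_client_policy):
        raise GrantDenied("direct grant not enabled for client %s" % client_id)
    # Assumed rule: token roles are the user's roles restricted to the client's scope.
    return {"client_id": client_id, "roles": sorted(set(user_roles) & client.scope)}


def exposure(realm, per_client_policy, user_roles):
    """Union of roles reachable via the password grant through any public client:
    the exposure Bill's message refers to. Smaller is better."""
    roles = set()
    for client in realm.clients.values():
        if client.public and direct_grant_allowed(realm, client, per_client_policy):
            roles |= set(user_roles) & client.scope
    return roles


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_authorization(header, enable_basic_auth):
    """Bearer-only adapter dispatch: ('bearer', token), ('basic', (user, password)),
    or None when the scheme is unsupported, malformed, or Basic is not enabled."""
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    scheme = scheme.lower()
    if scheme == "bearer" and value:
        return ("bearer", value)
    if scheme == "basic" and enable_basic_auth:
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        if not sep:
            return None
        return ("basic", (user, password))
    return None


# Constructed sample realm: one public client with a narrow scope, one public
# client with a wide scope that should never serve password grants, one confidential client.
REALM = Realm(
    direct_grants_enabled=True,
    clients={
        "mobile-app": Client("mobile-app", public=True, direct_grants_enabled=True, scope={"user"}),
        "admin-console": Client("admin-console", public=True, scope={"user", "admin"}),
        "rest-backend": Client("rest-backend", public=False, scope={"user", "admin"}),
    },
)
USER_ROLES = {"user", "admin"}

if __name__ == "__main__":
    print("realm-wide exposure:", exposure(REALM, False, USER_ROLES))
    print("per-client exposure:", exposure(REALM, True, USER_ROLES))
    print(issue_direct_grant_token(REALM, "mobile-app", USER_ROLES))
    print(parse_authorization(basic_header("alice", "s3cret"), enable_basic_auth=True))
```

With the realm-wide switch on, the wide-scope public client is reachable by the password grant and the exposure is the user's full role set; with the per-client flag, only the narrow client is, so a stolen password through that path yields at most the "user" role. `parse_authorization` returns None for Basic credentials when "enable-basic-auth" is off, so a bearer-only deployment is unchanged unless the adapter opts in.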


