[keycloak-dev] Direct grant API enable/disable on per-app instead of realm

Bill Burke bburke at redhat.com
Fri Jan 16 14:27:58 EST 2015


If you set "bearer-only" you don't have to enter in a redirect URI.

On 1/16/2015 12:49 PM, Marek Posolda wrote:
> On 15.1.2015 16:38, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: keycloak-dev at lists.jboss.org
>>> Sent: Thursday, 15 January, 2015 4:18:55 PM
>>> Subject: Re: [keycloak-dev] Direct grant API enable/disable on
>>> per-app instead of realm
>>>
>>> I don't know... Once you have one public client that supports direct
>>> grants with a large enough scope, there's your attack vector.
>> Well, sure, if you enable it for a public client with the full scope it
>> doesn't make much difference. But currently you can't limit it at all
>> other than turning it off completely.
>>
>> Also, another thing is that currently we require a redirect-uri to be
>> registered for an app, but that shouldn't be required if an app only
>> uses the direct grant.
> +1. We allow specifying it for an oauth client though, but an oauth client
> doesn't have its own roles. So usually if you have an oauth client with
> "direct grants only" enabled, you need to give it some scopes to other
> existing application or realm roles, which makes it even less safe.
>
> Also, a similar case is the recently added Basic authentication support.
> When I have a REST application which should allow authenticating my REST
> endpoints with either "bearer" or "basic" authentication, it shouldn't
> be necessary to have a redirect-uri configured for this application.
> Currently it's needed.
>
> IMO we can easily fix it if we allow basic authentication for
> "bearer-only" applications too (as long as they have "enable-basic-auth"
> in the adapter config). My understanding of a "bearer-only application" is
> a kind of application which can't request its own access token, but just
> allows REST authentication. So I am not seeing an issue with allowing
> basic auth for it.
>
> Marek
>>
>>>
>>> On 1/15/2015 7:00 AM, Stian Thorgersen wrote:
>>>> I propose we move the "Direct Grant API" enable/disable from the
>>>> realm and add it to applications/clients instead. This allows
>>>> greater control over what is exposed using the direct grant api.
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
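The risk Bill describes (a public client with direct grants and a wide scope) and the redirect-uri point Stian and Marek raise are both things an admin can check for once the setting lives per client. The following audit script is an added example, not code from the thread or from Keycloak; it assumes the client field names of a modern Keycloak realm export (clientId, publicClient, bearerOnly, standardFlowEnabled, directAccessGrantsEnabled, fullScopeAllowed, redirectUris) and runs over a constructed sample export.

```python
import json

# Constructed sample realm export (not from a real deployment), trimmed to
# the client fields the audit reads.
SAMPLE_REALM_EXPORT = json.dumps({"realm": "demo", "clients": [
    {"clientId": "mobile-app", "publicClient": True, "bearerOnly": False,
     "standardFlowEnabled": True, "directAccessGrantsEnabled": True,
     "fullScopeAllowed": True, "redirectUris": ["myapp://callback"]},
    {"clientId": "batch-cli", "publicClient": False, "bearerOnly": False,
     "standardFlowEnabled": False, "directAccessGrantsEnabled": True,
     "fullScopeAllowed": False, "redirectUris": ["http://localhost/unused"]},
    {"clientId": "rest-api", "publicClient": False, "bearerOnly": True,
     "standardFlowEnabled": False, "directAccessGrantsEnabled": False,
     "fullScopeAllowed": False, "redirectUris": []},
    {"clientId": "web-portal", "publicClient": True, "bearerOnly": False,
     "standardFlowEnabled": True, "directAccessGrantsEnabled": False,
     "fullScopeAllowed": True, "redirectUris": ["https://portal.example/*"]},
]})


def audit_direct_grants(realm_export: str) -> dict:
    """Map clientId -> list of findings for clients whose direct-grant
    configuration widens the realm's exposure in the ways the thread names."""
    findings = {}
    for c in json.loads(realm_export).get("clients", []):
        notes = []
        direct = c.get("directAccessGrantsEnabled", False)
        public = c.get("publicClient", False)
        full_scope = c.get("fullScopeAllowed", False)
        # A browser flow only exists for non-bearer-only clients with the
        # standard (authorization code) flow switched on.
        browser_flow = c.get("standardFlowEnabled", False) and not c.get("bearerOnly", False)
        if direct and public and full_scope:
            notes.append("public client with direct grants and full scope: any "
                         "user credential posted to the token endpoint yields a "
                         "realm-wide token; restrict scope or make it confidential")
        elif direct and full_scope:
            notes.append("direct grants with full scope: limit scope to the roles "
                         "this client actually needs")
        elif direct and public:
            notes.append("public client with direct grants: no client secret "
                         "guards the token endpoint; keep scope minimal")
        if not browser_flow and c.get("redirectUris"):
            notes.append("redirect URIs registered but no browser flow enabled: "
                         "remove them, they only widen the client's surface")
        if notes:
            findings[c["clientId"]] = notes
    return findings
```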

