[keycloak-dev] Direct grant always on
Marek Posolda
mposolda at redhat.com
Wed Jun 3 02:53:09 EDT 2015
Yeah, I think you're right when thinking more about it. So +1 from me as
well :-)
Marek
3.6.2015 08:24, Stian Thorgersen wrote:
> IMO it's needed by default and shouldn't be an extra config option.
>
> OAuth2 spec says to limit it's use yes, but that's so there's less passwords flying around. Problem is that spec only provides a good solution for web and nothing else. So for CLIs (and even some native apps) you're left with using username+password.
>
> Initially it was disabled by default as we thought there was some security implications. However, given a users username and password someone can just the same endpoints as the web based login does. They do pretty much the same thing when invoked from a script, just less user friendly. I.e. curl ../openid-connect/login, scrape the csrf protection value, post it with username and password, then crab the code from the redirect. Anyone that has access to swap the code for the token, would also have access to invoking the direct grant endpoint.
>
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>, "keycloak dev" <keycloak-dev at lists.jboss.org>
>> Sent: Tuesday, 2 June, 2015 4:19:41 PM
>> Subject: Re: [keycloak-dev] Direct grant always on
>>
>> Maybe we can have it "true" by default, as it will likely save a lot of
>> pain to many people. However I would not remove it as at least OAuth2
>> specs doesn't like it very well (Especially see 10.7
>> https://tools.ietf.org/html/rfc6749#page-57 ).
>>
>> Maybe better alternative is to have the possibility to enable it for
>> master realm with something like the keycloak-bootstrap.json file, which
>> was planned to be added at some point (or maybe even have the option in
>> keycloak-server.json) ?
>>
>> Marek
>>
>> On 2.6.2015 15:04, Stian Thorgersen wrote:
>>> I propose we remove the option to enable/disable direct grant and always
>>> have it on. Alternatively we need an option to enable it without using the
>>> admin console.
>>>
>>> This is for users that want to use a CLI, or needs to do some automatic
>>> configuration when provisioning a KC.
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
More information about the keycloak-dev
mailing list