[keycloak-dev] Implicit and hybrid flow

Stian Thorgersen sthorger at redhat.com
Mon Nov 30 02:28:26 EST 2015


Sounds good

On 29 November 2015 at 21:27, Marek Posolda <mposolda at redhat.com> wrote:

> On 27/11/15 11:52, Stian Thorgersen wrote:
>
> Is direct grant and implicit disabled by default?
>>
>> Implicit is disabled, but direct grant is enabled by default. This is
>> just for backwards compatibility, as in 1.6, we have direct grant de facto
>> enabled for all clients. If we want to have it disabled by default, we
>> should add a big note to migration docs. Or we can have it enabled for all
>> clients migrated from previous version, but keep the switch "off" in admin
>> console for new clients?
>>
>
> On for old, off for new works for me.
>
> Thinking that it's a bit tricky... For example if you import
> testrealm.json with demo example, the direct grants will be enabled for all
> clients, but at the same time the switch for newly created clients will be
> disabled. Looks strange to me.
>
> I wonder whether, for migration, it is more proper to enable direct grants
> just for the clients which have the "directGrantsOnly" switch enabled? Those
> are most likely the clients which were used in the previous version for the
> direct grants use case.
>
>
>
>>
>> At least, we have people who want to log in to the admin REST API by
>> default (without needing to go to the admin-console UI first and enable direct
>> grant for some client), so I guess this possibility should still be kept.
>>
>
> In reality they should not be using the admin console client to do so.
> They should create a separate client for it I think. We need to sort out
> some sort of bootstrapping for it though. Or maybe we have an admin-cli
> client?
>
> +1 for admin-cli client.
>
> So how about this:
> - new clients will have "direct access grant" switch off by default
> - Clients migrated from a previous version will have "direct access grant"
> only if they had "direct grants only" enabled. So those clients will have
> "standard=off, direct access grants=on"
> - New builtin client "admin-cli" will be added to each realm. It will be a
> public client with "standard=off, implicit=off, directAccessGrants=on" and
> will have the same scope as the current "security-admin-console"
> - security-admin-console will have directAccessGrants=off. This will be
> done automatically during migration from the previous version (as it has
> directGrantsOnly=off in 1.6.1).
> - Big note will be added to migration guide
>
> Marek
>
>
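The migration rule Marek proposes above, worked through as an added example that is not Keycloak's own migration code. The JSON field names `standardFlowEnabled`, `implicitFlowEnabled`, `directAccessGrantsEnabled` and `publicClient` are assumed; the sample realm export is constructed, not the real testrealm.json.

```python
# Added illustration of the migration rule proposed in the thread, not
# Keycloak's own code. Field names standardFlowEnabled, implicitFlowEnabled,
# directAccessGrantsEnabled and publicClient are assumed to match the client
# JSON representation; "directGrantsOnly" is the 1.6 switch being replaced.

ADMIN_CLI_ID = "admin-cli"

def new_client_defaults(client_id):
    """Fresh client in the new version: standard on, implicit off, direct off."""
    return {"clientId": client_id, "standardFlowEnabled": True,
            "implicitFlowEnabled": False, "directAccessGrantsEnabled": False}

def migrate_client(old):
    """Map a 1.6 client to per-flow switches: "directGrantsOnly" clients become
    standard=off, direct=on; all others (security-admin-console included) keep
    the standard flow and lose direct grants. Implicit is off for every migrated
    client (assumed: the switch did not exist before, so nothing relied on it)."""
    direct_only = bool(old.get("directGrantsOnly", False))
    new = {k: v for k, v in old.items() if k != "directGrantsOnly"}
    new["standardFlowEnabled"] = not direct_only
    new["implicitFlowEnabled"] = False
    new["directAccessGrantsEnabled"] = direct_only
    return new

def migrate_realm(realm):
    """Migrate every client, then add the built-in public admin-cli client
    (standard=off, implicit=off, directAccessGrants=on). Copying the admin
    console's scope mappings onto it is left out here."""
    clients = [migrate_client(c) for c in realm.get("clients", [])]
    if not any(c["clientId"] == ADMIN_CLI_ID for c in clients):
        admin_cli = new_client_defaults(ADMIN_CLI_ID)
        admin_cli.update({"publicClient": True, "standardFlowEnabled": False,
                          "directAccessGrantsEnabled": True})
        clients.append(admin_cli)
    return {**realm, "clients": clients}

def grant_summary(realm):
    """clientId -> (standard, implicit, directAccessGrants) after migration."""
    return {c["clientId"]: (c["standardFlowEnabled"], c["implicitFlowEnabled"],
                            c["directAccessGrantsEnabled"])
            for c in migrate_realm(realm)["clients"]}

# Constructed sample of a 1.6-style realm export (not the real testrealm.json).
SAMPLE_REALM = {"realm": "demo", "clients": [
    {"clientId": "security-admin-console", "publicClient": True, "directGrantsOnly": False},
    {"clientId": "customer-portal", "directGrantsOnly": False},
    {"clientId": "mobile-app", "publicClient": True, "directGrantsOnly": True},
]}
```

Running `grant_summary(SAMPLE_REALM)` shows the admin console and a normal web client ending up with direct grants off, while only the former "direct grants only" client and the new admin-cli keep them on.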