[keycloak-user] Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant

Bill Burke bburke at redhat.com
Wed Jan 29 09:22:30 EST 2014


We do support 4.3, but I'm thinking of removing it as IMO it is a 
potential security hole.  I'm thinking of augmenting 4.3 so that the 
client additionally has to pass its own credentials as well as the 
user's.

I guess you want to do this because you want to control your own login 
screen? IMO, you lose a lot of the benefits of Keycloak by doing this 
(credential reset, acct mgmt, etc.).  Keycloak also allows you to add 
additional credential types over time without changing your application 
at all.  (i.e. if you wanted to add OTP).

On 1/29/2014 6:49 AM, Nils Preusker wrote:
> Hi all,
>
> first of all, congrats on the first alpha release of Keycloak!
>
> We're looking for a simple and lean way to add the OAuth 2.0 Resource
> Owner Password Credentials Grant to a web application written in
> JavaScript with a Java/REST backend (JBoss AS 7, planning to switch to
> WildFly, JAX-RS etc.).
>
> Since I didn't find any references in the code or the docs, I'm
> wondering: does Keycloak provide an implementation of the Resource Owner
> Password Credentials Grant as described in the OAuth Spec
> (http://tools.ietf.org/html/rfc6749#section-4.3)? In other words, is
> there a way to simply send a username and password to the auth server in
> exchange for an access token (and optionally a refresh token - from
> previous posts I gather this will be added soon...)?
>
> Cheers,
> Nils
>
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

