[keycloak-user] Recommendations for protecting REST service with bearer token and basic auth

Juraci Paixão Kröhling juraci at kroehling.de
Thu Nov 13 11:58:39 EST 2014



On 11/10/2014 02:38 PM, Bill Burke wrote:
> With basic auth, you have zero control over the client and you're 
> handing over credentials to that client.  Simple and easy for
> "hello world" apps sure.

Would it make sense to add something like Google's "Application
Specific Passwords"? This way, it's not the main credentials which are
being shared and those can be revoked individually if necessary.

An application that is not OAuth capable for some reason could then
make use of this.

- Juca.

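One way to implement the per-application passwords suggested in the message above, as an added Python sketch that is not Keycloak's or the poster's code: each client gets its own random secret, only a salted hash is stored, and the Basic header carries `user:id.secret` so the matching record can be found and revoked on its own. The function names, the in-memory store and the `id.secret` layout are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed in-memory store: app-password id -> record. Only a salted
# hash of the secret is kept, plus the owner and a label for the client,
# so one application's credential can be revoked without touching others.
_APP_PASSWORDS = {}


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def issue_app_password(user: str, label: str) -> Tuple[str, str]:
    """Create a password for one application; returns (id, secret).
    The secret is shown to the user once and never stored in clear."""
    pw_id = secrets.token_hex(4)
    secret = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    _APP_PASSWORDS[pw_id] = {"user": user, "label": label, "salt": salt,
                             "hash": _hash(secret, salt), "revoked": False}
    return pw_id, secret


def revoke_app_password(pw_id: str) -> None:
    _APP_PASSWORDS[pw_id]["revoked"] = True


def basic_header(user: str, pw_id: str, secret: str) -> str:
    """What the non-OAuth client sends: Basic base64(user:id.secret)."""
    return "Basic " + base64.b64encode(f"{user}:{pw_id}.{secret}".encode()).decode()


def authenticate_basic(authorization: str) -> Optional[str]:
    """Verify a Basic header against the app-password store.
    Returns the user name on success, None on any failure."""
    scheme, _, payload = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, cred = base64.b64decode(payload).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    pw_id, _, secret = cred.partition(".")
    rec = _APP_PASSWORDS.get(pw_id)
    if rec is None or rec["revoked"] or rec["user"] != user:
        return None
    if not hmac.compare_digest(rec["hash"], _hash(secret, rec["salt"])):
        return None
    return user
```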

