[keycloak-user] Recommendations for protecting REST service with bearer token and basic auth

Juraci Paixão Kröhling juraci at kroehling.de
Tue Nov 18 09:40:55 EST 2014


Any thoughts on that?

My use case is similar to a regular "SaaS", in which I'd provide an
API key and API secret (or a single token, or ...) to the users, who
can then use those credentials in simple bash scripts.

- Juca.


On 11/13/2014 05:58 PM, Juraci Paixão Kröhling wrote:
> On 11/10/2014 02:38 PM, Bill Burke wrote:
>> With basic auth, you have zero control over the client and
>> you're handing over credentials to that client.  Simple and easy
>> for "hello world" apps sure.
> 
> Would it make sense to add something like Google's "Application 
> Specific Passwords"? This way, it's not the main credentials which
> are being shared and those can be revoked individually if
> necessary.
> 
> An application that is not OAuth capable for some reason could
> then make use of this.
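An added example, not code from the thread or from the Keycloak project, of what the "simple bash script" case looks like with a bearer token instead of basic auth: the script holds a dedicated client id and secret (revocable on their own, much like the application-specific password idea above), exchanges them at Keycloak's OpenID Connect token endpoint, and presents only the short-lived access token to the REST service. The server URL, realm, client name and API URL are assumed placeholders; older Keycloak releases prefixed the endpoint path with `/auth`.

```shell
#!/bin/sh
# Added example (not from the thread or from Keycloak): authenticate a script
# with a dedicated client credential rather than basic auth on every request.
# KEYCLOAK_URL, REALM, CLIENT_ID and API_URL are assumed placeholder values.
set -eu
KEYCLOAK_URL="${KEYCLOAK_URL:-https://keycloak.example.com}"
REALM="${REALM:-demo}"
CLIENT_ID="${CLIENT_ID:-reporting-script}"
CLIENT_SECRET="${CLIENT_SECRET:-}"   # supplied by the operator, never hard-coded
API_URL="${API_URL:-https://api.example.com/reports}"

# Keycloak's OpenID Connect token endpoint for a realm.
token_endpoint() {
    printf '%s/realms/%s/protocol/openid-connect/token' "$1" "$2"
}

# Pull access_token out of the JSON token response on stdin without jq.
# The value is a JWT (base64url characters and dots), so the pattern is exact.
extract_access_token() {
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([A-Za-z0-9._-]*\)".*/\1/p'
}

# Read the exp claim from a JWT so the script can fetch a fresh token before
# expiry instead of presenting the client secret on every API call.
jwt_exp() {
    payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
    printf '%s' "$payload" | base64 -d \
        | sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9]*\).*/\1/p'
}

# Client credentials grant: the secret goes only to Keycloak, never to the API.
fetch_token() {
    [ -n "$CLIENT_SECRET" ] || { echo "CLIENT_SECRET is not set" >&2; return 1; }
    curl -sS --fail -X POST "$(token_endpoint "$KEYCLOAK_URL" "$REALM")" \
        -d grant_type=client_credentials \
        --data-urlencode "client_id=$CLIENT_ID" \
        --data-urlencode "client_secret=$CLIENT_SECRET" \
        | extract_access_token
}

# The REST service sees only the bearer token, which it validates against the
# realm's public key and which expires on its own.
call_api() {
    curl -sS --fail -H "Authorization: Bearer $1" "$2"
}

if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    token=$(fetch_token)
    echo "token valid until $(jwt_exp "$token")" >&2
    call_api "$token" "$API_URL"
fi
```

Run it with `RUN_EXAMPLE=1 CLIENT_SECRET=... ./script.sh`; the token parsing and expiry helpers work offline, and only `fetch_token` and `call_api` touch the network.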