[keycloak-user] Recommendations for protecting REST service with bearer token and basic auth

Bill Burke bburke at redhat.com
Tue Nov 18 10:21:23 EST 2014


How is that any different than our access tokens?

On 11/18/2014 9:40 AM, Juraci Paixão Kröhling wrote:
> Any thoughts on that?
>
> My use case is similar to a regular "SaaS", in which I'd provide an
> API key and API secret (or a single token, or ...) to the users, which
> can then use those credentials on simple bash scripts.
>
> -- Juca.
>
>
> On 11/13/2014 05:58 PM, Juraci Paixão Kröhling wrote:
>> On 11/10/2014 02:38 PM, Bill Burke wrote:
>>> With basic auth, you have zero control over the client and
>>> you're handing over credentials to that client.  Simple and easy
>>> for "hello world" apps sure.
>>
>> Would it make sense to add something like Google's "Application
>> Specific Passwords"? This way, it's not the main credentials which
>> are being shared and those can be revoked individually if
>> necessary.
>>
>> An application that is not OAuth capable for some reason could
>> then make use of this.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
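The thread contrasts two ways a script could authenticate to a REST service: a bearer access token (signed, expiring, scoped, revocable by id) and a per-application password of the kind Juca suggests (a secret that is not the user's main credential and can be revoked on its own). The following is an added illustration, not Keycloak's code and not a message from the thread: it models both checks in one small authorizer so the difference Bill points at is visible. Everything here is constructed for the example (the HMAC token format, the `AppPasswordStore` class, the `authorize` function, the signing key); a real deployment would use the identity provider's tokens and a proper secret store.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key for the example only.
SERVER_KEY = b"demo-signing-key-not-for-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Bearer access tokens: signed, expiring, scoped, revocable by id ---------
def issue_token(user: str, scopes: list, ttl: int, now: int) -> str:
    """Mint a compact token of the form base64(payload).base64(hmac)."""
    payload = {"sub": user, "scope": scopes, "exp": now + ttl,
               "jti": secrets.token_hex(8)}
    body = _b64url(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, now: int, revoked_ids: set):
    """Return the claims if signature, expiry and revocation checks pass, else None."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
        if claims["exp"] <= now or claims["jti"] in revoked_ids:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


# --- Application-specific passwords: one secret per app, revocable alone -----
class AppPasswordStore:
    def __init__(self):
        self._apps = {}  # app_id -> {"user", "hash", "revoked"}

    def issue(self, user: str, app_id: str) -> str:
        # The secret is high-entropy and random, so a plain SHA-256 digest
        # is enough at rest (this is not a user-chosen password).
        secret = secrets.token_urlsafe(24)
        self._apps[app_id] = {"user": user,
                              "hash": hashlib.sha256(secret.encode()).digest(),
                              "revoked": False}
        return secret

    def revoke(self, app_id: str) -> None:
        if app_id in self._apps:
            self._apps[app_id]["revoked"] = True

    def check(self, app_id: str, secret: str):
        entry = self._apps.get(app_id)
        if entry is None or entry["revoked"]:
            return None
        digest = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(entry["hash"], digest):
            return None
        return entry["user"]


def basic_header(app_id: str, secret: str) -> dict:
    """Build the Authorization header a bash script would send with curl -u."""
    raw = f"{app_id}:{secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def authorize(headers: dict, required_scope: str, now: int,
              store: AppPasswordStore, revoked_ids: set):
    """Decide one request. Returns (user or None, reason)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        claims = verify_token(auth[len("Bearer "):], now, revoked_ids)
        if claims is None:
            return None, "invalid or expired token"
        if required_scope not in claims["scope"]:
            return None, "token lacks scope"
        return claims["sub"], "bearer"
    if auth.startswith("Basic "):
        try:
            app_id, secret = base64.b64decode(auth[len("Basic "):]).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None, "malformed basic credentials"
        user = store.check(app_id, secret)
        if user is None:
            return None, "unknown or revoked app password"
        # An app password carries no scope: it acts with the user's full rights.
        return user, "basic"
    return None, "no credentials"
```

The asymmetry shows up in `authorize`: the bearer path can refuse a valid, unexpired token because it lacks a scope, while the basic path has nothing finer than "this app password is still valid" to decide on. Revoking an app password stops one script without touching the user's real password, which is the gain Juca describes; a short-lived scoped token additionally bounds what a leaked credential can do before revocation happens.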
