[keycloak-user] Using urn:ietf:wg:oauth:2.0:oob

Stian Thorgersen sthorger at redhat.com
Thu Aug 22 03:08:13 EDT 2019 

Not quite following your use-case. What type of application are
you referring to?

urn:ietf:wg:oauth:2.0:oob is generally useful for a CLI where there is no
browser. It will make Keycloak output the authorization code and the user
is required to copy/paste this to the application that can then use it to
obtain tokens.

OAuth 2.0 device authorization grant is a slightly better flow than the
above. We have a open design proposal for it here
https://github.com/keycloak/keycloak-community/pull/6, but so far we don't
have any contributions around it.

Finally, you can also use OAuth2 resource owner credential grant which
allows exchanging user credentials directly with a token without redirect.
This flow is rather limited do as you need to hardcode credential
collection in the application which makes it not very flexible (no support
for webauthn in the future, no support for identity brokering, etc..). It
also poses a security risk as you are exposing user credentials directly to
the applications, which will give applications potential to access
everything the user can and not just what the user can access for the
specific application, which is not great in a SSO scenario.

On Wed, 21 Aug 2019 at 12:55, Frans van Niekerk <frans.vanniekerk at gmail.com>
wrote:

> I am investigating the possibility to obtain the authorisation code from
> another channel to hopefully remove the need to have the user log into
> keycloak from a redirect the client initiated.
>
> It does seem like section 2.4.5 Redirect URLs (specifically the use of
> urn:ietf:wg:oauth:2.0:oob) allows for this.
>
> Where in Keycloak can the the authorisation token be obtained in this case?
> Can it be requested via API from another trusted application?
>
> Is it possible for a user to setup consent beforehand, then when the client
> asks for authorisation it is returned immediately instead of waiting for
> user interaction?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list