I’m in need of an authentication & authorization service that can manage our app’s pool of users. I stumbled upon Keycloak and have been checking it out for the past few days, but I’m wondering why Keycloak doesn’t provide an API for a client to sign in/sign up on behalf of a user.
Is this because Keycloak is exclusively made for Single Sign-On? Or is there a more fundamental reason to it?
I was reading this blog post about ROPC – https://www.identityserver.com/articles/fact-sheet-the-dangers-of-using-the-password-grant-type-with-mobile-applications – and I was struck by how harsh it was. While I can understand the caution for third-party apps using the authorization service, the author seems to stress that not even a first-party client app should be able to authenticate on behalf of the user.
In practice, it seems that some people are trying to get around this by using the admin API. This repo, for instance, logs in to Keycloak as an admin and then creates users from there. Login is then managed using the highly discouraged Resource Owner Password Grant. The sign-ups, in particular: isn’t this abusing the admin API? It’s practically giving admin credentials to a client that in the initial design was so untrustworthy that passwords shouldn’t even be inputted there. That’s madness!
In contrast, for example, I found that Amazon Cognito seems to allow this lightly – https://docs.amplify.aws/lib/auth/emailpassword/q/platform/js#sign-up. It even provides support for SDK integration, which is displayed on the service’s main page to show “how easy it is to integrate into your app”. Are they simply violating OAuth guidelines? Or is this actually acceptable practice – to let users input their credentials into your app? Should I even use an IAM for customer-facing applications like an e-commerce site?
Thanks a lot.