facebook appsecret_proof


Anatoliy Artemenko

Jul 30, 2021, 2:44:25 AM7/30/21
to Keycloak Dev

Facebook has an option of added security, which could be enabled by the facebook application admins. Enabling this option makes the appsecret_proof parameter required for every API call to the service. 

https://developers.facebook.com/docs/graph-api/securing-requests/

I could find no mention of that in this group or on the internet. So, I added parameter generation to the FacebookIdentityProvider class and would like to create a PR. But before that I think there are two improvements, which are good (but not a must) to make:

  1. make this extension configurable from the KC admin pages
  2. perhaps the sk var (see below) could be cached. But I don't know how to make it so that every adapter would have its own copy of that cached value.

As well as a general question: how does the community relate to that improvement? If it is worth adding, I'd need some help to figure out how to solve those two. Worth noting, this change is backwards compatible: the presence of this parameter does not break applications configured not to use the appsecret_proof.



Václav Muzikář

Aug 9, 2021, 6:55:06 AM8/9/21
to Anatoliy Artemenko, Keycloak Dev
I think that would be a great addition to the Facebook IdP.

As it's backward compatible, IMHO it doesn't need to be configurable as it can be included in every request to FB API. IMHO the perf impact is not that bad so it doesn't need to be cached but I'm not 100% sure without testing it. Maybe we could cache it as a config property if we really needed to.



--
Václav Muzikář
Senior Software Engineer
Keycloak / Red Hat Single Sign-On
Red Hat Czech s.r.o.