Help-Desk: HELP-8898

[fiware-stackoverflow] FIWARE-Keyrock: Why are the OAuth2 credentials related to apps if they do not control access?

    Details

      Description

      Created question in FIWARE Q/A platform on 28-03-2017 at 22:03
      Please, ANSWER this question AT https://stackoverflow.com/questions/43079778/fiware-keyrock-why-are-the-oauth2-credentials-related-to-apps-if-they-do-not-co

      Question:
      FIWARE-Keyrock: Why are the OAuth2 credentials related to apps if they do not control access?

      Description:
      We have a scenario where I want to protect a service X with Wilma PEP Proxy. The service X is registered in Keyrock. The Wilma PEP Proxy contains the PEP credentials generated in Keyrock for service X. An application Y gets access to service X with the proper OAuth2 credentials generated for this specific service (client_id and client_secret from service X). It is OK. But there is a problem: an application Z also gets access to the service X with different OAuth2 credentials (not the service X credentials)!!

      If this is possible, why do we have applications with specific OAuth2 credentials generated in Keyrock if they do not control anything?! It does not make sense!

      It is a big security issue, because an intruder can register some application in Keyrock and, with tokens generated for this specific application (with its own OAuth2 credentials), this intruder can access all the applications registered in this Keyrock instance!
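The failure mode the question describes, shown as an added example that is not part of the question and not Wilma's or Keyrock's own code: a PEP-style check that accepts any token the identity manager recognises, beside a hardened check that also requires the token to have been issued to the application the proxy protects. The shape of the introspection reply (an `app_id` field naming the client the token was minted for, plus `id` and `roles`), the `PROTECTED_APP_ID` value and every token string are assumptions constructed for the example.

```javascript
// Added example, not Wilma's or Keyrock's own code. Demonstrates why a PEP
// proxy must check *which application* a token was issued to, not only that
// the token is valid. Assumption: the identity manager's introspection reply
// is a JSON object with `id` (user), `app_id` (client the token was issued
// to) and `roles`; a null reply means the token is unknown or expired.

const PROTECTED_APP_ID = 'service-x-client-id'; // constructed: client_id of service X

// Constructed sample introspection replies, keyed by token string.
const INTROSPECTION_REPLIES = {
  'tok-issued-to-service-x': { id: 'alice', app_id: 'service-x-client-id', roles: [{ name: 'user' }] },
  'tok-issued-to-app-z': { id: 'mallory', app_id: 'app-z-client-id', roles: [{ name: 'admin' }] },
};

// Stand-in for the network call to the identity manager.
function introspect(token) {
  return Object.prototype.hasOwnProperty.call(INTROSPECTION_REPLIES, token)
    ? INTROSPECTION_REPLIES[token]
    : null;
}

// Naive policy: every token the identity manager recognises is accepted.
// This is the behaviour the question complains about: a token minted for
// application Z opens service X.
function authorizeNaive(token) {
  return introspect(token) !== null;
}

// Hardened policy: the token must be valid AND bound to this proxy's own
// application; anything issued to another client is refused.
function authorizeBound(token, expectedAppId = PROTECTED_APP_ID) {
  const info = introspect(token);
  if (info === null) return { allowed: false, reason: 'invalid_token' };
  if (info.app_id !== expectedAppId) return { allowed: false, reason: 'wrong_audience' };
  return { allowed: true, user: info.id, roles: info.roles.map((r) => r.name) };
}

// Minimal request handler in the style of a PEP proxy: extracts the bearer
// token and maps the policy result onto HTTP status codes.
function handleRequest(headers) {
  const match = /^Bearer\s+(\S+)$/i.exec(headers.authorization || '');
  if (!match) return { status: 401, body: 'missing bearer token' };
  const result = authorizeBound(match[1]);
  if (!result.allowed) {
    return { status: result.reason === 'invalid_token' ? 401 : 403, body: result.reason };
  }
  // Forward to the backend with the identity the PEP established.
  return { status: 200, body: `forwarded as ${result.user} with roles [${result.roles.join(',')}]` };
}

// Stand-alone demo: the app-Z token passes the naive check but is refused by the bound one.
for (const token of ['tok-issued-to-service-x', 'tok-issued-to-app-z', 'tok-unknown']) {
  console.log(token, 'naive:', authorizeNaive(token), 'bound:', handleRequest({ authorization: `Bearer ${token}` }));
}
```

The distinction the example draws is the OAuth2 audience check: validity of a token and the resource it is meant for are separate questions, and a proxy that answers only the first one lets any registered client reach every protected service, which is exactly the situation the question reports. Rejecting a wrong-audience token with 403 rather than 401 also keeps the two failure modes distinguishable in the proxy's logs.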

        Activity

        backlogmanager Backlog Manager added a comment - 2017-05-22 15:11|CREATED monitor | # answers= 1, accepted answer= True

        backlogmanager Backlog Manager added a comment - 2017-05-22 18:08|UPDATED status: transition Answer| # answers= 1, accepted answer= True

        backlogmanager Backlog Manager added a comment - 2017-05-22 21:08|UPDATED status: transition Finish| # answers= 1, accepted answer= True

          People

          • Assignee: backlogmanager Backlog Manager
          • Reporter: backlogmanager Backlog Manager
          • Votes: 0
          • Watchers: 1
