[keycloak-dev] token exchange

Bill Burke bburke at redhat.com
Tue Aug 15 11:50:01 EDT 2017

On 8/15/17 8:41 AM, Pedro Igor Silva wrote:
> On Mon, Aug 14, 2017 at 10:42 AM, Bill Burke <bburke at redhat.com 
> <mailto:bburke at redhat.com>> wrote:
>     CLI tool I wrote doesn't allow token exchange, yet, but you're
>     correct, I'm thinking of using it to perform token exchange.
>     Our ID tokens are not signed right now.  Also you still need
>     client to client exchange so that you can "downgrade" a token to
>     talk to an untrusted service. I've also added new fine-grain
>     permissions "exchange-from" and "exchange-to".
>     For example, lets say Client A gets token and invokes on service B
>     which needs to invoke on untrusted service C.
> When Client A gets token to invoke Service B, how the "aud" claim in 
> the token looks like for you ? Is it referencing Service B ?
> Asking because I noticed that our access tokens are being issued using 
> the authenticated client in "aud" claim where it should contain (or in 
> addition to other audiences) the target service. A typical scenario 
> for bearer token authentication. Also, our 
> BearerTokenRequestAuthenticator does not seem to validate audience.
> Considering the flow you described, Client A would need a token with 
> Service B as a valid audience in order to be able to start the flow.
"aud" is who the token is created for.  i.e. the audience defines how 
the token is formatted: role mappings, claims, etc.
"azp" is who the token is issued for.  In an exchange situation like 
above "aud" would be Service C, but the "azp" claim would be "B". At 
least, that's how I have it implemented right now.


More information about the keycloak-dev mailing list