[keycloak-user] OpenID Connect support
Iván Perdomo
ivan at akvo.org
Fri Oct 31 11:49:52 EDT 2014
Wouldn't just using the
https://<KEYCLOAK-SERVER>/auth/realms/<REALM-NAME> a way to meet the
specification but also enable the multi-tenant behavior in Keycloak ?
Just an idea
On Fri, 31 Oct 2014 11:41:34 -0400
Bill Burke <bburke at redhat.com> wrote:
> realm name by itself is a valid URL, its just not a url with a scheme.
>
> On 10/31/2014 8:41 AM, prab rrrr wrote:
> > Read the spec once again and agree to your point that access code
> > can only be used once. Regarding "iss", as long as realm name is
> > replaced by URL, it should be good. I will do some more testing
> > today, mostly on validating the signature of the token and will let
> > you know if I find any discrepancies.
> >
> > Thanks once again, for the response and explanation.
> >
> >
> > On Thursday, October 30, 2014 8:53 PM, Bill Burke
> > <bburke at redhat.com> wrote:
> >
> >
> > Section 3 does mention that the issuer is a URL using HTTPS, but
> > this URL does not have to match the token endpoint URL. It is just
> > a unique identifier for the issuer. That's it.
> >
> > Maybe I'm just not understanding OIDC, but what you are describing
> > for "aud" and "azp" doesn't make sense to me. An ID Token is not
> > an access token. Its not something you pass around to use for
> > authz. Neither do you pass around access codes. Access codes are
> > only usable once.
> >
> > Keycloak just doesn't support multiple audiences. When an oauth
> > client is registered, a set of valid redirect uri patterns are
> > associated with it. You cannot associate a client with another
> > client. The ID Token will only ever contain one client_id in the
> > "aud" and the "azp" will always be blank because its an optional
> > setting.
> >
> > We support narrowed "trust" by role scope mappings. When an access
> > token is created for a specific client, it is only granted
> > permissions that are configured for that client's scope. For
> > example:
> >
> > * Service 'A' has roles of "user" and "admin"
> > * Service 'B' has roles of "admin" and "analyst"
> > * User has a role mapping of A.user, A.admin, B.admin, B.analyst
> > * Oauth client "C" is registered with a role scope mapping of A.user
> > * Oauth client 'C' initiates a token request on behalf of the User,
> > it gets an access token only with a permission of 'A.user' even
> > though the user has other permissions. So it wouldn't be able to
> > access Service 'B' at all.
> >
> >
> >
> > On 10/30/2014 6:42 PM, Raghuram wrote:
> > > Hi Bill - here is my understanding of the spec:
> > >
> > > Section 3.1.3.7 of the core spec says that clients must validate
> > > the
> > id tokens. The third point of the same section says that "aud" can
> > contain more than 1 element in which case the fourth point says
> > that the client should verify that "azp" is present and the fifth
> > point says azp should be verified against the client id
> > >
> > > Now when an oauth client registers, it can specify multiple
> > > redirect
> > Uris, corresponding to diff oauth clients that wish to participate
> > in a single sign on. When a user tries to access first client and
> > he is authenticated, the client just gets a code. If the code is
> > passed to the second client ( the first client could be web app and
> > the second client could be a database service) then the second
> > client could get an Idtoken. The auth server (key cloak in this
> > case) would then list all the client ids in "aud" and specify the
> > second client in "azp" which will be validated by the second client.
> > >
> > > The above is a valid use case in our organization
> > > ( authentication
> > delegation). It gives flexibility to the apps ( especially sensitive
> > ones) to pick the apps they trust rather than just participate in an
> > organization wide single sign on.
> > >
> > > Section 3 (openID provider metadata) of the discovery spec
> > > mentions
> > that issuer is a url using https.
> > >
> > > Hope I make sense.
> > >
> > > Thanks.
> > > Sent from my iPhone
> > >
> > >> On Oct 30, 2014, at 4:58 PM, Bill Burke <bburke at redhat.com
> > <mailto:bburke at redhat.com>> wrote:
> > >>
> > >> Ivan, btw, looking at the library you are using, validation of
> > >> the
> > ID token is optional.
> > >>
> > >>> On 10/30/2014 4:15 PM, Raghuram wrote:
> > >>> I tested with libraries based on Apache Oltu and even I noticed
> > that realm name is being sent in the Idtoken under "iss". "aud" is
> > null when I included multiple redirect Uris which is breaking the
> > validation (as per openid spec). "azp" is not being sent (it is
> > optional unless more than 1 client is registered) - expect that to
> > be sent once I register two clients.
> > >> "aud" has been fixed in master.
> > >>
> > >> "iss" still is the realm name. This is just a unique
> > >> identifier for
> > the realm. And there is nothing in the spec that I could find that
> > states that it must match the token endpoint URL. It just has to
> > be a URL that uniquely identifies the issuer. It is something that
> > is configured, or, found during OIDC discovery.
> > >>
> > >> "AZP
> > >> Your interpretation of AZP is not my interpretation of AZP. #1.
> > AZP is optional, we don't have to include it at all. #2 It would
> > only have the value of the client that requested the token. In
> > Keycloak, ID Tokens are generated and only given to one audience.
> > >>
> > >>
> > >>> Used /account for userinfo end point that didn't work. Will
> > >>> provide
> > more feedback as I continue to test
> > >>
> > >> As I said before, we do not support userinfo yet. Our access
> > >> tokens
> > are Json Web Signatures signed by the realm and the content is an
> > extended version of ID Tokens that contains additional keycloak
> > metadata.
> > >>
> > >>> Fyi -My libraries were tested completely against a server
> > implementation based on Mitre's open Id connect and they are good.
> > >>
> > >> It's on the roadmap to expand our OIDC support beyond the
> > >> minimal
> > requirements and to validate it against other implementations. Just
> > haven't gotten to it yet.
> > >>
> > >>
> > >> --
> > >> Bill Burke
> > >> JBoss, a division of Red Hat
> > >> http://bill.burkecentral.com <http://bill.burkecentral.com/>
> >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com <http://bill.burkecentral.com/>
> >
> >
>
--
Iván
More information about the keycloak-user
mailing list