[keycloak-user] cascaded microservice security

Bill Burke bburke at redhat.com
Wed Dec 16 16:00:28 EST 2015 


On 12/16/2015 10:30 AM, Dirk Franssen wrote:
> Hi,
>
> as I didn't receive any feedback on this question yet, I will resend it
> (perhaps due to pending subscription)
>
> On Tue, Dec 8, 2015 at 12:09 PM, Dirk Franssen <dirk.franssen at gmail.com
> <mailto:dirk.franssen at gmail.com>> wrote:
>
>     Hi,
>
>     how would one configure Keycloak to obtain following scenario's?
>
>     Scenario 1:
>
>     client A: public (angular app)
>     client B: bearer-only (microservice)
>     client C: bearer-only (microservice)
>
>     - microservice B is allowed to call microservice C, but an
>     authenticated user in the js app A should be forbidden to call
>     microservice C directly.
>

Clients request to obtain tokens on behalf of a user.  Via the scope 
setting in the admin console for the client, you can control what roles 
are embedded in the token.  So, in this example, it really depends how 
the token was created.  If Client A asks for the token, you can 
completely control what roles are embedded in the token, so you can only 
allow access to B.  But, if you are expecting to re-use the token to 
make an extra communication to C, then it won't work.  Keycloak doesn't 
have a "token exchange" service where you can take one token and convert 
it to another.


>     Scenario 2:
>
>     client A: public (angular app)
>     client B: confidential (1 war with a REST service AND a JSF
>     application, both using the same EJB business layer which is
>     accessing microservice C)
>     client C: bearer-only (microservice)
>
>     - a user authenticated in the angular app can use the REST service
>     of app B and will see the results of microservice C, but the user
>     may not call microservice C directly
>     - a user authenticated in the JSF application will see the results
>     of microservice C when using the JSF application, but should not be
>     able to use microservice C directly (if the user would reuse the
>     same access_token)
>     - should there be different roles for the REST part and the JSF part
>     of app B (for accessing microservice C)?
>

Play around with AdminConsole->Clients->Client->Scope Mapping.  It will 
get you some of what you want, but not all.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the keycloak-user mailing list