[keycloak-user] JWT 'sub' claim in client credentials flow

Balazs Kovacs balazskov at gmail.com
Mon Dec 4 04:40:03 EST 2017


Hi,

I'm experimenting with Keycloak 3.4.1 CR1.

I'm executing a client_credentials flow with a client to get authorized at
a resource server. When authorizing at the resource server,
I'm using the JWT 'sub' claim to identify the subject accessing the
resource server.

Apparently, in this flow the 'sub' claim is getting an ID that I'm not able
to relate to any metadata of the client. I would have expected
the client_id to be used as 'sub', but it is not.

Here is a partial access token content I got for client credentials
(client id is used in aud and azp fields below, and not 'sub'):

{
  "jti": "417742bc-b374-4457-955b-3a5c5cea1d02",
  "exp": 1512377520,
  "nbf": 0,
  "iat": 1512377220,
  "iss": "http://localhost:8081/auth/realms/myrealm",
  "aud": "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f",
  "sub": "a82751a5-3635-4cd3-941e-e0f38367ea73",
  "typ": "Bearer",
  "azp": "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f",
...
}

So I have these questions:

- Is there a reason why 'sub' is not 'client_id' in the client credentials
flow? Note that in the authorization_code flow the 'sub' claim gets the ID of
the user that I also see in the Admin Console, as expected.

- If they have to be different, how could I query what 'sub' value will
belong to a client_id without requesting a token on behalf of the client?
For example, can it be somehow retrieved from the Admin REST API? (I didn't
find it in the client schema either.)

Best Regards,
Balazs Kovacs
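As an added example, not part of the original post: a resource-server check in Python that verifies a token and then maps the 'sub' claim to a known user, falling back to the 'azp' claim (the client that obtained the token) when the subject is a service account rather than a user. The secret, the user table and the timestamp are constructed, and HS256 stands in for Keycloak's realm signing keys so the example runs offline.

```python
import base64, hashlib, hmac, json

# Constructed demo secret: HS256 is used only to keep this self-contained.
SECRET = b"constructed-demo-secret"
ISSUER = "http://localhost:8081/auth/realms/myrealm"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict) -> str:
    """Mint a token for the demo (stands in for the Keycloak token endpoint)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify(token: str, now: int) -> dict:
    """Resource-server side: check alg, signature, issuer and expiry before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg substitution (e.g. 'none')
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def resolve_subject(claims: dict, known_users: dict) -> tuple:
    """Map 'sub' to a known user; otherwise treat it as a service account and identify the caller by 'azp'."""
    sub = claims["sub"]
    if sub in known_users:
        return ("user", known_users[sub])
    return ("client", claims["azp"])

# Constructed input: the claims from the post plus a hypothetical user lookup table.
CLIENT_ID = "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f"
CLIENT_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "azp": CLIENT_ID, "typ": "Bearer",
                 "sub": "a82751a5-3635-4cd3-941e-e0f38367ea73", "iat": 1512377220, "exp": 1512377520}
USER_CLAIMS = dict(CLIENT_CLAIMS, sub="11111111-2222-3333-4444-555555555555")
KNOWN_USERS = {"11111111-2222-3333-4444-555555555555": "alice"}
NOW = 1512377300  # constructed clock value between iat and exp
```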
