[keycloak-user] JWT 'sub' claim in client credentials flow

Schuster Sebastian (INST/ESY1) Sebastian.Schuster at bosch-si.com
Mon Dec 4 05:02:13 EST 2017


Hi,

That’s probably because Keycloak uses service accounts internally to control the role mapping of clients with the client credentials grant. A service account is kind of a hidden user, so you get the sub of that service account and not of the client itself.
Not sure this is meant to stay like that; I could imagine also putting the client ID in there instead...

Best regards,
Sebastian

With kind regards / Best regards

Dr.-Ing. Sebastian Schuster

Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.-Ing. Rainer Kallenbach, Michael Hahn



-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Balazs Kovacs
Sent: Monday, 4 December 2017 10:40
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] JWT 'sub' claim in client credentials flow

Hi,

I'm experimenting with Keycloak 3.4.1 CR1.

I'm executing a client_credentials flow with a client to get authorized at a resource server. When authorizing at the resource server, I'm using the JWT 'sub' claim to identify the subject accessing the resource server.

Apparently, in this flow the 'sub' claim is getting an ID that I'm not able to relate to any metadata of the client. I would have expected the client_id to be used as 'sub', but it is not.

Here is a partial access token content I got for client credentials (client id is used in aud and azp fields below, and not 'sub'):

{
  "jti": "417742bc-b374-4457-955b-3a5c5cea1d02",
  "exp": 1512377520,
  "nbf": 0,
  "iat": 1512377220,
  "iss": "http://localhost:8081/auth/realms/myrealm",
  "aud": "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f",
  "sub": "a82751a5-3635-4cd3-941e-e0f38367ea73",
  "typ": "Bearer",
  "azp": "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f",
...
}

So I have these questions:

- Is there a reason why 'sub' is not 'client_id' in the client credentials flow? Note that in the authorization_code flow the 'sub' claim gets the ID of the user that I also see in the Admin Console, as expected.


- If they have to be different, how could I query which 'sub' value belongs to a client_id without requesting a token on behalf of the client? For example, can it somehow be retrieved from the Admin REST API? (I didn't find it in the client schema either.)

Best Regards,
Balazs Kovacs
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
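The exchange above boils down to a resource-server question: for a client_credentials token, 'sub' is the id of the client's service-account user (as Sebastian explains), while the client itself appears in 'azp' (and, in the sampled token, 'aud'). The following is an added example, not code from the thread or from Keycloak, showing how a resource server can classify the principal behind a token accordingly and detect a 'sub' that does not match the expected service-account user. The KNOWN_CLIENTS mapping, the client name "resource-client", the user token and the second user id are constructed; the uuids are taken from the token quoted in the question.

```python
# Added example (not from the thread or from Keycloak): classify the principal
# behind a Keycloak access token on the resource-server side. Claims are
# assumed to come from a token whose signature has already been verified.

# Constructed: what a resource server would cache from the Keycloak admin API,
# keyed by the client's internal uuid (the value that shows up in 'azp').
# The service-account user id is the 'sub' Keycloak puts into
# client_credentials tokens for that client. Values are hypothetical.
KNOWN_CLIENTS = {
    "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f": {
        "clientId": "resource-client",
        "serviceAccountUserId": "a82751a5-3635-4cd3-941e-e0f38367ea73",
    },
}

# Constructed: issuer copied from the token in the question.
EXPECTED_ISSUER = "http://localhost:8081/auth/realms/myrealm"

# Constructed sample: the claims from the question's client_credentials token.
SAMPLE_CLIENT_CREDENTIALS_TOKEN = {
    "jti": "417742bc-b374-4457-955b-3a5c5cea1d02",
    "exp": 1512377520,
    "nbf": 0,
    "iat": 1512377220,
    "iss": EXPECTED_ISSUER,
    "aud": "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f",
    "sub": "a82751a5-3635-4cd3-941e-e0f38367ea73",
    "typ": "Bearer",
    "azp": "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f",
}

# Constructed sample: an authorization_code token obtained by the same client
# on behalf of an ordinary user (hypothetical user id).
SAMPLE_USER_TOKEN = dict(
    SAMPLE_CLIENT_CREDENTIALS_TOKEN,
    jti="0d3f6c1e-constructed-user-token",
    sub="11111111-2222-3333-4444-555555555555",
)


def classify_subject(claims: dict, known_clients: dict = KNOWN_CLIENTS) -> dict:
    """Return who the token represents.

    For a client_credentials token, the caller is identified by 'azp' (the
    authorized party) and 'sub' must equal that client's service-account user
    id. For a user token, 'sub' is the user id and 'azp' is only the client
    that obtained the token on the user's behalf.
    """
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("typ") != "Bearer":
        raise ValueError("not a bearer access token")

    azp = claims.get("azp")
    sub = claims.get("sub")
    client = known_clients.get(azp)
    if client is None:
        # A token for a client this resource server does not know about
        # should not be mapped to any principal.
        raise ValueError(f"token issued to unknown client {azp!r}")

    if sub == client["serviceAccountUserId"]:
        return {
            "principal_type": "service-account",
            "principal": client["clientId"],   # authorize on the client, not on 'sub'
            "client_uuid": azp,
            "service_account_user_id": sub,
        }
    return {
        "principal_type": "user",
        "principal": sub,
        "client_uuid": azp,
    }


def is_rejected(claims: dict) -> bool:
    """True if classify_subject refuses the token (used to exercise the failure path)."""
    try:
        classify_subject(claims)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(classify_subject(SAMPLE_CLIENT_CREDENTIALS_TOKEN))
    print(classify_subject(SAMPLE_USER_TOKEN))
```

The mapping in KNOWN_CLIENTS is the piece Balazs asks about. To my knowledge, recent Keycloak versions expose it through the admin REST API as GET /admin/realms/{realm}/clients/{id}/service-account-user, which returns the service-account user for a client with service accounts enabled; whether that endpoint is present in 3.4.1 CR1 is an assumption to confirm against that release's admin API documentation. Either way, the design choice is the same: a resource server should key authorization for client_credentials tokens on the client named in 'azp' and treat 'sub' as an opaque service-account user id that it verifies against its cached mapping rather than as the client identity.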
