[keycloak-user] JWT 'sub' claim in client credentials flow

Balazs Kovacs balazskov at gmail.com
Mon Dec 4 09:01:18 EST 2017


Hi,

Thank you for the quick response.

Having the service account ID there makes sense. I also managed to find the
API to query the service account belonging to the client, so they are not
hidden.

GET /admin/realms/{realm}/clients/{id}/service-account-user

Br,
Balazs

On Mon, Dec 4, 2017 at 11:02 AM, Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster at bosch-si.com> wrote:

> Hi,
>
> That’s probably because Keycloak uses service accounts internally to
> control the role mapping of clients with the client credentials grant. A
> service account is kind of a hidden user, so you get the sub of that
> service account and not of the client itself.
> Not sure this is meant to stay like that, I could imagine also putting the
> client ID in there instead...
>
> Best regards,
> Sebastian
>
> Mit freundlichen Grüßen / Best regards
>
> Dr.-Ing.  Sebastian Schuster
>
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
> Sebastian.Schuster at bosch-si.com
>
> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
> Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung:
> Dr.-Ing. Rainer Kallenbach, Michael Hahn
>
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org
> [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Balazs Kovacs
> Sent: Montag, 4. Dezember 2017 10:40
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] JWT 'sub' claim in client credentials flow
>
> Hi,
>
> I'm experimenting with Keycloak 3.4.1 CR1.
>
> I'm executing a client_credentials flow with a client to get authorized at
> a resource server. When authorizing at the resource server, I'm using the
> JWT 'sub' claim to identify the subject accessing the resource server.
>
> Apparently, in this flow the 'sub' claim is getting an ID that I'm not
> able to relate to any metadata of the client. I would have expected the
> client_id be used as 'sub' but it is not.
>
> Here is a partial access token content I got for client credentials
> (client id is used in aud and azp fields below, and not 'sub'):
>
> {
>   "jti": "417742bc-b374-4457-955b-3a5c5cea1d02",
>   "exp": 1512377520,
>   "nbf": 0,
>   "iat": 1512377220,
>   "iss": "http://localhost:8081/auth/realms/myrealm",
>   "aud": "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f",
>   "sub": "a82751a5-3635-4cd3-941e-e0f38367ea73",
>   "typ": "Bearer",
>   "azp": "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f",
> ...
> }
>
> So I have these questions:
>
> - Is there a reason why 'sub' is not 'client_id' in client credentials
> flow? Note, that in authorization_code flow the 'sub' claim gets the ID of
> the user that I also see in the Admin Console, as expected.
>
>
> - If they have to be different, how could I query what 'sub' value will
> belong to a client_id without requesting a token on behalf of the client?
>  For example, can it be somehow retrieved from Admin REST API? (I didn't
> find it in the client schema either)
>
> Best Regards,
> Balazs Kovacs
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
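The thread establishes two facts a resource server needs: under the client_credentials grant Keycloak puts the ID of the client's service-account user into 'sub' (the clientId appears in 'azp'), and the Admin REST endpoint GET /admin/realms/{realm}/clients/{id}/service-account-user returns that user. The following is an added example, not code from the thread or from Keycloak: it builds a sub-to-clientId table from that endpoint and classifies an incoming token as a user or a client, cross-checking 'azp' so a stale table cannot misattribute a call. Assumptions not on the page: the client list is read from GET /admin/realms/{realm}/clients with the ClientRepresentation fields 'id', 'clientId' and 'serviceAccountsEnabled'; the HTTP layer is an injected get_json callable, replaced here by constructed data so the script runs offline; signature verification of the token is done elsewhere before these claims are trusted.

```python
"""Map the 'sub' of a client-credentials access token back to a Keycloak client.

Added example for this thread, not Keycloak's own code. Assumptions (not on
the page): the client list lives at GET /admin/realms/{realm}/clients and each
ClientRepresentation carries 'id', 'clientId' and 'serviceAccountsEnabled';
the service-account-user endpoint quoted in the thread returns a
UserRepresentation with an 'id'. `get_json` is injected so the same code
runs against a real admin client or, as below, against constructed data.
"""
import base64
import json
from typing import Any, Callable, Dict, Tuple

GetJson = Callable[[str], Any]


def build_sub_to_client_map(realm: str, get_json: GetJson) -> Dict[str, str]:
    """Return {service_account_user_id: clientId} for every client that has
    service accounts enabled. The key is exactly what lands in 'sub' when the
    client authenticates with the client_credentials grant."""
    mapping: Dict[str, str] = {}
    for client in get_json(f"/admin/realms/{realm}/clients"):
        if not client.get("serviceAccountsEnabled"):
            continue  # no service account, so this client can never be a 'sub'
        sa_user = get_json(
            f"/admin/realms/{realm}/clients/{client['id']}/service-account-user"
        )
        mapping[sa_user["id"]] = client["clientId"]
    return mapping


def read_claims(token: str) -> Dict[str, Any]:
    """Decode the payload segment of a compact JWT. This only parses; it does
    not verify the signature, which must already have happened (e.g. in the
    resource server's JWT library) before any claim here is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def identify_caller(claims: Dict[str, Any], sub_map: Dict[str, str]) -> Tuple[str, str]:
    """Classify the token subject.

    Returns ('client', clientId) when 'sub' is a known service-account user,
    otherwise ('user', sub). For a service-account token the 'azp' claim,
    which Keycloak sets to the clientId, must agree with the table; a
    mismatch means the table is stale or the token belongs to a different
    client, so the request is rejected rather than guessed at.
    """
    sub = claims["sub"]
    client_id = sub_map.get(sub)
    if client_id is None:
        return ("user", sub)
    azp = claims.get("azp")
    if azp is not None and azp != client_id:
        raise PermissionError(f"sub maps to {client_id} but azp is {azp}")
    return ("client", client_id)


# --- constructed stand-in for the Admin REST API (no network, sample data) ---
REALM = "myrealm"
FAKE_ADMIN_API = {
    f"/admin/realms/{REALM}/clients": [
        {"id": "c-1111", "clientId": "inventory-service", "serviceAccountsEnabled": True},
        {"id": "c-2222", "clientId": "web-frontend", "serviceAccountsEnabled": False},
    ],
    f"/admin/realms/{REALM}/clients/c-1111/service-account-user": {
        "id": "sa-aaaa", "username": "service-account-inventory-service"
    },
}


def fake_get_json(path: str) -> Any:
    """Stand-in for an authenticated admin HTTP GET returning parsed JSON."""
    return FAKE_ADMIN_API[path]


def make_demo_token(claims: Dict[str, Any]) -> str:
    """Build header.payload.signature for the demo only; the signature is a
    placeholder, so read_claims() must never be mistaken for verification."""
    def enc(obj: Any) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    sub_map = build_sub_to_client_map(REALM, fake_get_json)
    token = make_demo_token({"sub": "sa-aaaa", "azp": "inventory-service", "typ": "Bearer"})
    print(identify_caller(read_claims(token), sub_map))  # ('client', 'inventory-service')
```

Because the service-account user ID is stable for the life of the client, the table can be cached and rebuilt on a client-created or client-deleted admin event; the 'azp' cross-check is what keeps a stale cache from silently attributing one client's calls to another.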

