[keycloak-user] how to retrieve access token only with roles for specific target service (keycloak client)?

Stian Thorgersen sthorger at redhat.com
Thu Feb 1 14:12:46 EST 2018


Looking at your PR again I see I made a quick conclusion last time as I
thought you were talking about the scope query parameter in OIDC, not about
client scopes. For client scopes it would make sense to have a button that
allows full scope for a specific client. At the moment we have full scope
for everything so that would be a sensible addition.

Could you drop an email about this to the keycloak-dev mailing list? That's
where implementation/contributions discussions belong. I'd like to get the
opinion from the rest of the team, but I'm on board with the idea.

On 31 January 2018 at 12:34, Daniel Charczyński <danielcharczynski at o2.pl>
wrote:

> Here are more details about use case
>
>
> background:
> we are using bearer access tokens in case of authorization between services
> this is a JWT signed by keycloak and contains all roles assigned to this
> specific client
> we are using "service account" in case of authorization service to service
>
>
> eg:
> if we have the following scenario
>
> service A   --->  service B
>     |
>     |-------------  > service C
>
> service A receives JWT with roles to service B and C
>
> If Service A communicates with B, B is able to reuse this token and
> communicate with C as service A
> The token that B receives from A is valid and there is a possibility to reuse it
> That is a CRITICAL security issue in my opinion.
>
> Our plan is to use Roles that require the scope parameter and it is OK for us
> but at the moment there is only the possibility to query for a specific Role but
> there is NO possibility to ask keycloak for a JWT with all roles but only
> in service B context.
>
> Of course we can use composite roles but this is a workaround that requires
> extra maintenance - we do not want to do it that way
>
> We just need support scope parameter like
>
> *scope = serviceB/**
>
>
> Regards
> Daniel Charczyński
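The reuse problem described in the thread, as an added illustration (not code from the thread or from Keycloak): a receiving service should accept a bearer token only if it is in the token's `aud` and should honour only the roles under `resource_access` for its own client id. The claim layout (`aud`, `azp`, `resource_access`) is Keycloak's; the client ids, role names and sample claims are constructed, and signature and expiry checks are assumed to have happened already.

```python
class TokenRejected(Exception):
    """Raised when a bearer token must not be honoured by this service."""

def authorize(claims: dict, my_client_id: str, required_role: str) -> list:
    """Accept already signature-checked claims only if the token was issued
    for this service and carries the required role *for this client*.
    Realm roles and roles granted for other clients are deliberately ignored."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # Keycloak emits a bare string for a single audience
        aud = [aud]
    if my_client_id not in aud:
        raise TokenRejected(f"aud {aud} does not include {my_client_id}")
    client_roles = claims.get("resource_access", {}).get(my_client_id, {}).get("roles", [])
    if required_role not in client_roles:
        raise TokenRejected(f"missing role {required_role!r} for {my_client_id}")
    return list(client_roles)

# Constructed claims: what service A receives today with full scope on everything.
FULL_SCOPE_TOKEN = {
    "azp": "service-a",
    "aud": ["service-b", "service-c"],
    "resource_access": {
        "service-b": {"roles": ["b:read"]},
        "service-c": {"roles": ["c:write"]},
    },
}

# Constructed claims: the narrowed token the thread asks for (scope=serviceB/*).
SERVICE_B_ONLY_TOKEN = {
    "azp": "service-a",
    "aud": "service-b",
    "resource_access": {"service-b": {"roles": ["b:read"]}},
}

def can_reuse_against_c(claims: dict) -> bool:
    """True if a token that B received from A would also be accepted by C."""
    try:
        authorize(claims, "service-c", "c:write")
        return True
    except TokenRejected:
        return False

if __name__ == "__main__":
    print("full-scope token reusable at C:", can_reuse_against_c(FULL_SCOPE_TOKEN))   # True
    print("B-only token reusable at C:   ", can_reuse_against_c(SERVICE_B_ONLY_TOKEN))  # False
```

The first token passes C's checks even though A only meant to call B, which is exactly the reuse the thread reports; the narrowed token is rejected at C while still working at B.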
