[keycloak-user] how retrieve access token only with roles for specific target service (keycloak client)?

Daniel Charczyński danielcharczynski at o2.pl
Mon Jan 29 06:03:34 EST 2018


Hi

Are there any plans to implement this feature?


Anyone?

2018-01-18 15:36 GMT+01:00 Daniel Charczyński <danielcharczynski at o2.pl>:

>
> Hi
>
> I'd like to talk with you about
>
> https://github.com/keycloak/keycloak/pull/4910
> and
> https://issues.jboss.org/browse/KEYCLOAK-6092
>
> we have a CRITICAL security issue: a target service is able to receive an
> access token with roles for other services, so it is able to reuse it.
>
> We need to implement a feature that makes it possible to get an access token
> with roles per target service (client in Keycloak).
>
> Our idea is to use client roles that require scope.
> But in order to get all roles assigned from a specific target service we
> need to change the current behaviour.
>
> At the moment there is possibility to get specific role using scope
> parameter
>
> <clientId>/<role-name>
>
> but we need
>
> <clientId>/.*
>
> Have you got any idea to make it possible ASAP?
> We do not want to make any breaking changes...
>
> maybe we use a wildcard instead of a regexp, like <clientId>/* ?
> Just let me know how to do it in order to be compatible with your future
> plans and make it possible to merge...
>
> Regards
> Daniel
>

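The quoted message describes the risk from the resource-server side: a token that carries `resource_access` roles for several clients can be replayed by one of them against another. Until the issuer narrows the token, each receiving service can at least refuse tokens not addressed to it and map only its own roles onto local permissions. The following is an added example written for this thread; it is not code from the thread, the linked pull request, or the Keycloak project. It assumes the JWT signature and expiry have already been verified upstream and that the payload has been decoded into a dict shaped like a Keycloak access token (`aud`, `azp`, `resource_access`). The sample token below is constructed for illustration.

```python
"""Resource-server side check: honour only roles meant for this client.

Added example (not from the keycloak-user thread or the Keycloak project).
Assumes the JWT signature and expiry were verified upstream and the payload
decoded into a dict with Keycloak-style claims. SAMPLE_CLAIMS is constructed.
"""
from typing import List

# Constructed sample payload: a token issued to the front-end "web-app" that
# carries roles for two backend clients ("orders-api" and "billing-api").
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example/auth/realms/demo",  # placeholder issuer
    "sub": "user-123",
    "azp": "web-app",
    "aud": ["orders-api", "billing-api"],
    "exp": 4102444800,  # constructed far-future expiry
    "resource_access": {
        "orders-api": {"roles": ["order:read", "order:write"]},
        "billing-api": {"roles": ["invoice:read"]},
    },
}


class TokenNotForThisService(Exception):
    """Raised when a token should not be honoured by this service."""


def roles_for_service(claims: dict, my_client_id: str) -> List[str]:
    """Return only the roles that belong to `my_client_id`.

    Two defensive rules:
      1. The token must name this service in `aud` (or have been issued
         directly to it, i.e. `azp` equals this client). Otherwise it was
         minted for another service and a compromised peer may be replaying it.
      2. Roles granted to other clients are ignored and never mapped onto
         local permissions, even though they travel in the same token.
    """
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # Keycloak emits a bare string for one audience
        aud = [aud]
    if my_client_id not in aud and claims.get("azp") != my_client_id:
        raise TokenNotForThisService(
            "token audience %r does not include %r" % (aud, my_client_id))

    entry = claims.get("resource_access", {}).get(my_client_id, {})
    return sorted(entry.get("roles", []))


def foreign_clients(claims: dict, my_client_id: str) -> List[str]:
    """List the other clients whose roles ride along in this token.

    Worth logging: a service that keeps seeing tokens loaded with roles for
    many other clients is evidence the per-client scoping discussed in the
    thread is not yet in place.
    """
    resource_access = claims.get("resource_access", {})
    return sorted(c for c in resource_access if c != my_client_id)


if __name__ == "__main__":
    print("orders-api roles:", roles_for_service(SAMPLE_CLAIMS, "orders-api"))
    print("other clients in token:", foreign_clients(SAMPLE_CLAIMS, "orders-api"))
    try:
        roles_for_service(SAMPLE_CLAIMS, "inventory-api")
    except TokenNotForThisService as exc:
        print("rejected:", exc)
```

`roles_for_service` deliberately returns only the caller's own slice of `resource_access`; `foreign_clients` exists so the service can measure how much extra authority each incoming token carries, which is the signal that motivates the scope narrowing requested in the thread.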
