[keycloak-user] how to retrieve an access token only with roles for a specific target service (keycloak client)?

Daniel Charczyński danielcharczynski at o2.pl
Wed Jan 31 06:34:06 EST 2018


Here are more details about the use case


Background:
we are using bearer access tokens for authorization between services.
This is a JWT signed by Keycloak and contains all roles assigned to this
specific client.
We are using a "service account" for service-to-service authorization.


e.g.:
if we have the following scenario

service A   --->  service B
    |
    |-------------  > service C

service A receives a JWT with roles for service B and C

If service A communicates with B, B is able to reuse this token and
communicate with C as service A.
The token that B receives from A is valid and there is the possibility to reuse it.
That is a CRITICAL security issue in my opinion.

Our plan is to use roles that require the scope parameter, and that is OK for us,
but at the moment there is only the possibility to query for a specific role;
there is NO possibility to ask Keycloak for a JWT with all roles but only
in the service B context.

Of course we can use composite roles, but this is a workaround that requires
extra maintenance - we do not want to do it that way.

We just need support for a scope parameter like

scope = serviceB/*


Regards
Daniel Charczyński
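The replay problem described in the post is what audience restriction on the resource-server side is meant to stop: B should only accept a token that names B in its `aud` claim, so a token minted for B is useless against C. The example below is added here as an illustration and is not code from the poster or from Keycloak; it assumes HS256 with a constructed shared secret (Keycloak itself signs with RS256 and a realm key pair) and constructed client ids `service-a`, `service-b`, `service-c`. The claim names `aud`, `azp` and `resource_access` are the ones Keycloak actually emits.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, List

# Constructed demo secret so the example runs offline; a real verifier
# would check an RS256 signature against the realm's public key.
DEMO_SECRET = b"constructed-demo-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(issuer_client: str, audience: List[str], roles: dict) -> str:
    """Constructed stand-in for a Keycloak service-account token.
    A per-target token has audience=["service-b"]; the 'one token for
    everything' shape from the post has audience=["service-b", "service-c"]."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"azp": issuer_client, "aud": audience,
               "exp": int(time.time()) + 300, "resource_access": roles}
    signing_input = b64url(json.dumps(header).encode()) + "." + \
        b64url(json.dumps(payload).encode())
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_for_service(token: str, my_client_id: str) -> Optional[List[str]]:
    """Resource-server check: return the caller's roles for *this* service,
    or None if the token must be rejected (bad signature, expired, or
    minted for a different audience, i.e. a replayed token)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(DEMO_SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None  # signature does not verify
    claims = json.loads(b64url_decode(p))
    if claims.get("exp", 0) <= time.time():
        return None  # expired
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if my_client_id not in aud:
        return None  # not issued for us: reject the replay
    # Only the roles granted for this client are relevant to it.
    return claims.get("resource_access", {}).get(my_client_id, {}).get("roles", [])

if __name__ == "__main__":
    tok_b = mint_token("service-a", ["service-b"], {"service-b": {"roles": ["read"]}})
    print(verify_for_service(tok_b, "service-b"))  # ['read']
    print(verify_for_service(tok_b, "service-c"))  # None: replay against C fails
```

With a per-target token B can no longer forward A's token to C, which is the property the post asks Keycloak to provide through a narrower scope.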

