[keycloak-user] Authenticating to a client with another client's service account
Pedro Igor Silva
psilva at redhat.com
Thu Mar 29 08:16:07 EDT 2018
On Thu, Mar 29, 2018 at 5:50 AM, Paolo Tedesco <Paolo.Tedesco at cern.ch>
wrote:
> Hi Marek and Pedro,
>
> Thanks for your answers, I will either try token exchange or just turn off
> audience verification for the time being, and try to assign roles to the
> client for access control.
> I think that "resource" is ADFS specific, I could not find mentions of it
> other than in ADFS documentation.
>
> What do you mean when you say that you will support audience through the
> scope parameter?
> That the token request should contain something like "scope = client ID of
> the target resource"?
>
Based on the scopes you ask you get the right audience(s).
>
> Thanks,
> Paolo
>
> -----Original Message-----
> From: Marek Posolda <mposolda at redhat.com>
> Sent: Monday, 26 March, 2018 20:35
> To: Pedro Igor Silva <psilva at redhat.com>; Paolo Tedesco <
> Paolo.Tedesco at cern.ch>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Authenticating to a client with another
> client's service account
>
> Yes, as Pedro mentioned, I hope that better audience support will be
> available in Keycloak master in next few weeks (or months), so in some next
> beta, it should be available. JIRA is
> https://issues.jboss.org/browse/KEYCLOAK-6638 .
>
> Question: This parameter "resource=client_id_of_the_api" seems to be ADFS
> specific parameter? Or is it mentioned in some specification? We plan to
> support better audience support through "scope" parameter or have it
> available by default (depends on where admin defines protocolMapper for
> audience).
>
> Thanks,
> Marek
>
> On 26/03/18 14:01, Pedro Igor Silva wrote:
> > This is something we are not doing correctly where access tokens are
> > always created with the client as the audience and not the resource
> > server / target service.
> >
> > Marek can give more insights about this but I think this should be
> > fixed by the work he is doing around Client Scopes.
> >
> > Another alternative is use token exchange [1].
> >
> > [1]
> > http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-ex
> > change
> >
> > Regards.
> > Pedro Igor
> >
> > On Fri, Mar 23, 2018 at 12:53 PM, Paolo Tedesco
> > <Paolo.Tedesco at cern.ch>
> > wrote:
> >
> >> I've found out that the problem was in the audience validation of my
> API.
> >> The access token I get from keycloak when I authenticate my
> >> confidential client has always
> >>
> >> aud = confidential_client_id
> >>
> >> How am I supposed to get a token with a difference audience value?
> >> I tried specifying in the POST request to the token endpoint
> >>
> >> resource = client_id_of_the_api
> >>
> >> which works with ADFS 2016, but seems to be ignored by Keycloak.
> >>
> >> Thanks,
> >> Paolo
> >>
> >> -----Original Message-----
> >> From: keycloak-user-bounces at lists.jboss.org
> <keycloak-user-bounces at lists.
> >> jboss.org> On Behalf Of Paolo Tedesco
> >> Sent: Friday, 23 March, 2018 11:11
> >> To: keycloak-user at lists.jboss.org
> >> Subject: [keycloak-user] Authenticating to a client with another
> >> client's service account
> >>
> >> Hi all,
> >>
> >> I have registered two clients in my Keycloak, one is an API (ID =
> >> client_api) and another is a confidential client (ID =
> >> confidential_client), which is a standalone application that should
> >> access the API with its own credentials.
> >> I've set the access type of both API and application to "confidential".
> >>
> >> >From the application, I obtain a token with a POST to
> >> https://keycloak-server/auth/realms/master/protocol/openid-connect/to
> >> ken
> >> with these parameters:
> >>
> >> client_id = confidential_client
> >> client_secret = <confidential client secret> grant_type =
> >> client_credentials
> >>
> >> >From this, I obtain a token, that looks like this:
> >> {
> >> "access_token": "eyJhbG...Z0qmQ"
> >> // other stuff
> >> }
> >>
> >> Then, I try to call my API with an authentication header with
> >>
> >> Bearer = "eyJhbG...Z0qmQ" (the accesss_token from previous step)
> >>
> >> However, this does not seem to work, and the API acts like the user
> >> is not authenticated.
> >> Any idea of what I'm doing wrong?
> >>
> >> Thanks,
> >> Paolo
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
More information about the keycloak-user
mailing list