[keycloak-user] Question about application of protocol mappers when requesting an RPT

Francisco José Bermejo Herrera francisco.bermejo.herrera at tecsisa.com
Thu Oct 4 10:33:20 EDT 2018


Hello,

Why are protocol mappers belonging to the token's Authorized Party (azp)
applied when requesting an RPT instead of those belonging to its Audience
(aud)?
For example, when a Token Exchange is performed, the mappers belonging to
the new Audience are applied, not the Authorized Party ones.

Concretely, we have detected that this behavior is being enforced at this
line of code:
AuthorizationTokenService.java#L248
<https://github.com/keycloak/keycloak/blob/24e60747b694ab4d03e8e1cbf8e4da764337ff48/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java#L248>

Is that correct? Shouldn't mappers belonging to the Audience be applied
instead?

Thank you in advance!
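An added example (not part of the original post or of Keycloak's code) for reproducing the observation above: request an RPT through the UMA grant and then inspect the token's azp and aud claims together with the extra claims the mappers produced. The Keycloak base URL, realm, client ids and the sample token are assumptions constructed for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
# Claims Keycloak sets on an RPT regardless of mappers (not exhaustive).
BASE_CLAIMS = {"exp", "iat", "nbf", "jti", "iss", "sub", "typ", "azp", "aud",
               "session_state", "acr", "scope", "authorization"}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def request_rpt(base_url, realm, access_token, audience, timeout=10):
    """Ask the realm's token endpoint for an RPT via the UMA grant; `audience`
    is the resource server client id, the bearer token's azp is the caller."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    form = urllib.parse.urlencode({"grant_type": UMA_GRANT, "audience": audience})
    req = urllib.request.Request(url, data=form.encode(), method="POST",
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["access_token"]


def inspect_rpt(token):
    """Decode the payload WITHOUT verifying the signature (inspection only, never
    for access decisions); the non-base claims show which mappers were applied."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return {"azp": payload.get("azp"), "aud": aud,
            "azp_in_aud": payload.get("azp") in aud,
            "mapped_claims": sorted(k for k in payload if k not in BASE_CLAIMS)}


def make_sample_rpt():
    """Constructed, unsigned token shaped like an RPT (sample data only)."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"typ": "Bearer", "azp": "frontend-app", "aud": "resource-server",
               "sub": "user-1", "authorization": {"permissions": []},
               "department": "sales"}  # claim a protocol mapper would add
    return ".".join(_b64url(json.dumps(p).encode()) for p in (header, payload)) + "."
```

Run `inspect_rpt(request_rpt(...))` once with an access token issued to the requesting client and compare `mapped_claims` with the mappers configured on the azp client and on the audience client to see which set was applied.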


More information about the keycloak-user mailing list