[keycloak-user] Token Exchange “Permission Upgrade”

Robert Oxspring roxspring at imapmail.org
Fri Mar 1 08:53:54 EST 2019


Hi

I’ve been reading about token exchange and wondered if somebody could confirm whether it’s the right choice for my situation...

We have users connecting to a “front end” service and are able to establish an audit trail of who did what. We also have a “back end” service which the end users typically don’t have permission to use, but is needed to power some functions of the “front end” service. 

So far we’ve been using a service token within “front end” to make calls on the “back end” on behalf of the requesting user. This correctly allows the user to trigger some restricted back end behaviour without having direct access to the back end service, but means that the backend service has lost track of who it’s operating on behalf of and so the audit trail becomes unclear.

Would it be viable & sensible to instead have the front end exchange the user token for one that has elevated privileges (that the user doesn’t normally have) to the backend service and use that token to make downstream calls?

The token exchange docs explicitly mention the possibility of using exchange to downgrade permissions, but I’m not clear if they can also be used to upgrade permissions as I describe!

https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/token-exchange/token-exchange.adoc

Am I on the right track here or should I be looking at something else entirely?

Thanks,

Rob


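Added example (not part of the post, and not Keycloak's own code) showing the shape of the exchange request the front end would send, plus the check a backend can run so the audit trail stays attributable to the user: the exchanged token must keep the original `sub` and be scoped to the backend client. Client names `front-end`/`back-end` and the unsigned sample tokens are constructed assumptions; parameter names follow the token exchange documentation linked above.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def build_exchange_request(front_end_client, front_end_secret, user_token, backend_client):
    """Form body the front end POSTs to the realm's token endpoint
    (.../protocol/openid-connect/token) to swap the user's token for one
    scoped to the backend client. Whether the result carries extra roles is
    decided by the exchange permissions configured in Keycloak, not here."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": front_end_client,
        "client_secret": front_end_secret,
        "subject_token": user_token,
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "audience": backend_client,
    })


def jwt_payload(token):
    # Decodes the payload segment only. Signature verification against the
    # realm's JWKS is the backend's job and is out of scope for this check.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_chain_ok(user_token, exchanged_token, backend_client):
    """True if the exchanged token still identifies the same user (same sub)
    and names the backend as audience, so backend logs can be tied to the
    user rather than to the front end's service account."""
    original, exchanged = jwt_payload(user_token), jwt_payload(exchanged_token)
    aud = exchanged.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # Keycloak emits str or list
    return original["sub"] == exchanged["sub"] and backend_client in aud


def _sample_jwt(payload):
    # Constructed, unsigned token for offline demonstration only.
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(payload)}."


USER_TOKEN = _sample_jwt({"sub": "user-123", "aud": "front-end", "realm_access": {"roles": ["user"]}})
EXCHANGED_TOKEN = _sample_jwt({"sub": "user-123", "aud": ["back-end"], "azp": "front-end",
                               "realm_access": {"roles": ["user", "backend-caller"]}})
# The service-token approach from the post: identity of the real user is gone.
SERVICE_TOKEN = _sample_jwt({"sub": "service-account-front-end", "aud": "back-end"})
```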