[keycloak-user] KeyCloak Client Credentials pass http header values

Pedro Igor Silva psilva at redhat.com
Mon Sep 9 09:18:53 EDT 2019


Hi,

You could try a custom authenticator (maybe extending some of the built-in
authenticators you are using) in order to set notes into the authentication
session.

However, it seems to me you are relying on sensitive information sent
through HTTP headers that can be easily manipulated.

Regards.
Pedro Igor

On Fri, Sep 6, 2019 at 5:52 PM Rohit Chowdhary <rohit.chowdhary at gmail.com>
wrote:

> I want to connect two applications ClientApp, ResourceApp securely on
> behalf of a user via KeyCloak as the authorization server. The user does a
> login into ClientApp and then ClientApp calls REST APIs on ResourceApp in
> the background. I have set up KeyCloak adjacent to ResourceApp and
> configured ClientApp as a KeyCloak client. ClientApp gets the AccessToken
> and then calls APIs on the ResourceApp. In this Auth process, I want to
> communicate some information from ClientApp to ResourceApp via HTTP
> Headers, so that KeyCloak can add them into the JWT Access Token. (The
> reason I am trying this approach is that I will not need any user
> maintenance within the KeyCloak and ResourceApp).
>
> Questions: Am I trying to do something that is not possible or allowed in
> such a security setup? Is there a better way to achieve this without having to
> maintain Users and Roles in the KeyCloak server? I want KeyCloak to be just
> a mechanism to offload token generation and as a security mediator. Or can
> I pass the header data from the Auth request into the JWT token?
>
> I looked into the Client Mappers of KeyCloak, but since there is a redirect
> or forward within KeyCloak from Auth request to Get Token, the header
> values are getting lost.


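Pedro's suggestion sketched in code, as an added example that is not part of this thread or of Keycloak's own sources: a custom authenticator that copies one request header into a user session note (which the built-in "User Session Note" protocol mapper can then place in the access token), accepting the value only when it matches a strict pattern, because, as noted above, the header is client-controlled input. The header and note names, the package, and the javax.ws.rs import (Keycloak 7-era on WildFly) are assumptions; the AuthenticatorFactory and its META-INF/services registration that a real deployment also needs are omitted.

```java
package example.keycloak; // hypothetical package for this added example

import java.util.regex.Pattern;
import javax.ws.rs.core.HttpHeaders; // Keycloak 7-era (JAX-RS on WildFly); version-dependent

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Copies one request header into a user session note so a "User Session Note"
 * mapper can add it to the token. The header value is untrusted input: it is
 * validated against a strict pattern and must never drive authorization.
 * Place this execution AFTER the step that actually authenticates the user.
 */
public class HeaderNoteAuthenticator implements Authenticator {

    // Header and note names are assumptions chosen for this example.
    static final String HEADER_NAME = "X-Client-Context";
    static final String NOTE_NAME = "client_context";
    // Accept only short alphanumeric tokens; anything else is silently dropped.
    private static final Pattern ALLOWED = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        HttpHeaders headers = context.getHttpRequest().getHttpHeaders();
        String value = headers.getHeaderString(HEADER_NAME);
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        if (value != null && ALLOWED.matcher(value).matches()) {
            // User session notes are carried over to the user session at login,
            // so the value survives the redirect from the auth request to token issuance.
            authSession.setUserSessionNote(NOTE_NAME, value);
        }
        // This step only annotates the session; it never authenticates anyone.
        context.success();
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // No form submission is involved, so there is nothing to process here.
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

After deploying the provider, add the execution to a copy of the browser flow behind the password form and configure a "User Session Note" mapper on the client for `client_context`; the resource server must still treat the resulting claim as a hint from the client, not as a verified attribute.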