[keycloak-user] KeyCloak Client Credentials pass http header values

Rohit Chowdhary rohit.chowdhary at gmail.com
Mon Sep 9 11:06:58 EDT 2019


Hi,

Thanks for the guidance of using a custom authenticator. Is there a sample
that I can start with?

Also, to your concern about passing sensitive data in HTTP headers: I am
asking the client to send it only for the Auth call, together with the Client Id and
Client Secret. Once I get that in the initial call, I will have it added to the
Access Token and then use it going forward. So the client is not sending
it in every consecutive request.
Does that make sense, or is it still not secure enough?

I really appreciate your response and thanks for your help.

Regards


On Mon, Sep 9, 2019 at 9:19 AM Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi,
>
> You could try a custom authenticator (maybe extending some of the built-in
> authenticators you are using) in order to set notes into the authentication
> session.
>
> However, it seems to me you are relying on sensitive information sent
> through HTTP headers that can be easily manipulated.
>
> Regards.
> Pedro Igor
>
> On Fri, Sep 6, 2019 at 5:52 PM Rohit Chowdhary <rohit.chowdhary at gmail.com>
> wrote:
>
>> I want to connect two applications, ClientApp and ResourceApp, securely on
>> behalf of a user via KeyCloak as the authorization server. The user logs
>> into ClientApp, and then ClientApp calls REST APIs on ResourceApp in
>> the background. I have set up KeyCloak adjacent to ResourceApp and
>> configured ClientApp as a KeyCloak client. ClientApp gets the AccessToken
>> and then calls APIs on the ResourceApp. In this Auth process, I want to
>> communicate some information from ClientApp to ResourceApp via HTTP
>> Headers, so that KeyCloak can add them into the JWT Access Token. (The
>> reason I am trying this approach is that I will not need any user
>> maintenance within KeyCloak and ResourceApp.)
>>
>> Questions: Am I trying to do something that is not possible or allowed in
>> such a security setup? Is there a better way to achieve this without having to
>> maintain Users and Roles in the KeyCloak server? I want KeyCloak to be just
>> a mechanism to offload token generation and act as a security mediator. Or can
>> I pass the header data from the Auth request into the JWT token?
>>
>> I looked into the Client Mappers of KeyCloak, but since there is a redirect
>> or forward within KeyCloak from the Auth request to Get Token, the header
>> values are getting lost.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
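The custom-authenticator approach Pedro describes above, as an added example that is not code from the thread or from the Keycloak project: a Keycloak Authenticator SPI implementation that copies one request header into a user-session note, which the built-in "User Session Note" protocol mapper can then emit as an access-token claim. The header name, note name and allowed-value pattern are assumptions; the header stays client-controlled input, and the pattern only constrains its shape, so the resource server must still decide how far to trust the resulting claim.

```java
// Added example (not from the thread): Keycloak Authenticator SPI class that
// stores a request header as a user-session note for the "User Session Note"
// mapper. Header/note names and the allowed pattern are made-up assumptions.
import java.util.regex.Pattern;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class HeaderNoteAuthenticator implements Authenticator {

    // Hypothetical header and note names; choose your own.
    static final String HEADER = "X-Tenant-Context";
    static final String NOTE = "tenant_context";
    // The header is client-supplied: accept only a short, constrained value
    // so nothing unexpected ends up inside the signed token.
    private static final Pattern ALLOWED = Pattern.compile("^[A-Za-z0-9_.-]{1,64}$");

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String value = context.getHttpRequest().getHttpHeaders().getHeaderString(HEADER);
        if (value == null || value.isEmpty()) {
            // No header on this request: continue the flow without the note.
            context.success();
            return;
        }
        if (!ALLOWED.matcher(value).matches()) {
            // Malformed value: stop the flow instead of minting a token with it.
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }
        // User-session notes outlive the authorization-code redirect and the
        // token request, so the mapper can read them when the token is built.
        context.getAuthenticationSession().setUserSessionNote(NOTE, value);
        context.success();
    }

    @Override public void action(AuthenticationFlowContext context) { /* no form step */ }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Deploying it still needs an AuthenticatorFactory registered under META-INF/services, an execution added to the client's browser flow, and a "User Session Note" mapper on the client that maps the note name to the claim name you want in the access token.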

