[keycloak-user] KeyCloak Client Credentials pass http header values

Pedro Igor Silva psilva at redhat.com
Mon Sep 9 15:37:31 EDT 2019


Hi,

This example [1] [2] may help you to get started.

IMO, still not secure even if those headers are sent only during
authorization requests. Even though you are likely using TLS during the
authorization request and relying on PKCE for binding the code to the
requesting client, you are still giving too much power to your client.

I would just manage roles and users in Keycloak. From Keycloak's perspective,
your approach would always mean the client authenticating on its own behalf,
which is not true. Your users won't be able to access the account service, or be
configured with specific capabilities that are configured/managed on a
per-user basis, etc.

In the end, you are probably complicating things instead of simplifying
your deployment.

[1]
https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi_walkthrough
[2]
https://github.com/keycloak/keycloak/tree/9fb9197b53af1275fad2c3930d21b3020e0ce677/examples/providers/authenticator

On Mon, Sep 9, 2019 at 12:07 PM Rohit Chowdhary <rohit.chowdhary at gmail.com>
wrote:

> Hi,
>
> Thanks for the guidance of using a custom authenticator. Is there a sample
> that I can start with?
>
> Also, to your concern about passing sensitive data in HTTP headers: I am
> asking the client only to send it for the Auth call with the Client Id and
> Client Secret. Once I get that in the initial call, I will have it added to
> the Access Token and then use it going forward. So, the client is not sending
> it in every consecutive request.
> Does that make sense, or is it still not secure enough?
>
> I really appreciate your response and thanks for your help.
>
> Regards
>
>
> On Mon, Sep 9, 2019 at 9:19 AM Pedro Igor Silva <psilva at redhat.com> wrote:
>
>> Hi,
>>
>> You could try a custom authenticator (maybe extending some of the
>> built-in authenticators you are using) in order to set notes into the
>> authentication session.
>>
>> However, it seems to me you are relying on sensitive information sent
>> through HTTP headers that can be easily manipulated.
>>
>> Regards.
>> Pedro Igor
>>
>> On Fri, Sep 6, 2019 at 5:52 PM Rohit Chowdhary <rohit.chowdhary at gmail.com>
>> wrote:
>>
>>> I want to connect two applications, ClientApp and ResourceApp, securely on
>>> behalf of a user via KeyCloak as the authorization server. The user does a
>>> login into ClientApp and then ClientApp calls REST APIs on ResourceApp in
>>> the background. I have set up KeyCloak adjacent to ResourceApp and
>>> configured ClientApp as a KeyCloak client. ClientApp gets the AccessToken
>>> and then calls APIs on the ResourceApp. In this Auth process, I want to
>>> communicate some information from ClientApp to ResourceApp via HTTP
>>> Headers, so that KeyCloak can add them into the JWT Access Token. (The
>>> reason I am trying this approach is that I will not need any user
>>> maintenance within KeyCloak and ResourceApp.)
>>>
>>> Questions: Am I trying to do something that is not possible or allowed in
>>> such a security setup? Is there a better way to achieve this without having
>>> to maintain Users and Roles in the KeyCloak server? I want KeyCloak to be
>>> just a mechanism to offload token generation and a security mediator. Or
>>> can I pass the header data from the Auth request into the JWT token?
>>>
>>> I looked into the Client Mappers of KeyCloak, but since there is a redirect
>>> or forward within KeyCloak from the Auth request to Get Token, the header
>>> values are getting lost.
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
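The mechanism Pedro points at above (a custom authenticator that copies a value from the authorization request into a session note, which a protocol mapper then places in the token), written out as an added example. This is not code from the thread or from the Keycloak project; it assumes a hypothetical header name `X-Tenant`, note/claim name `tenant`, provider id `header-note-authenticator`, and package `com.example.keycloak.headernote`, and it targets the 2019-era Keycloak authenticator SPI (`org.keycloak.authentication.Authenticator` / `AuthenticatorFactory`). The validation and the comments carry the caveat from the thread: the header is whatever the requester chose to send, so the resulting claim is client-asserted, not something Keycloak verified.

```java
package com.example.keycloak.headernote; // hypothetical package, not part of Keycloak

import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Copies one HTTP header from the authorization request into a user-session
 * note. Once the login completes, Keycloak attaches user-session notes to the
 * UserSessionModel, where the built-in "User Session Note" protocol mapper can
 * read them and emit a token claim.
 *
 * Caveat (the point made in the thread): whoever issues the authorization
 * request picks this header, so the note and the claim built from it are
 * asserted by the client, not verified by Keycloak. Treat the claim accordingly
 * on the resource server.
 */
public class HeaderNoteAuthenticator implements Authenticator, AuthenticatorFactory {

    public static final String PROVIDER_ID = "header-note-authenticator"; // assumed id
    static final String HEADER_NAME = "X-Tenant";                          // assumed header
    static final String NOTE_NAME = "tenant";                              // assumed note/claim name

    // Only accept a short, conservative character set: never copy arbitrary
    // request bytes into a token claim.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String value = context.getHttpRequest().getHttpHeaders().getHeaderString(HEADER_NAME);
        if (value == null) {
            context.attempted(); // header absent: leave the decision to the rest of the flow
            return;
        }
        if (!ALLOWED.matcher(value).matches()) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS); // fail closed on bad input
            return;
        }
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        authSession.setUserSessionNote(NOTE_NAME, value); // surfaces as a user-session note after login
        context.success();
    }

    @Override public void action(AuthenticationFlowContext context) { /* no form to process */ }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }

    // ---- factory side: the same class registers itself as its own factory ----
    @Override public Authenticator create(KeycloakSession session) { return this; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Header to User Session Note"; }
    @Override public String getReferenceCategory() { return null; }
    @Override public boolean isConfigurable() { return false; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() {
        return "Copies the " + HEADER_NAME + " request header into the '" + NOTE_NAME
                + "' user session note. The value is client-asserted, not verified.";
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return new AuthenticationExecutionModel.Requirement[] {
                AuthenticationExecutionModel.Requirement.REQUIRED,
                AuthenticationExecutionModel.Requirement.DISABLED };
    }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
}
```

To wire it up, register the class in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, deploy the jar, add the execution to a copy of the flow that handles the request (for example the browser flow, which is the flow an authorization request runs), bind that flow, and add a "User Session Note" mapper on the client with note name `tenant` and the claim name you want. Note that the header has to be present on the request that reaches this authenticator; it is not carried across Keycloak's own redirects, which is the loss the original question describes.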