[keycloak-user] KeyCloak Client Credentials pass http header values

Mon Sep 9 15:45:50 EDT 2019

Hello Pedro,

What you said makes a lot of sense.
The reason i am trying to avoid that is because of the whole baggage that
would come with provisioning users in KeyCloak and then keeping them
in-sync with the host system (system of record) for those users.
This is a multi-tenant application and will have few hundred tenants and
lots of users.

So, based on your advise, I will have to provision those users in KC in a
realm under different clients, grant them proper roles.
Provide the host systems with Client Id and Secret, so they can
Authenticate with just the UserName in the request header.
Next, i find the user in KC and then put the roles in JWT Access Token from
what is maintained in KC and not rely on host system to provide those to me
in the Auth call.

Please correct me if i am wrong in the explanation above.
I will start looking into the logistics of that implementation.

I really appreciate your help in this matter.

Regards

On Mon, Sep 9, 2019 at 3:37 PM Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi,
>
> This example [1] [2] may help you to get started.
>
> IMO, still not secure even if those headers are sent only during
> authorization requests. Even though you are likely using TLS during the
> authorization request and relying on PKCE for binding the code to the
> requesting client, you are still giving too much power to your client.
>
> I would just manage roles and users in Keycloak. From Keycloak
> perspective, your approach would always mean the client authenticating on
> its own behalf what is not true. Your users won't be able to access account
> service, or be configured with specific capabilities that are
> configured/managed on a per-user basis, etc.
>
> In the end, you are probably complicating things instead of simplifying
> your deployment.
>
> [1]
> https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi_walkthrough
> [2]
> https://github.com/keycloak/keycloak/tree/9fb9197b53af1275fad2c3930d21b3020e0ce677/examples/providers/authenticator
>
> On Mon, Sep 9, 2019 at 12:07 PM Rohit Chowdhary <rohit.chowdhary at gmail.com>
> wrote:
>
>> Hi,
>>
>> Thanks for the guidance of using a custom authenticator. Is there a
>> sample that I can start with?
>>
>> Also, to your concern about passing sensitive data in HTTP header: I am
>> asking the client only to send it for the Auth call with the Client Id and
>> Client Secret. Once, I get that in initial call, I will have it added to
>> Access Token and then use it going forward. So, the client is not sending
>> it in every consecutive requests.
>> Does that make sense or it is still not secure enough?
>>
>> I really appreciate your response and thanks for your help.
>>
>> Regards
>>
>>
>> On Mon, Sep 9, 2019 at 9:19 AM Pedro Igor Silva <psilva at redhat.com>
>> wrote:
>>
>>> Hi,
>>>
>>> You could try a custom authenticator (maybe extending some of the
>>> built-in authenticators you are using) in order to set notes into the
>>> authentication session.
>>>
>>> However, it seems to me you are relying on sensitive information sent
>>> through HTTP headers that can be easily manipulated.
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Fri, Sep 6, 2019 at 5:52 PM Rohit Chowdhary <
>>> rohit.chowdhary at gmail.com> wrote:
>>>
>>>> I want to connect two applications ClientApp, ResourceApp securely on
>>>> behalf of a user via KeyCloak as the authorization server. User does a
>>>> login into ClientApp and then ClientApp calls REST APIs on Resource App
>>>> in
>>>> the background. I have setup KeyCloak adjacent to ResourceApp and
>>>> configured ClientApp as a KeyCloak client. ClientApp gets the
>>>> AccessToken
>>>> and then calls APIs on the ResourceApp. In this Auth process, I want to
>>>> communicate some information from ClientApp to ResourceApp via HTTP
>>>> Headers, so that KeyCloak can add them into the JWT Access Token. (The
>>>> reason I am trying this approach is that I will not need any user
>>>> maintenance within the KeyCloak and ResourceApp).
>>>>
>>>> Questions: Am I trying to do something that is not possible or allowed
>>>> in
>>>> such security setup? Is there a better way to achieve without having to
>>>> maintain Users and Roles in the KeyCloak server? I want KeyCloak to be
>>>> just
>>>> a mechanism to offload token generation and as a security mediator. Or
>>>> Can
>>>> I pass the header data from Auth request into the JWT token?
>>>>
>>>> I looked into the Client Mappers of KeyCloak, but since there is a
>>>> redirect
>>>> or forward within KeyCloak from Auth request to Get Token, the header
>>>> values are getting lost.
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>