We did not consider the pairwise subject type in authorization services; we
need to review this ...
If we can resolve the local sub from a pairwise subject type, I think this
is the best way to go. But pairwise is using SHA-256, right?
I also noticed you are the main contributor of subject pairwise; any
specific reason why we are not using encryption?
Regards.
Pedro Igor
On Mon, Feb 19, 2018 at 11:40 AM, Martin Hardselius <martin.hardselius(a)gmail.com> wrote:
Hi,
It seems like authorization services break when using them with a pairwise
enabled client. I've not investigated the full extent of this, but long
story short, the sub from the token is used in token validation and in
org.keycloak.authorization.common.KeycloakIdentity for some comparisons.
Steps to reproduce:
1. Create a pairwise client with authorization enabled
2. Get an access token (client_credentials)
3. Try to post a new resource_set
I'm not sure what the best way to fix this is.
1. Re-write token validation and KeycloakIdentity to not rely on the sub in
the token,
2. Re-write the pairwise protocol mapper to ignore service accounts (feels
like putting make-up on a pig), or
3. "terminate" pairwise subs, replacing them with the internal sub, before
further processing.
Thoughts?
Regards,
Martin
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
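The following is an added illustration, not code from the thread or from Keycloak, of why a sub comparison breaks for a pairwise client and how Martin's option 3 ("terminate" the pairwise sub and replace it with the internal sub) can be realised when the pairwise value is a SHA-256 hash rather than something reversible. Because the hash is one-way, the server cannot decrypt the token's sub back to the local one; it has to recompute the hash for the local subs it knows and match against that (here via a per-sector index). The sector identifier, salt and user store are constructed sample values, and the hash input layout (concatenation of sector identifier, local sub and salt) is an assumption in the spirit of the OIDC pairwise construction, not Keycloak's exact byte layout or output format.

```python
import hashlib

# Constructed sample values (assumptions for this example, not real config).
SECTOR_IDENTIFIER = "https://client.example.com"
SALT = "constructed-salt-value"
USER_STORE = {  # internal (local) sub -> username
    "local-sub-alice": "alice",
    "local-sub-svc": "service-account-authz-client",
}


def pairwise_sub(sector_identifier, local_sub, salt):
    """Pairwise subject: one-way SHA-256 over sector id, local sub and salt.

    Assumed layout; the point is only that it is a hash, so it cannot be
    inverted, and it differs per sector identifier (the privacy property).
    """
    data = (sector_identifier + local_sub + salt).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_pairwise_index(sector_identifier, salt, user_store):
    """Precompute pairwise sub -> local sub for one client's sector.

    This is the only way to "resolve" a hashed pairwise sub: recompute it
    for every known local sub rather than trying to reverse the hash.
    """
    return {pairwise_sub(sector_identifier, local, salt): local
            for local in user_store}


def naive_identity_matches(token_sub, expected_local_sub):
    """The kind of comparison that breaks: token sub vs. internal sub."""
    return token_sub == expected_local_sub


def resolve_local_sub(token_sub, user_store, index):
    """Terminate a pairwise sub into the internal sub (option 3).

    Public subs pass through unchanged; pairwise subs are looked up in the
    index for the issuing client's sector; unknown values resolve to None.
    """
    if token_sub in user_store:
        return token_sub
    return index.get(token_sub)


def identity_matches(token_sub, expected_local_sub, user_store, index):
    """Comparison that resolves the sub first, so pairwise clients work."""
    local = resolve_local_sub(token_sub, user_store, index)
    return local is not None and local == expected_local_sub


def demo():
    """Reproduce the breakage for a service account, then the fixed check."""
    index = build_pairwise_index(SECTOR_IDENTIFIER, SALT, USER_STORE)
    # Token issued to the pairwise client via client_credentials carries
    # the hashed sub of its service-account user, not the internal one.
    svc_token_sub = pairwise_sub(SECTOR_IDENTIFIER, "local-sub-svc", SALT)
    return {
        "naive_compare": naive_identity_matches(svc_token_sub, "local-sub-svc"),
        "terminated_compare": identity_matches(
            svc_token_sub, "local-sub-svc", USER_STORE, index),
        "public_sub_compare": identity_matches(
            "local-sub-alice", "local-sub-alice", USER_STORE, index),
        "unknown_sub": resolve_local_sub("no-such-sub", USER_STORE, index),
        "other_sector_differs": pairwise_sub(
            "https://other.example.org", "local-sub-svc", SALT) != svc_token_sub,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The resolution step has to be keyed on the client that the token was issued to (its sector identifier and salt), otherwise a pairwise value from one client cannot be matched at all. This is also the practical difference behind Pedro's encryption question: an encrypted, reversible sub could be decrypted directly by the server, whereas a hashed one forces the recompute-and-lookup shown here.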