On Fri, Jul 28, 2017 at 5:24 PM, Bill Burke <bburke(a)redhat.com> wrote:
I've implemented a simple token exchange API [1] that allows you to
exchange an access token created for one client to another client. The
REST API follows the oauth token exchange api [2] very loosely.
subject_token: a keycloak access token
audience: takes a client id
It then takes the access token created for one client and converts it
to another. It lives under the token endpoint.
The security model is as follows:
* Authenticate calling client the same way as password grant.
* The calling client must have service account enabled
* Service account must have a realm role "token-exchanger" granted to it
or, it must have a client role "token-exchanger" granted to it. This
exchanger client role is a role defined by the target client you are
exchanging the token to.
Is this a good security model? I'm thinking of not creating these roles
right now and to enable support for exchange would require defining the
roles specified above.
I think roles are too coarse-grained to represent this kind of policy. A
better option would be to explicitly define the clients that are allowed to
exchange tokens for a particular resource server. E.g.:
RS A allows Client B, C and D to exchange their tokens where the target
audience is RS A (or if using "resource", a specific resource in RS A).
Future work would be to have an additional subject_issuer and
requested_issuer parameters. "subject_issuer" would match to a broker
alias, so you could exchange a facebook token for a keycloak realm
token. Same thing goes for "requested_issuer". This would allow you to
exchange a Keycloak token for a facebook token or some other registered
broker.
I'm following your discussion in OAuth2 WG. Do we really need these
additional parameters?
My understanding from the specs is that:
* Facebook -> Keycloak Realm
If you pass a "subject_token_type" like
"urn:keycloak:params:oauth:token-type:broker-{ALIAS}", where {ALIAS} is the
alias of the broker configured to your realm. Assuming {ALIAS} maps to a
Facebook broker in your realm, you probably know how to exchange the FB
opaque access token to a Keycloak realm token.
* Keycloak -> Facebook
If you pass a "requested_token_type" like
"urn:keycloak:params:oauth:token-type:broker-{ALIAS}", where {ALIAS} is the
alias of the broker configured to your realm. Assuming {ALIAS} maps to a
Facebook broker in your realm, you probably know how to exchange the
Keycloak token to a FB token.
Or are you thinking about something else?
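To make the two authorization models in this thread concrete, here is an added example (not Keycloak code, and not part of either message) that models the exchange decision at the token endpoint: the calling client is authenticated like a password grant, and then either Bill's role-based policy (service account enabled, plus a realm role "token-exchanger" or a "token-exchanger" client role defined by the target client) or the explicit per-resource-server allow-list proposed in the reply decides whether the exchange is permitted. Client ids, secrets, the `Client`/`AccessToken` classes and the check that the subject token was issued to the caller are all assumptions constructed for the illustration.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Client:
    """Constructed stand-in for a realm client (not Keycloak's model)."""
    client_id: str
    secret: str
    service_account_enabled: bool = False
    # realm roles granted to this client's service account (role policy)
    realm_roles: set = field(default_factory=set)
    # client roles granted to the service account, keyed by the client that
    # defines the role (role policy)
    client_roles: dict = field(default_factory=dict)
    # clients allowed to exchange tokens whose audience is this client
    # (explicit allow-list policy from the reply)
    exchange_allowed_from: set = field(default_factory=set)


@dataclass
class AccessToken:
    """Only the claims the decision needs; a real token carries far more."""
    subject: str
    audience: str


class ExchangeError(Exception):
    """Carries an OAuth-style error code for the token endpoint response."""


def authenticate_client(clients, client_id, client_secret):
    """Step 1: authenticate the caller the same way the password grant does."""
    client = clients.get(client_id)
    # constant-time compare; unknown client ids take the same path as bad secrets
    expected = client.secret if client is not None else ""
    if not hmac.compare_digest(expected, client_secret) or client is None:
        raise ExchangeError("invalid_client")
    return client


def role_policy_allows(caller, target):
    """Bill's model: service account + realm or target-defined client role."""
    if not caller.service_account_enabled:
        return False
    if "token-exchanger" in caller.realm_roles:
        return True
    return "token-exchanger" in caller.client_roles.get(target.client_id, set())


def allowlist_policy_allows(caller, target):
    """Reply's model: the target resource server lists the clients it trusts."""
    return caller.client_id in target.exchange_allowed_from


def exchange_token(clients, client_id, client_secret, subject_token, audience,
                   policy=role_policy_allows):
    """Model of the exchange request handled under the token endpoint."""
    caller = authenticate_client(clients, client_id, client_secret)
    target = clients.get(audience)
    if target is None:
        raise ExchangeError("invalid_target")
    # assumption of this model: the subject token was issued to the caller
    if subject_token.audience != caller.client_id:
        raise ExchangeError("invalid_request")
    if not policy(caller, target):
        raise ExchangeError("access_denied")
    return AccessToken(subject=subject_token.subject, audience=target.client_id)


def build_demo_realm():
    """Constructed realm: RS A trusts clients B and C under the allow-list."""
    return {c.client_id: c for c in [
        Client("rs-a", "s-a", exchange_allowed_from={"client-b", "client-c"}),
        Client("client-b", "s-b", True, client_roles={"rs-a": {"token-exchanger"}}),
        Client("client-c", "s-c", True, realm_roles={"token-exchanger"}),
        Client("client-d", "s-d", True),                       # no role at all
        Client("client-e", "s-e", False, realm_roles={"token-exchanger"}),
    ]}


def decide(client_id, secret, policy=role_policy_allows, audience="rs-a"):
    """Run one exchange against the demo realm and report the outcome."""
    clients = build_demo_realm()
    token = AccessToken(subject="alice", audience=client_id)
    try:
        new = exchange_token(clients, client_id, secret, token, audience, policy)
        return f"ok:{new.audience}"
    except ExchangeError as err:
        return str(err)


if __name__ == "__main__":
    for cid, sec in [("client-b", "s-b"), ("client-d", "s-d"), ("client-e", "s-e")]:
        print(cid, "role policy:", decide(cid, sec),
              "allow-list:", decide(cid, sec, allowlist_policy_allows))
```

Client E shows why the service-account check matters in the role model: the role alone is not enough. Client D shows the difference the reply is pointing at: under the allow-list, RS A decides who may exchange into it, whereas under the role model a realm-wide "token-exchanger" role would let a client exchange into every target at once.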