Thanks Bill - I think the below info would be useful in case we decide to go for remote
validation. But if we go for local validation of the tokens then we still have a problem
as we typically verify signature, issuer, expiry time and even audience. The issue is
that "aud" will have the clientid of the first app and hence it will fail
validation at the second and third apps. To address that issue, I am wondering if KC can
be enhanced to group a set of client applications and if any of the apps within that group
communicates with KC, then KC puts in all the clientids of all the apps in the group in
the "aud" parameter of the tokens? That would address the "aud"
validation with the second and third apps. Is that something that can be done in KC?
Thanks,
Raghu
Sent from my iPhone
On Apr 13, 2015, at 9:37 AM, Bill Burke <bburke(a)redhat.com> wrote:
Our tokens are JsonWebSignatures. If the other applications have the
public key of the realm, they can verify those signatures. Keycloak
also has a remote validation URL which you can send a token to.
/auth/realms/{realm}/protocol/openid-connect/validate?access_token={token}
> On 4/12/2015 6:58 AM, Raghu Prabhala wrote:
> We have a use case similar to the one listed in the below url -
> basically once a user is authenticated, a client application after
> receiving the tokens from the Provider, shares the tokens with a few
> other applications that are in a group. The other client applications
> should be able to verify the tokens without requiring any more user
> interaction. In the OIDC world, unfortunately, the aud parameter has the
> clientid of the first app only and it will fail validation by the other
> apps. So, is there any way this can be handled in KC?
>
> https://developers.google.com/identity/protocols/CrossClientAuth
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
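As an added example (not code from this thread, and not Keycloak's own implementation), here is the local validation Raghu describes, applied to the JSON Web Signatures Bill mentions: the receiving app checks the signature against the realm public key, then issuer, expiry and audience. The audience check accepts a token whose "aud" lists the receiving app's own client id, which is exactly what the proposed grouping would produce, so a token carrying only the first app's id is rejected by app-two while one listing the whole group passes. The realm key, issuer URL, client ids and timestamps are all constructed for the demo; the grouped-audience behaviour models the proposal in the thread, not an existing KC feature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims are the claims each app checks locally; "aud" is interface{} because RFC 7519 allows a string or an array.
type Claims struct {
	Iss string      `json:"iss"`
	Aud interface{} `json:"aud"`
	Exp int64       `json:"exp"`
}

// SignRS256 builds a compact JWS (header.payload.signature) the way a realm signing key would.
func SignRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// audContains accepts both encodings of "aud": a bare string or an array of strings.
func audContains(aud interface{}, id string) bool {
	list, _ := aud.([]interface{})
	if s, ok := aud.(string); ok {
		list = []interface{}{s}
	}
	for _, e := range list {
		if e == id {
			return true
		}
	}
	return false
}

// VerifyLocal checks the signature against the realm public key, then issuer, expiry (nowUnix is the verifier's clock) and audience.
func VerifyLocal(token string, pub *rsa.PublicKey, issuer, clientID string, nowUnix int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: %d segments", len(parts))
	}
	seg := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if seg[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d is not base64url", i)
		}
	}
	var hdr map[string]interface{} // pin the algorithm before using the signature; never honour alg=none or an HMAC alg
	if json.Unmarshal(seg[0], &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, fmt.Errorf("header rejected: only RS256 is accepted")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if json.Unmarshal(seg[1], &c) != nil {
		return nil, fmt.Errorf("payload is not valid JSON")
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	}
	if nowUnix >= c.Exp {
		return nil, fmt.Errorf("token expired at %d", c.Exp)
	}
	if !audContains(c.Aud, clientID) {
		return nil, fmt.Errorf("audience %v does not include %q", c.Aud, clientID)
	}
	return &c, nil
}

// main reproduces the thread with constructed data: a token issued for app-one is handed to app-two, first with a single "aud", then with the whole group listed.
func main() {
	realmKey, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the realm key pair
	if err != nil {
		panic(err)
	}
	const issuer = "https://sso.example.test/auth/realms/demo" // constructed issuer URL
	now := int64(1700000000)
	for _, aud := range []interface{}{"app-one", []string{"app-one", "app-two", "app-three"}} {
		tok, _ := SignRS256(realmKey, Claims{Iss: issuer, Aud: aud, Exp: now + 300})
		_, err = VerifyLocal(tok, &realmKey.PublicKey, issuer, "app-two", now)
		fmt.Printf("aud=%v -> app-two verdict: %v\n", aud, err)
	}
}
```

Running it prints app-two's verdict for both tokens: the single-audience token fails on the audience check, the grouped one passes. The header is parsed only to confirm the algorithm is the one the realm key is expected to use, so a changed "alg" cannot downgrade the signature check, and the signature is verified before any claim is trusted.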