Re: [keycloak-dev] token exchange
On Mon, Aug 14, 2017 at 10:42 AM, Bill Burke <bburke(a)redhat.com> wrote:
CLI tool I wrote doesn't allow token exchange, yet, but
you're correct,
I'm thinking of using it to perform token exchange.
Our ID tokens are not signed right now. Also you still need client to
client exchange so that you can "downgrade" a token to talk to an untrusted
service. I've also added new fine-grain permissions "exchange-from" and
"exchange-to".
For example, lets say Client A gets token and invokes on service B which
needs to invoke on untrusted service C.
When Client A gets token to invoke Service B, how the "aud" claim in the
token looks like for you ? Is it referencing Service B ?
Asking because I noticed that our access tokens are being issued using the
authenticated client in "aud" claim where it should contain (or in addition
to other audiences) the target service. A typical scenario for bearer token
authentication. Also, our BearerTokenRequestAuthenticator does not seem to
validate audience.
Considering the flow you described, Client A would need a token with
Service B as a valid audience in order to be able to start the flow.