2:58 a.m.
Hello group,
I have the following scenario:
1) A SSO authenticated User1 calls Service1 (confidential client).
2) Service1 extracts access token.
3) Service1 performs a remote call to Service2 passing the access token
along.
4) Service2 needs to do something in the name of User1 in Keycloak (e.g.
set a user attribute, or create a new users)
5) Service2 uses org.keycloak.admin.client.Keycloak to communicate with
Keycloak
to perform the requested operation.
I want to be able to propagate the access token in
Service to service calls and use the 'org.keycloak.admin.client.Keycloak'
client
with the provided access token to perform an operation in Keycloak.
Currently 'org.keycloak.admin.client.Keycloak' only supports client
credentials and / or password,
which it uses to get an refresh token to renew a potentially timed out
access token.
As a PoC I slightly adjusted the Keycloak client to allow for externally
provided access tokens:
https://gist.github.com/thomasdarimont/d82c4478df997556a9d16afb79787459
I think the Keycloak Client should also support "call once" scenarios with
a provided access token out of the box.
Shall I create a JIRA for this?
Cheers,
Thomas
7:42 a.m.
+1 to have support for scenario like this.
One small disadvantage of your approach is, that service2 will use
accessToken, which was issued to service1. It seems that more proper way
might be to have service on Keycloak side, that will allow service2 to
exchange the service1 token for it's own token. However that will likely
require much more work though...
Marek
On 08/08/16 09:58, Thomas Darimont wrote:
Hello group,
I have the following scenario:
1) A SSO authenticated User1 calls Service1 (confidential client).
2) Service1 extracts access token.
3) Service1 performs a remote call to Service2 passing the access
token along.
4) Service2 needs to do something in the name of User1 in Keycloak
(e.g. set a user attribute, or create a new users)
5) Service2 uses org.keycloak.admin.client.Keycloak to communicate
with Keycloak
to perform the requested operation.
I want to be able to propagate the access token in
Service to service calls and use the
'org.keycloak.admin.client.Keycloak' client
with the provided access token to perform an operation in Keycloak.
Currently 'org.keycloak.admin.client.Keycloak' only supports client
credentials and / or password,
which it uses to get an refresh token to renew a potentially timed out
access token.
As a PoC I slightly adjusted the Keycloak client to allow for
externally provided access tokens:
https://gist.github.com/thomasdarimont/d82c4478df997556a9d16afb79787459
I think the Keycloak Client should also support "call once" scenarios
with a provided access token out of the box.
Shall I create a JIRA for this?
Cheers,
Thomas
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
7:52 a.m.
Thanks Marek,
Service2 is more or less a service proxy which performs additional authz
checks. So service1 can only access the oidc parts of keycloak but service2
has broader access...
Benefit is that the action in Keycloak is performed with the Identity
information of the initiating service1 user which is then logged
accordingly in Keycloak.
Is this token exchange backed by a spec?
May I create a JIRA and a PR for my little extension?
Cheers,
Thomas
Marek Posolda <mposolda(a)redhat.com> schrieb am Mo., 8. Aug. 2016, 14:42:
+1 to have support for scenario like this.
One small disadvantage of your approach is, that service2 will use
accessToken, which was issued to service1. It seems that more proper way
might be to have service on Keycloak side, that will allow service2 to
exchange the service1 token for it's own token. However that will likely
require much more work though...
Marek
On 08/08/16 09:58, Thomas Darimont wrote:
Hello group,
I have the following scenario:
1) A SSO authenticated User1 calls Service1 (confidential client).
2) Service1 extracts access token.
3) Service1 performs a remote call to Service2 passing the access token
along.
4) Service2 needs to do something in the name of User1 in Keycloak (e.g.
set a user attribute, or create a new users)
5) Service2 uses org.keycloak.admin.client.Keycloak to communicate with
Keycloak
to perform the requested operation.
I want to be able to propagate the access token in
Service to service calls and use the 'org.keycloak.admin.client.Keycloak'
client
with the provided access token to perform an operation in Keycloak.
Currently 'org.keycloak.admin.client.Keycloak' only supports client
credentials and / or password,
which it uses to get an refresh token to renew a potentially timed out
access token.
As a PoC I slightly adjusted the Keycloak client to allow for externally
provided access tokens:
https://gist.github.com/thomasdarimont/d82c4478df997556a9d16afb79787459
I think the Keycloak Client should also support "call once" scenarios with
a provided access token out of the box.
Shall I create a JIRA for this?
Cheers,
Thomas
_______________________________________________
keycloak-dev mailing
listkeycloak-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
7:24 a.m.
There is this specs, but not sure if it's useful exactly for the case
like this : https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-05
+1 from me for JIRA and PR for your little extension for now.
Marek
On 08/08/16 14:52, Thomas Darimont wrote:
Thanks Marek,
Service2 is more or less a service proxy which performs additional
authz checks. So service1 can only access the oidc parts of keycloak
but service2 has broader access...
Benefit is that the action in Keycloak is performed with the Identity
information of the initiating service1 user which is then logged
accordingly in Keycloak.
Is this token exchange backed by a spec?
May I create a JIRA and a PR for my little extension?
Cheers,
Thomas
Marek Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>>
schrieb am Mo., 8. Aug. 2016, 14:42:
+1 to have support for scenario like this.
One small disadvantage of your approach is, that service2 will use
accessToken, which was issued to service1. It seems that more
proper way might be to have service on Keycloak side, that will
allow service2 to exchange the service1 token for it's own token.
However that will likely require much more work though...
Marek
On 08/08/16 09:58, Thomas Darimont wrote:
> Hello group,
>
> I have the following scenario:
> 1) A SSO authenticated User1 calls Service1 (confidential client).
> 2) Service1 extracts access token.
> 3) Service1 performs a remote call to Service2 passing the access
> token along.
> 4) Service2 needs to do something in the name of User1 in
> Keycloak (e.g. set a user attribute, or create a new users)
> 5) Service2 uses org.keycloak.admin.client.Keycloak to
> communicate with Keycloak
> to perform the requested operation.
>
> I want to be able to propagate the access token in
> Service to service calls and use the
> 'org.keycloak.admin.client.Keycloak' client
> with the provided access token to perform an operation in Keycloak.
>
> Currently 'org.keycloak.admin.client.Keycloak' only supports
> client credentials and / or password,
> which it uses to get an refresh token to renew a potentially
> timed out access token.
>
> As a PoC I slightly adjusted the Keycloak client to allow for
> externally provided access tokens:
> https://gist.github.com/thomasdarimont/d82c4478df997556a9d16afb79787459
>
> I think the Keycloak Client should also support "call once"
> scenarios with a provided access token out of the box.
>
> Shall I create a JIRA for this?
>
> Cheers,
> Thomas
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
3501
days inactive
3502
days old
3 comments
2 participants
participants (2)
-
Marek Posolda -
Thomas Darimont