Yes,
we do not want to exchange a service A token for a service B token, or for any other
client.
We want to get a service A token but with the set of roles restricted to the roles
assigned just from service B (without service C roles),
something like
"give me my token for communication with service B"
or
"give me my token for communication with service C"
2018-02-05 10:54 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
Did you look at the token exchange service?
On 5 February 2018 at 10:14, Daniel Charczyński <danielcharczynski(a)o2.pl> wrote:
> Hi everyone
>
> I think that there is an important need to implement a feature that makes
> it possible to get an access token according to the target service
>
> background:
> we are using bearer access tokens for authorization between
> services
> this is a JWT signed by Keycloak and contains all roles assigned to this
> specific client
> we are using a "service account" for service-to-service authorization
>
>
> eg:
> if we have the following scenario
>
> service A ---> service B
> |
> |------------- > service C
>
> service A receives JWT with roles to service B and C
>
> If service A communicates with B, B is able to reuse this token and
> communicate with C as service A
> The token that B receives from A is valid and there is the possibility to reuse it
> That is a CRITICAL security issue in my opinion.
>
> Our plan is to use roles that require the scope parameter and it is OK for us,
> but at the moment there is only the possibility to query for a specific role;
> there is NO possibility to ask Keycloak for a JWT with all roles but only in
> the service B context.
>
> Of course we can use composite roles but this is a workaround that requires
> extra maintenance - we do not want to do it that way
>
> We just need support for a scope parameter like
>
> scope = serviceB/*
>
> We created
>
> https://github.com/keycloak/keycloak/pull/4910 - rejected
> and https://issues.jboss.org/browse/KEYCLOAK-6092 - closed as duplicate
> Maybe our PR is too flexible - we built our solution using regex
> There is the possibility to use wildcards, anything
>
> Regards
> Daniel Charczyński
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
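As an added illustration of the reuse problem described in this thread (example code, not from the thread and not Keycloak's own implementation): a minimal HS256 JWT issuer and a resource-server check that only accepts tokens minted for its own audience. It assumes a shared demo signing secret and the claim names `aud` and `roles`; the service names are constructed.

```python
# Added example: why a target-scoped token (audience + restricted roles) matters.
import base64, hmac, hashlib, json

SECRET = b"constructed-demo-secret"  # stands in for the realm's signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, audience: list, roles: list) -> str:
    """Issue a signed JWT for `subject`, usable only at the listed audiences."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": subject, "aud": audience, "roles": roles}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def accept_token(token: str, my_service: str, required_role: str) -> bool:
    """Resource-server check: valid signature, this service in `aud`, role present."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False
    claims = json.loads(_unb64(payload))
    if my_service not in claims.get("aud", []):
        return False  # minted for another target: reject the replayed token
    return required_role in claims.get("roles", [])

def demo() -> dict:
    # Broad token as in the thread: all of A's roles, valid at both B and C.
    broad = issue_token("service-a", ["service-b", "service-c"], ["b:read", "c:write"])
    # Target-scoped token: only B's roles, only B as audience.
    scoped = issue_token("service-a", ["service-b"], ["b:read"])
    return {
        "broad_at_b": accept_token(broad, "service-b", "b:read"),
        "broad_replayed_at_c": accept_token(broad, "service-c", "c:write"),  # the problem
        "scoped_at_b": accept_token(scoped, "service-b", "b:read"),
        "scoped_replayed_at_c": accept_token(scoped, "service-c", "c:write"),
    }

if __name__ == "__main__":
    print(demo())
```

The broad token is accepted by C even though A only presented it to B; the scoped token is rejected there, which is the behaviour the requested scope parameter is meant to give.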