we do not want to exchange service A token to service B token, or any other
we want to get a service A token but with the set of roles restricted to the roles
assigned just from service B (without service C roles)
"give me my token for communication with service B"
"give me my token for communication with service C"
2018-02-05 10:54 GMT+01:00 Stian Thorgersen <sthorger(a)redhat.com>:
Did you look at the token exchange service?
On 5 February 2018 at 10:14, Daniel Charczyński <danielcharczynski(a)o2.pl>
> Hi everyone
> I think that there is an important need to implement a feature that makes it
> possible to get an access token according to the target service
> we are using bearer access tokens in case of authorization between
> this is JWT signed by keycloak and contains all roles assigned to this
> specific client
> we are using "service account" in case of authorization service to service
> if we have the following scenario
> service A ---> service B
> |------------- > service C
> service A receives JWT with roles to service B and C
> If Service A communicates with B, B is able to reuse this token and
> communicate with C as service A
> Token that B receives from A is valid and there is possibility to reuse it
> That is a CRITICAL security issue in my opinion.
> Our plan is to use Roles that require the scope parameter and it is OK for us
> but at the moment there is only possibility to query for specific Role but
> there is NO possibility to ask keycloak for JWT with all roles but only in
> service B context.
> Of course we can use composite roles but this is a workaround that requires
> extra maintenance - we do not want to do it that way
> We just need support scope parameter like
> *scope = serviceB/**
> We created
> * https://github.com/keycloak/keycloak/pull/4910 - closed as duplicate *
> Maybe our PR is too flexible - we built our solution using regex
> There is the possibility to use wildcards, anything
> Daniel Charczyński
> keycloak-dev mailing list
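The reuse problem described in the quoted message (B forwarding A's token to C) is what an audience-restricted, per-target token prevents. The following is an added example, not code from the thread or from Keycloak: it builds a token whose `aud` is the one target client and whose roles are limited to that client, and shows the verifier check each service should run before honouring a bearer token. It assumes HS256 with a shared demo key (Keycloak signs with RS256 by default; the key, client ids and role names are constructed sample values), and copies the claim layout Keycloak uses for client roles (`resource_access.<client>.roles`).

```python
"""Audience-restricted service tokens: issue a token usable at one target
service only, and reject it everywhere else. Standard library only.
Signing key, client ids and roles below are constructed demo values."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the issuer and the verifiers (assumption:
# HS256; a real Keycloak deployment uses an RS256 key pair instead).
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, target_client, all_client_roles, ttl=300):
    """Issue a JWT for `subject` that is valid only at `target_client`.

    `all_client_roles` maps client id -> roles the subject holds there.  Only
    the roles for the target client are copied in (Keycloak's
    resource_access.<client>.roles layout) and `aud` names that client, so a
    token for service B carries no service C roles and fails C's audience check.
    """
    now = int(time.time())
    payload = {
        "sub": subject,
        "aud": target_client,
        "iat": now,
        "exp": now + ttl,
        "resource_access": {
            target_client: {"roles": sorted(all_client_roles.get(target_client, []))}
        },
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_for_service(token, my_client_id, now=None):
    """Check signature, algorithm, expiry and audience for this service.

    Returns (True, roles) when the token was issued for `my_client_id`,
    otherwise (False, reason).  A forwarded token for another service is
    rejected on the audience check even though its signature is valid.
    """
    try:
        h, p, s = token.split(".")
        signature = _b64url_decode(s)
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SIGNING_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        return False, "expired"
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if my_client_id not in audiences:
        return False, "token not issued for " + my_client_id
    roles = payload.get("resource_access", {}).get(my_client_id, {}).get("roles", [])
    return True, roles


def demo():
    """Service A holds roles at B and C; a token minted for B must not work at C."""
    roles = {"service-b": ["orders:read"], "service-c": ["billing:write"]}
    token_for_b = issue_token("service-a", "service-b", roles)
    ok_b, roles_b = verify_for_service(token_for_b, "service-b")
    ok_c, reason_c = verify_for_service(token_for_b, "service-c")  # B forwarding A's token
    return ok_b, roles_b, ok_c, reason_c


if __name__ == "__main__":
    print(demo())
```

The per-target issuance is the part the thread asks Keycloak for; the `aud` check in `verify_for_service` is the part each downstream service must do regardless, since a token that carries no audience restriction cannot be distinguished from a forwarded one.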