1:34 p.m.
Yes, as Pedro mentioned, I hope that better audience support will be
available in Keycloak master in next few weeks (or months), so in some
next beta, it should be available. JIRA is
https://issues.jboss.org/browse/KEYCLOAK-6638 .
Question: This parameter "resource=client_id_of_the_api" seems to be
ADFS specific parameter? Or is it mentioned in some specification? We
plan to support better audience support through "scope" parameter or
have it available by default (depends on where admin defines
protocolMapper for audience).
Thanks,
Marek
On 26/03/18 14:01, Pedro Igor Silva wrote:
This is something we are not doing correctly where access tokens are
always
created with the client as the audience and not the resource server /
target service.
Marek can give more insights about this but I think this should be fixed by
the work he is doing around Client Scopes.
Another alternative is use token exchange [1].
[1]
http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
Regards.
Pedro Igor
On Fri, Mar 23, 2018 at 12:53 PM, Paolo Tedesco <Paolo.Tedesco(a)cern.ch>
wrote:
> I've found out that the problem was in the audience validation of my API.
> The access token I get from keycloak when I authenticate my confidential
> client has always
>
> aud = confidential_client_id
>
> How am I supposed to get a token with a difference audience value?
> I tried specifying in the POST request to the token endpoint
>
> resource = client_id_of_the_api
>
> which works with ADFS 2016, but seems to be ignored by Keycloak.
>
> Thanks,
> Paolo
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces@lists.
> jboss.org> On Behalf Of Paolo Tedesco
> Sent: Friday, 23 March, 2018 11:11
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] Authenticating to a client with another client's
> service account
>
> Hi all,
>
> I have registered two clients in my Keycloak, one is an API (ID =
> client_api) and another is a confidential client (ID =
> confidential_client), which is a standalone application that should access
> the API with its own credentials.
> I've set the access type of both API and application to
"confidential".
>
> >From the application, I obtain a token with a POST to
> https://keycloak-server/auth/realms/master/protocol/openid-connect/token
> with these parameters:
>
> client_id = confidential_client
> client_secret = <confidential client secret> grant_type =
> client_credentials
>
> >From this, I obtain a token, that looks like this:
> {
> "access_token": "eyJhbG...Z0qmQ"
> // other stuff
> }
>
> Then, I try to call my API with an authentication header with
>
> Bearer = "eyJhbG...Z0qmQ" (the accesss_token from previous step)
>
> However, this does not seem to work, and the API acts like the user is not
> authenticated.
> Any idea of what I'm doing wrong?
>
> Thanks,
> Paolo
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user