Hi,
You could try a custom authenticator (maybe extending some of the built-in
authenticators you are using) in order to set notes into the authentication
session.
However, it seems to me you are relying on sensitive information sent
through HTTP headers that can be easily manipulated.
Regards.
Pedro Igor
On Fri, Sep 6, 2019 at 5:52 PM Rohit Chowdhary <rohit.chowdhary(a)gmail.com>
wrote:
I want to connect two applications ClientApp, ResourceApp securely on
behalf of a user via KeyCloak as the authorization server. User does a
login into ClientApp and then ClientApp calls REST APIs on ResourceApp in
the background. I have set up KeyCloak adjacent to ResourceApp and
configured ClientApp as a KeyCloak client. ClientApp gets the AccessToken
and then calls APIs on the ResourceApp. In this Auth process, I want to
communicate some information from ClientApp to ResourceApp via HTTP
Headers, so that KeyCloak can add them into the JWT Access Token. (The
reason I am trying this approach is that I will not need any user
maintenance within the KeyCloak and ResourceApp).
Questions: Am I trying to do something that is not possible or allowed in
such a security setup? Is there a better way to achieve this without having to
maintain Users and Roles in the KeyCloak server? I want KeyCloak to be just
a mechanism to offload token generation and as a security mediator. Or can
I pass the header data from the Auth request into the JWT token?
I looked into the Client Mappers of KeyCloak, but since there is a redirect
or forward within KeyCloak from the Auth request to Get Token, the header
values are getting lost.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
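As an added illustration of the custom-authenticator approach suggested above (example code, not from the original thread or the Keycloak project): the authenticator below reads a header from the request that executes the login flow and stores it as a user-session note, which Keycloak's built-in "User Session Note" protocol mapper can then copy into the access token. The package, header name, note name and allowed-value pattern are assumptions, and the AuthenticatorFactory plus META-INF/services registration needed to deploy it are omitted.

```java
package example.keycloak; // hypothetical package

import java.util.regex.Pattern;

import javax.ws.rs.core.HttpHeaders;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Reads one request header during the login flow and stores it as a
 * user-session note, which the built-in "User Session Note" protocol mapper
 * can then place into the access token. Header and note names are hypothetical.
 */
public class HeaderNoteAuthenticator implements Authenticator {

    static final String HEADER_NAME = "X-ClientApp-Context"; // hypothetical
    static final String NOTE_NAME = "clientapp_context";     // hypothetical

    // The header arrives with the end user's request, so it is client-controlled
    // input: constrain its shape before persisting it anywhere.
    private static final Pattern ALLOWED = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        HttpHeaders headers = context.getHttpRequest().getHttpHeaders();
        String value = headers.getRequestHeaders().getFirst(HEADER_NAME);

        if (value != null && ALLOWED.matcher(value).matches()) {
            // User-session notes are carried into the user session on successful
            // login; plain auth notes (setAuthNote) stay inside the flow only.
            context.getAuthenticationSession().setUserSessionNote(NOTE_NAME, value);
        }
        // A missing or malformed header does not fail the flow: the note is
        // optional data, not a credential, and proves nothing about the caller.
        context.success();
    }

    @Override public void action(AuthenticationFlowContext context) { context.success(); }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Whatever lands in the note came straight from the client's request, so ResourceApp must treat the resulting claim as untrusted data rather than as an authorization decision.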