I've found out that the problem was in the audience validation of my API.
The access token I get from Keycloak when I authenticate my confidential client always has
aud = confidential_client_id
How am I supposed to get a token with a different audience value?
I tried specifying in the POST request to the token endpoint
resource = client_id_of_the_api
which works with ADFS 2016, but seems to be ignored by Keycloak.
Thanks,
Paolo
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Paolo Tedesco
Sent: Friday, 23 March, 2018 11:11
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Authenticating to a client with another client's service account
Hi all,
I have registered two clients in my Keycloak, one is an API (ID = client_api) and another
is a confidential client (ID = confidential_client), which is a standalone application
that should access the API with its own credentials.
I've set the access type of both API and application to "confidential".
From the application, I obtain a token with a POST to
https://keycloak-server/auth/realms/master/protocol/openid-connect/token with these
parameters:
client_id = confidential_client
client_secret = <confidential client secret>
grant_type = client_credentials
From this, I obtain a token, that looks like this:
{
"access_token": "eyJhbG...Z0qmQ"
// other stuff
}
Then, I try to call my API with an authentication header with
Bearer = "eyJhbG...Z0qmQ" (the access_token from previous step)
However, this does not seem to work, and the API acts like the user is not authenticated.
Any idea of what I'm doing wrong?
Thanks,
Paolo
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user