Nice! Please feel free to send a PR with improvements to the docs.
Regarding app1 being able to exchange any token on R2: did you try to
write a JS policy with your access constraints on the token-exchange
permission?
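An added example of the JS policy approach suggested above (not code from the thread or from the Keycloak project): a script policy for the identity provider's token-exchange permission in R2 that grants the exchange only to an allow-listed calling client. The client name `app2_exchange_client` and the offline stand-in for `$evaluation` are assumptions; `kc.client.id` and `containsValue` are Keycloak's own policy-context API.

```javascript
// Added example (not from the thread): Keycloak JavaScript policy granting the
// identity provider's token-exchange permission only to allow-listed clients.
// Attached in R2 to the permission of the broker "R2_for_R1_users", it means a
// caller must be an approved R2 client, not merely hold the broker's secret.
// R2 clients allowed to exchange tokens (assumed names, not from the thread).
var ALLOWED_EXCHANGE_CLIENTS = ['app2_exchange_client'];

// Policy body. Inside Keycloak $evaluation is the real Evaluation object and
// 'kc.client.id' names the client that authenticated on the token endpoint.
function tokenExchangePolicy(evaluation) {
  var attributes = evaluation.getContext().getAttributes();
  for (var i = 0; i < ALLOWED_EXCHANGE_CLIENTS.length; i++) {
    if (attributes.containsValue('kc.client.id', ALLOWED_EXCHANGE_CLIENTS[i])) {
      evaluation.grant();
      return 'grant';
    }
  }
  evaluation.deny();
  return 'deny';
}

// When this script runs inside Keycloak, evaluate the real request.
if (typeof $evaluation !== 'undefined') {
  tokenExchangePolicy($evaluation);
}

// Constructed stand-in for $evaluation so the rule can be checked offline in
// Node before the script is deployed to Keycloak.
function fakeEvaluation(callingClientId) {
  var decision = null;
  return {
    getContext: function () {
      return { getAttributes: function () {
        return { containsValue: function (name, value) {
          return name === 'kc.client.id' && value === callingClientId;
        } };
      } };
    },
    grant: function () { decision = 'grant'; },
    deny: function () { decision = 'deny'; },
    decision: function () { return decision; }
  };
}

// Offline check: returns 'grant' only for an allow-listed client.
function evaluateFor(clientId) {
  var ev = fakeEvaluation(clientId);
  tokenExchangePolicy(ev);
  return ev.decision();
}
```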
On Fri, Mar 8, 2019 at 8:14 AM triton oidc <triton.oidc(a)gmail.com> wrote:
Hi,
I tried giving app1 the credentials of R1_for_R2 (the client used
for the federation on the IDP2),
and I could exchange the token from app1 for a token on app2!
However, that's far from what we wish:
app1 now has the power to exchange any token on R2 configured with the
client R1_for_R2, so I can have only one application on each side with
token exchange activated without security issues.
If it makes sense, I can propose an update to the documentation, specifying
that the application needs the credentials of the second IDP to do the exchange.
Cheers
On Wed, Mar 6, 2019 at 4:49 PM triton oidc <triton.oidc(a)gmail.com> wrote:
> Hi Keycloak masters
>
> I've done the token exchange in the same realm,
> here is a link with my scenario
>
> https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhja...
>
> I'm trying to do the same cross realm following this documentation
>
> https://www.keycloak.org/docs/latest/securing_apps/index.html#external-to...
>
> Here is a link to my draft
>
> https://www.websequencediagrams.com/?lz=dGl0bGUgRGV0YWlsZWQgdG9rZW4gZXhja...
>
> However, I don't know which client credentials to put in the query.
> My app only knows its own credentials (*app1_clientID* and
> *app1_clientSecret*)
> and wants to get an access token on Realm2 (R2) for the clientID
> "*secured_R2*".
> The broker on the IDP2 is using the clientID "*R1_for_R2*" on the IDP1.
> The alias of the broker is "*R2_for_R1_users*".
>
> curl -X POST \
> -d "client_id=*app1_clientID*" \
> -d "client_secret=*app1_clientSecret*" \
> --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
> -d "subject_token=*my_token_obtained_using_app1_clientID*" \
> -d "subject_issuer=*R2_for_R1_users*" \
> --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
> -d "audience=*secured_R2*" \
> http://*IDP2*/auth/realms/*R2*/protocol/openid-connect/token
>
> I got an "invalid credentials" error, which makes sense because the IDP2 can't
> verify the credentials of App1 linked to realm1 (IDP1).
> I know I missed something.
> If someone could give me a hint
>
> Once I understand, I'm willing to propose an update to the documentation
>
> Thanks for any help
>
> Amaury
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user