8:01 a.m.
Hi,
Thank you for the quick response.
Having the service account ID there makes sense. I also managed to find the
API to query the service account belonging to the client, so they are not
hidden.
GET /admin/realms/{realm}/clients/{id}/service-account-user
Br,
Balazs
On Mon, Dec 4, 2017 at 11:02 AM, Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster(a)bosch-si.com> wrote:
Hi,
That’s probably because Keycloak uses service accounts internally to
control the role mapping of clients with the client credentials grant. A
service account is kind of a hidden user, so you get the sub of that
service account and not of the client itself.
Not sure this is meant to stay like that, I could imagine also putting the
client ID in there instead...
Best regards,
Sebastian
Mit freundlichen Grüßen / Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
Sebastian.Schuster(a)bosch-si.com
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung:
Dr.-Ing. Rainer Kallenbach, Michael Hahn
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@
lists.jboss.org] On Behalf Of Balazs Kovacs
Sent: Montag, 4. Dezember 2017 10:40
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] JWT 'sub' claim in client credentials flow
Hi,
I'm experimenting with Keycloak 3.4.1 CR1.
I'm executing a client_credentials flow with a client to get authorized at
a resource server. When authorizing at the resource server, I'm using the
JWT 'sub' claim to identify the subject accessing the resource server.
Apparently, in this flow the 'sub' claim is getting an ID that I'm not
able to relate to any metadata of the client. I would have expected the
client_id be used as 'sub' but it is not.
Here is a partial access token content I got for client credentials
(client id is used in aud and azp fields below, and not 'sub'):
{
"jti": "417742bc-b374-4457-955b-3a5c5cea1d02",
"exp": 1512377520,
"nbf": 0,
"iat": 1512377220,
"iss": "http://localhost:8081/auth/realms/myrealm",
"aud": "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f",
"sub": "a82751a5-3635-4cd3-941e-e0f38367ea73",
"typ": "Bearer",
"azp": "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f",
...
}
So I have these questions:
- Is there a reason why 'sub' is not 'client_id' in client credentials
flow? Note, that in authorization_code flow the 'sub' claim gets the ID of
the user that I also see in the Admin Console, as expected.
- If they have to be different, how could I query what 'sub' value will
belong to a client_id without requesting a token on behalf of the client?
For example, can it be somehow retrieved from Admin REST API? (I didn't
find it in the client schema either)
Best Regards,
Balazs Kovacs
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user