Hello guys.
I would like to ask you help with the following. I’m currently looking at on-behalf-of
scenario with Keycloak. In this case we have ‘web app’ calling ’svc-1’, which in turn
calls another service ‘svc-2’. That is, we have: web —> svc-1 —> svc-2.
The idea is to let svc-2 know who is actual initiator of the call chain (end-to-end
identity propagation). The question is about how to do that with Keycloak.
First, in order to propagate caller identity we could exchange tokens in ‘svc-1’. In this
case we can have correct audience and, thus, control token usage. Second, we need is to
remove any excessive permissions (client roles) that are not related to ‘svc-2’ call in
order to reduce potential harm in case this token is intercepted by someone.
And if I know how to exchange tokens, I cannot find how to downgrade the token during the
exchange. As I see in documentation, ‘scope’ parameter is not supported for token
exchange.
So, my questions are:
Is token exchange a right tool for this task?
Is it possible to downgrade exchanged token? And how, if so?
Thank you,
Alexey