Re: [keycloak-user] Token exchange: on-behalf-of + downgrade

On 27 Feb 2019, at 18:50, Pedro Igor Silva <psilva(a)redhat.com&gt; wrote: Hi, The token exchange should be the right tool. Are you trying to downgrade scopes or just remove the client roles that are not related with svc-2 ? Regards. Pedro Igor On Tue, Feb 26, 2019 at 5:33 AM Alexey Titorenko <titorenko(a)dtg.technology&gt; wrote: Hello guys. I would like to ask you help with the following. I’m currently looking at on-behalf-of scenario with Keycloak. In this case we have ‘web app’ calling ’svc-1’, which in turn calls another service ‘svc-2’. That is, we have: web —> svc-1 —> svc-2. The idea is to let svc-2 know who is actual initiator of the call chain (end-to-end identity propagation). The question is about how to do that with Keycloak. First, in order to propagate caller identity we could exchange tokens in ‘svc-1’. In this case we can have correct audience and, thus, control token usage. Second, we need is to remove any excessive permissions (client roles) that are not related to ‘svc-2’ call in order to reduce potential harm in case this token is intercepted by someone. And if I know how to exchange tokens, I cannot find how to downgrade the token during the exchange. As I see in documentation, ‘scope’ parameter is not supported for token exchange. So, my questions are: Is token exchange a right tool for this task? Is it possible to downgrade exchanged token? And how, if so? Thank you, Alexey _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user <https://lists.jboss.org/mailman/listinfo/keycloak-user>