This is something we are not doing correctly where access tokens are always
created with the client as the audience and not the resource server /
target service.
Marek can give more insights about this but I think this should be fixed by
the work he is doing around Client Scopes.
Another alternative is to use token exchange [1].
[1]
Regards.
Pedro Igor
On Fri, Mar 23, 2018 at 12:53 PM, Paolo Tedesco <Paolo.Tedesco(a)cern.ch>
wrote:
I've found out that the problem was in the audience validation of
my API.
The access token I get from keycloak when I authenticate my confidential
client has always
aud = confidential_client_id
How am I supposed to get a token with a different audience value?
I tried specifying in the POST request to the token endpoint
resource = client_id_of_the_api
which works with ADFS 2016, but seems to be ignored by Keycloak.
Thanks,
Paolo
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces@lists.jboss.org> On Behalf Of Paolo Tedesco
Sent: Friday, 23 March, 2018 11:11
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Authenticating to a client with another client's
service account
Hi all,
I have registered two clients in my Keycloak, one is an API (ID =
client_api) and another is a confidential client (ID =
confidential_client), which is a standalone application that should access
the API with its own credentials.
I've set the access type of both API and application to "confidential".
From the application, I obtain a token with a POST to
https://keycloak-server/auth/realms/master/protocol/openid-connect/token
with these parameters:
client_id = confidential_client
client_secret = <confidential client secret>
grant_type = client_credentials
From this, I obtain a token, that looks like this:
{
"access_token": "eyJhbG...Z0qmQ"
// other stuff
}
Then, I try to call my API with an authentication header with
Bearer = "eyJhbG...Z0qmQ" (the access_token from previous step)
However, this does not seem to work, and the API acts like the user is not
authenticated.
Any idea of what I'm doing wrong?
Thanks,
Paolo
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
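The audience check that the API in this thread is tripping over, as an added example (not code from Keycloak or from the posters): a resource server accepts a token only when its own client id appears in `aud`, whether `aud` is a single string or an array. The HS256 signing, the shared secret and the sample claims are constructed for the demo; Keycloak itself signs with the realm's RS256 key, but the audience logic is the same.

```python
import base64
import hashlib
import hmac
import json

# Demo-only shared HMAC key (constructed). Keycloak signs with the realm's RS256 key;
# the audience handling below does not depend on the signature algorithm.
SECRET = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Mint a compact HS256 JWT (constructed stand-in for the Keycloak token endpoint)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_for_api(token: str, api_client_id: str):
    """Resource-server check: verify the signature, then require api_client_id in aud.
    RFC 7519 lets aud be a string or an array, so both are handled. Returns (accepted, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False, "bad signature"
    aud = json.loads(b64url_decode(payload)).get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if api_client_id not in audiences:
        return False, f"aud {audiences} does not contain {api_client_id}"
    return True, "ok"


# Constructed samples: the token as the thread describes it (aud = the caller itself),
# a token whose aud names the API, and a copy whose payload was edited after signing.
TOKEN_AS_ISSUED = make_token({"azp": "confidential_client", "aud": "confidential_client"})
TOKEN_FOR_API = make_token({"azp": "confidential_client", "aud": ["client_api", "other_api"]})
_h, _p, _s = TOKEN_AS_ISSUED.split(".")
TOKEN_TAMPERED = ".".join([_h, b64url(json.dumps({"aud": "client_api"}).encode()), _s])
```

Run against `TOKEN_AS_ISSUED`, the check fails exactly as Paolo's API does, because the only audience is `confidential_client`; only a token whose `aud` lists `client_api` passes, and editing `aud` without re-signing is caught by the signature check first.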