Looking at your PR again I see I jumped to a conclusion last time, as I
thought you were talking about the scope query parameter in OIDC, not about
client scopes. For client scopes it would make sense to have a button that
allows full scope for a specific client. At the moment we have full scope
for everything, so that would be a sensible addition.
Could you drop an email about this to the keycloak-dev mailing list? That's
where implementation/contributions discussions belong. I'd like to get the
opinion from the rest of the team, but I'm on board with the idea.
On 31 January 2018 at 12:34, Daniel Charczyński <danielcharczynski(a)o2.pl>
wrote:
Here are more details about the use case.
Background:
We are using bearer access tokens for authorization between services.
This is a JWT signed by Keycloak and it contains all roles assigned to this
specific client.
We are using a "service account" for service-to-service authorization,
e.g.:
If we have the following scenario
service A ---> service B
|
|------------- > service C
service A receives a JWT with roles for service B and C.
If service A communicates with B, B is able to reuse this token and
communicate with C as service A.
The token that B receives from A is valid and there is a possibility to reuse it.
That is a CRITICAL security issue in my opinion.
Our plan is to use roles that require the scope parameter and that is OK for us,
but at the moment there is only the possibility to query for a specific role;
there is NO possibility to ask Keycloak for a JWT with all roles but only
in the service B context.
Of course we can use composite roles, but this is a workaround that requires
extra maintenance - we do not want to do it that way.
We just need support for a scope parameter like
scope = serviceB/*
Regards
Daniel Charczyński
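The replay problem described in the message above, and the per-service check that blocks it, as an added example that is not part of the thread or of Keycloak's code. It assumes Keycloak's `resource_access` (per-client roles) and `azp` (the client the token was issued to) claims; to run stand-alone it signs with HS256 and a constructed shared secret, whereas a real Keycloak realm signs with RS256 and services verify against the realm's public key. The token shape labelled "scoped" is what the requested `scope = serviceB/*` would produce: all of service A's roles, but only those that apply to service B.

```python
"""Token replay between services and the check that stops it.

Added example, not Keycloak code.  Assumptions (not in the original thread):
  * HS256 with a constructed shared secret so the file runs offline;
    Keycloak signs with RS256 and services verify with the realm public key
  * the per-client roles live in Keycloak's `resource_access` claim and
    the issuing client is recorded in `azp`
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

SECRET = b"constructed-demo-secret"  # stand-in for the realm signing key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(azp: str, resource_access: Dict[str, dict], ttl: int = 300) -> str:
    """Mint a Keycloak-shaped access token for the client `azp`."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {
        "iss": "https://keycloak.example/realms/demo",  # constructed issuer
        "azp": azp,
        "iat": now,
        "exp": now + ttl,
        "resource_access": resource_access,
    }
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)


def verify_for_service(token: str, my_client_id: str, now: Optional[int] = None) -> List[str]:
    """Verify signature and expiry, then return the roles granted for
    `my_client_id`.  Raise PermissionError when the token carries no roles
    for this service: that is the replayed-token case from the thread."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(parts[2])):
        raise PermissionError("bad signature")
    header = json.loads(_unb64(parts[0]))
    if header.get("alg") != "HS256":  # never trust an alg the verifier did not expect
        raise PermissionError("unexpected alg")
    payload = json.loads(_unb64(parts[1]))
    if payload.get("exp", 0) <= (now if now is not None else int(time.time())):
        raise PermissionError("expired")
    roles = payload.get("resource_access", {}).get(my_client_id, {}).get("roles", [])
    if not roles:
        raise PermissionError("token not scoped to " + my_client_id)
    return roles


def demo() -> Dict[str, object]:
    """Replay the thread's scenario: A calls B, B forwards A's token to C."""
    # Full-scope token: everything service A may do, against B and C at once.
    full = issue_token("service-a", {
        "service-b": {"roles": ["read"]},
        "service-c": {"roles": ["admin"]},
    })
    # Scoped token, the shape the thread asks for (scope = serviceB/*).
    scoped = issue_token("service-a", {"service-b": {"roles": ["read"]}})

    results: Dict[str, object] = {}
    results["full_at_b"] = verify_for_service(full, "service-b")
    # C accepts the forwarded full-scope token: this is the problem.
    results["full_replayed_at_c"] = verify_for_service(full, "service-c")
    results["scoped_at_b"] = verify_for_service(scoped, "service-b")
    try:
        verify_for_service(scoped, "service-c")
        results["scoped_replayed_at_c"] = "accepted"
    except PermissionError:
        results["scoped_replayed_at_c"] = "rejected"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verifier only consults the roles bound to its own client ID, so a token that was scoped to service B carries nothing that service C will honour, even though the signature and expiry are perfectly valid. Composite roles, as the message notes, could produce the same effect but would have to be maintained per caller.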