I've found out that the problem was in the audience validation of my API. The access token I get from keycloak when I authenticate my confidential client has always aud = confidential_client_id How am I supposed to get a token with a difference audience value? I tried specifying in the POST request to the token endpoint resource = client_id_of_the_api which works with ADFS 2016, but seems to be ignored by Keycloak. Thanks, Paolo -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces@lists. jboss.org> On Behalf Of Paolo Tedesco Sent: Friday, 23 March, 2018 11:11 To: keycloak-user(a)lists.jboss.org Subject: [keycloak-user] Authenticating to a client with another client's service account Hi all, I have registered two clients in my Keycloak, one is an API (ID = client_api) and another is a confidential client (ID = confidential_client), which is a standalone application that should access the API with its own credentials. I've set the access type of both API and application to "confidential". >From the application, I obtain a token with a POST to https://keycloak-server/auth/realms/master/protocol/openid-connect/token with these parameters: client_id = confidential_client client_secret = <confidential client secret> grant_type = client_credentials >From this, I obtain a token, that looks like this: { "access_token": "eyJhbG...Z0qmQ" // other stuff } Then, I try to call my API with an authentication header with Bearer = "eyJhbG...Z0qmQ" (the accesss_token from previous step) However, this does not seem to work, and the API acts like the user is not authenticated. Any idea of what I'm doing wrong? Thanks, Paolo _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

This is something we are not doing correctly where access tokens are always created with the client as the audience and not the resource server / target service. Marek can give more insights about this but I think this should be fixed by the work he is doing around Client Scopes. Another alternative is use token exchange [1]. [1] http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-ex change Regards. Pedro Igor On Fri, Mar 23, 2018 at 12:53 PM, Paolo Tedesco <Paolo.Tedesco(a)cern.ch&gt; wrote: > I've found out that the problem was in the audience validation of my API. > The access token I get from keycloak when I authenticate my > confidential client has always > > aud = confidential_client_id > > How am I supposed to get a token with a difference audience value? > I tried specifying in the POST request to the token endpoint > > resource = client_id_of_the_api > > which works with ADFS 2016, but seems to be ignored by Keycloak. > > Thanks, > Paolo > > -----Original Message----- > From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces@lists. > jboss.org> On Behalf Of Paolo Tedesco > Sent: Friday, 23 March, 2018 11:11 > To: keycloak-user(a)lists.jboss.org > Subject: [keycloak-user] Authenticating to a client with another > client's service account > > Hi all, > > I have registered two clients in my Keycloak, one is an API (ID = > client_api) and another is a confidential client (ID = > confidential_client), which is a standalone application that should > access the API with its own credentials. > I've set the access type of both API and application to "confidential". > > >From the application, I obtain a token with a POST to > https://keycloak-server/auth/realms/master/protocol/openid-connect/to > ken > with these parameters: > > client_id = confidential_client > client_secret = <confidential client secret> grant_type = > client_credentials > > >From this, I obtain a token, that looks like this: > { > "access_token": "eyJhbG...Z0qmQ" > // other stuff > } > > Then, I try to call my API with an authentication header with > > Bearer = "eyJhbG...Z0qmQ" (the accesss_token from previous step) > > However, this does not seem to work, and the API acts like the user > is not authenticated. > Any idea of what I'm doing wrong? > > Thanks, > Paolo > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

Hi Marek and Pedro, Thanks for your answers, I will either try token exchange or just turn off audience verification for the time being, and try to assign roles to the client for access control. I think that "resource" is ADFS specific, I could not find mentions of it other than in ADFS documentation. What do you mean when you say that you will support audience through the scope parameter? That the token request should contain something like "scope = client ID of the target resource"?

Thanks, Paolo -----Original Message----- From: Marek Posolda <mposolda(a)redhat.com&gt; Sent: Monday, 26 March, 2018 20:35 To: Pedro Igor Silva <psilva(a)redhat.com>; Paolo Tedesco < Paolo.Tedesco(a)cern.ch&gt; Cc: keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Authenticating to a client with another client's service account Yes, as Pedro mentioned, I hope that better audience support will be available in Keycloak master in next few weeks (or months), so in some next beta, it should be available. JIRA is https://issues.jboss.org/browse/KEYCLOAK-6638 . Question: This parameter "resource=client_id_of_the_api" seems to be ADFS specific parameter? Or is it mentioned in some specification? We plan to support better audience support through "scope" parameter or have it available by default (depends on where admin defines protocolMapper for audience). Thanks, Marek On 26/03/18 14:01, Pedro Igor Silva wrote: > This is something we are not doing correctly where access tokens are > always created with the client as the audience and not the resource > server / target service. > > Marek can give more insights about this but I think this should be > fixed by the work he is doing around Client Scopes. > > Another alternative is use token exchange [1]. > > [1] > http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-ex > change > > Regards. > Pedro Igor > > On Fri, Mar 23, 2018 at 12:53 PM, Paolo Tedesco > <Paolo.Tedesco(a)cern.ch&gt; > wrote: > >> I've found out that the problem was in the audience validation of my API. >> The access token I get from keycloak when I authenticate my >> confidential client has always >> >> aud = confidential_client_id >> >> How am I supposed to get a token with a difference audience value? >> I tried specifying in the POST request to the token endpoint >> >> resource = client_id_of_the_api >> >> which works with ADFS 2016, but seems to be ignored by Keycloak. >> >> Thanks, >> Paolo >> >> -----Original Message----- >> From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces@lists. >> jboss.org> On Behalf Of Paolo Tedesco >> Sent: Friday, 23 March, 2018 11:11 >> To: keycloak-user(a)lists.jboss.org >> Subject: [keycloak-user] Authenticating to a client with another >> client's service account >> >> Hi all, >> >> I have registered two clients in my Keycloak, one is an API (ID = >> client_api) and another is a confidential client (ID = >> confidential_client), which is a standalone application that should >> access the API with its own credentials. >> I've set the access type of both API and application to "confidential". >> >> >From the application, I obtain a token with a POST to >> https://keycloak-server/auth/realms/master/protocol/openid-connect/to >> ken >> with these parameters: >> >> client_id = confidential_client >> client_secret = <confidential client secret> grant_type = >> client_credentials >> >> >From this, I obtain a token, that looks like this: >> { >> "access_token": "eyJhbG...Z0qmQ" >> // other stuff >> } >> >> Then, I try to call my API with an authentication header with >> >> Bearer = "eyJhbG...Z0qmQ" (the accesss_token from previous step) >> >> However, this does not seem to work, and the API acts like the user >> is not authenticated. >> Any idea of what I'm doing wrong? >> >> Thanks, >> Paolo >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user