Hi,
Thank you for the quick response.
Having the service account ID there makes sense. I also managed to find the
API to query the service account belonging to the client, so they are not
hidden.
GET /admin/realms/{realm}/clients/{id}/service-account-user
Br,
Balazs
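Tying the two answers together, here is an added Python example (not code from the thread or from Keycloak) that resolves a client's service-account user id through the Admin REST endpoint named above and then uses that id on the resource-server side to map a token's 'sub' back to the owning client, as the thread's token shows 'azp' carrying the client's internal id. The admin base URL, the injected `http_get` callable, the `_stub_admin_api` stand-in and the placeholder admin token are assumptions for running offline, and the payload passed to `client_for_token` is assumed to come from a signature-verified JWT.

```python
from typing import Callable, Dict, Iterable, Optional

# Ids taken from the token quoted in the thread: azp/aud carry the client's
# internal id, sub carries the id of the client's hidden service-account user.
CLIENT_UUID = "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f"
SERVICE_ACCOUNT_ID = "a82751a5-3635-4cd3-941e-e0f38367ea73"

HttpGet = Callable[[str, Dict[str, str]], dict]  # (url, headers) -> parsed JSON body

def service_account_user_path(realm: str, client_uuid: str) -> str:
    """Admin REST path from the thread that returns a client's service-account user."""
    return f"/admin/realms/{realm}/clients/{client_uuid}/service-account-user"

def fetch_service_account_id(base_url: str, realm: str, client_uuid: str,
                             admin_token: str, http_get: HttpGet) -> str:
    """Return the user id that will show up as 'sub' in the client's tokens."""
    url = base_url + service_account_user_path(realm, client_uuid)
    user = http_get(url, {"Authorization": f"Bearer {admin_token}"})
    return user["id"]

def build_sub_to_client(base_url: str, realm: str, client_uuids: Iterable[str],
                        admin_token: str, http_get: HttpGet) -> Dict[str, str]:
    """Precompute sub -> client uuid for the clients a resource server trusts."""
    return {fetch_service_account_id(base_url, realm, c, admin_token, http_get): c
            for c in client_uuids}

def client_for_token(payload: dict, sub_to_client: Dict[str, str]) -> Optional[str]:
    """Map a signature-verified token's 'sub' to its client, cross-checked with 'azp'.
    None means: ordinary user, unknown service account, or sub/azp mismatch."""
    client = sub_to_client.get(payload.get("sub", ""))
    if client is None or payload.get("azp") != client:
        return None
    return client

def _stub_admin_api(url: str, headers: Dict[str, str]) -> dict:
    """Constructed stand-in for the Admin API so the demo runs offline (assumption)."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("admin token required")
    if url.endswith(service_account_user_path("myrealm", CLIENT_UUID)):
        return {"id": SERVICE_ACCOUNT_ID}  # minimal UserRepresentation
    raise LookupError(url)

def demo() -> Optional[str]:
    # Admin base URL follows the thread's issuer; the token value is a placeholder.
    table = build_sub_to_client("http://localhost:8081/auth", "myrealm", [CLIENT_UUID],
                                "<admin-token-placeholder>", _stub_admin_api)
    return client_for_token({"sub": SERVICE_ACCOUNT_ID, "azp": CLIENT_UUID,
                             "aud": CLIENT_UUID, "typ": "Bearer"}, table)
```

Building the table once at startup avoids requesting a token on behalf of each client just to learn its 'sub', which is exactly the lookup the original question asked for.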
On Mon, Dec 4, 2017 at 11:02 AM, Schuster Sebastian (INST/ESY1) <Sebastian.Schuster(a)bosch-si.com> wrote:
Hi,
That’s probably because Keycloak uses service accounts internally to
control the role mapping of clients with the client credentials grant. A
service account is kind of a hidden user, so you get the sub of that
service account and not of the client itself.
Not sure this is meant to stay like that; I could imagine also putting the
client ID in there instead...
Best regards,
Sebastian
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
GERMANY |
www.bosch-si.com
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Balazs Kovacs
Sent: Monday, 4 December 2017 10:40
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] JWT 'sub' claim in client credentials flow
Hi,
I'm experimenting with Keycloak 3.4.1 CR1.
I'm executing a client_credentials flow with a client to get authorized at
a resource server. When authorizing at the resource server, I'm using the
JWT 'sub' claim to identify the subject accessing the resource server.
Apparently, in this flow the 'sub' claim is getting an ID that I'm not
able to relate to any metadata of the client. I would have expected the
client_id to be used as 'sub', but it is not.
Here is a partial access token content I got for client credentials
(client id is used in aud and azp fields below, and not 'sub'):
{
"jti": "417742bc-b374-4457-955b-3a5c5cea1d02",
"exp": 1512377520,
"nbf": 0,
"iat": 1512377220,
"iss": "http://localhost:8081/auth/realms/myrealm",
"aud": "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f",
"sub": "a82751a5-3635-4cd3-941e-e0f38367ea73",
"typ": "Bearer",
"azp": "5d8448f9-d7d8-41f9-b0cc-3f8772fca62f",
...
}
So I have these questions:
- Is there a reason why 'sub' is not 'client_id' in the client credentials
flow? Note that in the authorization_code flow the 'sub' claim gets the ID of
the user that I also see in the Admin Console, as expected.
- If they have to be different, how could I query what 'sub' value will
belong to a client_id without requesting a token on behalf of the client?
For example, can it be somehow retrieved from Admin REST API? (I didn't
find it in the client schema either)
Best Regards,
Balazs Kovacs