On 21/03/17 19:48, Thibaut.Castaing(a)isocel.info wrote:
> Hi all,
> I'm currently working on Keycloak and its integration in our architecture,
> which is composed of several modules.
> According to the documentation I plan to
> - create a realm (which is related to my organisation)
> - create "clients" for every application I would like to secure with
> Keycloak.
> I don't want to manage roles at realm level (for organisational and
> security reasons). I want to manage roles by client (using eventually a
> client template if several modules share the same configuration).
> In this mode, I would like to be able, from a given resource in the
> context of an authenticated client (authenticated from the browser
> authentication), to retrieve roles for a given remote "client" in order
> to make a remote call to its API using the right roles.
> I would like to know if it's possible from a given backend client to ask
> Keycloak for an "access_token" for another client using the current
> authenticated user (and so its related JWT token).
Access token for "client-a" can eventually contain also client roles of
"client-b". You just need to ensure that "client-a" has either
FullScopeAllowed or it has scopes to roles of "client-b". Scopes can be
defined also per client template.
Maybe this is an easier way to accomplish what you need instead of
exchanging tokens?
> I plan to use a client authenticator client_assertion_type with the
> current user token. Is it the right solution?
The JWT client authenticator, which we provide OOTB, is able to
authenticate a client against the Keycloak server with the short-lived JWT
token created by the client adapter itself. There is no support for
authenticating (exchanging) based on another access token of an authenticated user.
If you really need to exchange tokens, you can maybe implement your own
REST endpoint for it. We have some examples of it in the
keycloak-examples distribution in the directory "providers". You can take a
look at the tokenIntrospection endpoint for inspiration on how to verify
an existing token etc. Also you can maybe take a look at our authorization
stuff; it can maybe also have something which can help you (I am not
deeply familiar with it, so not sure).
Marek
Thanks for your reply.
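The approach Marek describes (letting client-a's own access token carry client-b's roles via scope) puts the roles under the token's resource_access claim, keyed by client ID. The following is an added example, not code from the thread or from the Keycloak project: a minimal verifier that checks a token's signature and expiry and then reads the roles for a given client, returning an empty list when that client's roles were not mapped into the token. It signs a constructed sample token with HS256 and a constructed shared secret purely so it runs offline; a real Keycloak realm signs access tokens with its RSA key (RS256), so a production verifier would validate against the realm's public key instead. The realm URL, client names and roles below are all constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this offline example only. Keycloak signs
# access tokens with the realm's RSA key (RS256) by default; HS256 is used
# here so the example needs no key pair and no network access.
EXAMPLE_SECRET = b"example-shared-secret-not-a-real-key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (HS256) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Check algorithm, signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def client_roles(claims: dict, client_id: str) -> list:
    """Roles of one client from resource_access; [] if that client was not in scope."""
    return list(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def has_client_role(claims: dict, client_id: str, role: str) -> bool:
    return role in client_roles(claims, client_id)


# Constructed claims shaped like a Keycloak access token issued to client-a
# whose scope includes client-b's roles, so "client-b" appears in resource_access.
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.test/auth/realms/example-realm",  # placeholder
    "azp": "client-a",
    "aud": ["client-a", "client-b"],
    "exp": 2_000_000_000,
    "resource_access": {
        "client-a": {"roles": ["user"]},
        "client-b": {"roles": ["api-reader"]},
    },
}
SAMPLE_TOKEN = sign_token(SAMPLE_CLAIMS, EXAMPLE_SECRET)


def authorize_call_to(token: str, target_client: str, required_role: str,
                      secret: bytes = EXAMPLE_SECRET, now: int = 1_900_000_000) -> bool:
    """Decide whether the caller's token carries the role client-b's API requires.
    The receiving API should additionally confirm it is listed in the aud claim."""
    claims = verify_token(token, secret, now)
    return has_client_role(claims, target_client, required_role)


if __name__ == "__main__":
    print("client-b roles:", client_roles(verify_token(SAMPLE_TOKEN, EXAMPLE_SECRET, 1_900_000_000), "client-b"))
    print("may call client-b as api-reader:", authorize_call_to(SAMPLE_TOKEN, "client-b", "api-reader"))
```

If client-b's roles are absent from the token, the fix is on the Keycloak side (FullScopeAllowed or a scope mapping on client-a or its client template, as Marek says), not in the verifier; the verifier simply denies.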
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user