Thanks, Stian. That's what I thought. We need the user details and
firewalling is not an option.
Do you have any concerns using the token exchange in a production system?
On Mon, 11 Mar 2019 at 12:52, Stian Thorgersen <sthorger(a)redhat.com> wrote:
Depends if you want S1 -> S2 to include the user details. If you do then your options are:
* Use token exchange
* Allow C1 to invoke S2
* Firewall S2 so C1 can't access it
If you don't then S1 can use a service account to be allowed to invoke S2
without passing on the token from C1.
On Mon, 11 Mar 2019 at 11:19, Matthias O <weissbiermuggerl(a)gmail.com>
wrote:
> Hi,
>
> I have a scenario where I want to allow a client (let's call it C1) to access
> a service S1 which in turn needs to call a method in "internal" service S2.
> So it looks kind of like this:
>
> C1 -> S1 -> S2
>
> The way I understand it, I would create a client scope for C1 which adds S1
> and S2 as an audience to the access token.
>
> However, I don't want C1 to be able to call the S2 services directly. So,
> the access token for C1 should actually be restricted only to audience S1.
>
> Is there any way to accomplish that? The token exchange would probably be
> one solution, but as it is a technology preview I'm hesitant to use it in
> production.
>
> Thanks,
> Matthias
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
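The following is an added example, not code from the thread or from Keycloak. It shows the C1 -> S1 -> S2 flow the thread discusses from S2's side: the audience restriction only means something if S2 itself rejects tokens whose "aud" does not name it, so the block signs three constructed tokens (C1's token for S1, the token S1 would get back from a token exchange, and the "S1 and S2 both in aud" token Matthias wants to avoid) and checks each against S1 and S2. It also builds the two request bodies S1 would send to Keycloak for the options Stian lists: a token exchange (grant_type urn:ietf:params:oauth:grant-type:token-exchange with an "audience" parameter) and a plain client_credentials request for the service-account route. Keycloak signs with RS256; HS256 with a shared secret is used here only so the example runs offline. The realm name, client ids, secrets, base URL, subject and timestamps are all constructed.

```python
"""Added example: audience enforcement at S2 plus the two Keycloak token
requests S1 could send. HS256 stands in for Keycloak's RS256 so that the
example is self-contained; every id, secret and URL below is made up."""
import base64
import hashlib
import hmac
import json
import time

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

SECRET = b"constructed-realm-signing-secret"   # constructed, not a Keycloak key
NOW = 1_552_300_000                           # constructed clock (March 2019)


def token_endpoint(base_url: str, realm: str) -> str:
    """Keycloak's OIDC token endpoint for a realm (base_url/realm assumed)."""
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def exchange_request(subject_token: str, client_id: str, client_secret: str,
                     audience: str) -> dict:
    """Form body S1 posts to swap C1's token for one whose aud is S2.
    These are the token-exchange parameters Keycloak accepts; S1 must be
    a confidential client that is permitted to exchange into S2."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
    }


def service_account_request(client_id: str, client_secret: str) -> dict:
    """Stian's other option: S1 calls S2 as itself (client_credentials),
    so no user details travel to S2 and C1's token is never forwarded."""
    return {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes) -> str:
    """Compact JWT with HS256 (stand-in for the realm's RS256 signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes) -> dict:
    """Check the signature before trusting any claim; raise on tampering."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def audience_allows(claims: dict, service: str) -> bool:
    """RFC 7519: aud is a single string or an array; Keycloak emits either."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return service in aud


def authorize(token: str, secret: bytes, service: str, now: float = None):
    """What S1 or S2 does on every request: signature, expiry, then aud.
    Returns (ok, reason)."""
    try:
        claims = verify_token(token, secret)
    except ValueError as err:
        return False, str(err)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if not audience_allows(claims, service):
        return False, f"aud {claims.get('aud')!r} does not include {service}"
    return True, f"accepted for {claims.get('sub')} via {claims.get('azp')}"


# Constructed tokens for the three situations in the thread.
def c1_token() -> str:        # what C1 presents to S1: aud is S1 only
    return sign_token({"sub": "alice", "azp": "C1", "aud": "S1", "exp": NOW + 300}, SECRET)


def exchanged_token() -> str:  # what S1 gets back from a token exchange for S2
    return sign_token({"sub": "alice", "azp": "S1", "aud": "S2", "exp": NOW + 300}, SECRET)


def broad_token() -> str:      # the scope-with-both-audiences variant to avoid
    return sign_token({"sub": "alice", "azp": "C1", "aud": ["S1", "S2"], "exp": NOW + 300}, SECRET)


if __name__ == "__main__":
    for name, tok in [("c1", c1_token()), ("exchanged", exchanged_token()), ("broad", broad_token())]:
        for svc in ("S1", "S2"):
            print(name, svc, authorize(tok, SECRET, svc, NOW))
    print(exchange_request(c1_token(), "S1", "s1-secret", "S2")["grant_type"])
```

Run as-is it prints that C1's token is accepted by S1 and refused by S2, the exchanged token is accepted by S2, and the broad token is accepted by both, which is exactly why a client scope that puts S1 and S2 into C1's aud does not give the separation Matthias asks for. Whether the exchange succeeds in a real deployment depends on token exchange being enabled on the Keycloak server and on S1 being granted permission to exchange for S2's audience; S2 must still perform the aud check itself, since Keycloak only issues the token and does not see the call to S2.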