1:14 p.m.
Hi
I've been experimenting with internal to internal token exchange [1] and
managed to exchange token without configured policy
My original token belongs to public client (token_owner_klient_id) and I'm
trying to exchange it with audience set
to a confidential client that allows only client credentials grant
(confidential_client).
If I execute request as provided in documentation access is denied, but if
I'll provide confidential_client+confidential_client_secret
exchange operation succeeds.
The only difference in tokens issued with and without policy is that with
policy azp claim is set correctly to token_owner_klient_id.
The question is -- is it correct behaviour from the perspective of token
exchange?
curl -v -X POST --user confidential_client:confidential_client_secret \
-d "client_id=token_owner_klient_id" \
--data-urlencode
"grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "subject_token=${TOKEN}" \
--data-urlencode
"requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
-d "audience=confidential_client" \
http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token
[1]
http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-tok...
6:08 a.m.
Hello again, wanted to come up with the same question again, for me, this
behaviour looks like a bug, but I'm not sure
On Wed, Feb 14, 2018 at 10:14 PM Виталий Ищенко <betalb(a)gmail.com> wrote:
Hi
I've been experimenting with internal to internal token exchange [1] and
managed to exchange token without configured policy
My original token belongs to public client (token_owner_klient_id) and I'm
trying to exchange it with audience set
to a confidential client that allows only client credentials grant
(confidential_client).
If I execute request as provided in documentation access is denied, but if
I'll provide confidential_client+confidential_client_secret
exchange operation succeeds.
The only difference in tokens issued with and without policy is that with
policy azp claim is set correctly to token_owner_klient_id.
The question is -- is it correct behaviour from the perspective of token
exchange?
curl -v -X POST --user confidential_client:confidential_client_secret \
-d "client_id=token_owner_klient_id" \
--data-urlencode
"grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
-d "subject_token=${TOKEN}" \
--data-urlencode
"requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
-d "audience=confidential_client" \
http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token
[1]
http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-tok...
6:53 a.m.
Looks like I found a possible answer in the documentation. If I got this
correctly, naked exchanges are allowed for confidential client, but one
question is still open: why azp claim is different?
On Fri, Mar 23, 2018 at 2:08 PM Виталий Ищенко <betalb(a)gmail.com> wrote:
Hello again, wanted to come up with the same question again, for me,
this
behaviour looks like a bug, but I'm not sure
On Wed, Feb 14, 2018 at 10:14 PM Виталий Ищенко <betalb(a)gmail.com> wrote:
> Hi
>
> I've been experimenting with internal to internal token exchange [1] and
> managed to exchange token without configured policy
>
> My original token belongs to public client (token_owner_klient_id) and
> I'm trying to exchange it with audience set
> to a confidential client that allows only client credentials grant
> (confidential_client).
>
> If I execute request as provided in documentation access is denied, but
> if I'll provide confidential_client+confidential_client_secret
> exchange operation succeeds.
>
> The only difference in tokens issued with and without policy is that with
> policy azp claim is set correctly to token_owner_klient_id.
>
> The question is -- is it correct behaviour from the perspective of token
> exchange?
>
> curl -v -X POST --user confidential_client:confidential_client_secret \
> -d "client_id=token_owner_klient_id" \
> --data-urlencode
> "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
> -d "subject_token=${TOKEN}" \
> --data-urlencode
> "requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
> -d "audience=confidential_client" \
>
> http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token
>
> [1]
>
http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-tok...
>
2470
days inactive
2507
days old
2 comments
1 participants
participants (1)
-
Виталий Ищенко