[keycloak-dev] Using provided AccessToken in Keycloak client

Marek Posolda mposolda at redhat.com
Tue Aug 9 08:24:59 EDT 2016


There is this spec, but I'm not sure if it's useful exactly for a case 
like this: https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-05

+1 from me for JIRA and PR for your little extension for now.

Marek

On 08/08/16 14:52, Thomas Darimont wrote:
>
> Thanks Marek,
>
> Service2 is more or less a service proxy which performs additional 
> authz checks. So service1 can only access the oidc parts of keycloak 
> but service2 has broader access...
> Benefit is that the action in Keycloak is performed with the Identity 
> information of the initiating service1 user which is then logged 
> accordingly in Keycloak.
>
> Is this token exchange backed by a spec?
>
> May I create a JIRA and a PR for my little extension?
>
> Cheers,
> Thomas
>
>
> Marek Posolda <mposolda at redhat.com <mailto:mposolda at redhat.com>> 
> wrote on Mon., 8 Aug. 2016, 14:42:
>
>     +1 to have support for scenario like this.
>
>     One small disadvantage of your approach is that service2 will use
>     an access token which was issued to service1. It seems that a more
>     proper way might be to have a service on the Keycloak side that will
>     allow service2 to exchange the service1 token for its own token.
>     However, that will likely require much more work...
>
>     Marek
>
>
>     On 08/08/16 09:58, Thomas Darimont wrote:
>>     Hello group,
>>
>>     I have the following scenario:
>>     1) An SSO-authenticated User1 calls Service1 (confidential client).
>>     2) Service1 extracts the access token.
>>     3) Service1 performs a remote call to Service2, passing the access
>>     token along.
>>     4) Service2 needs to do something in the name of User1 in
>>     Keycloak (e.g. set a user attribute, or create a new user).
>>     5) Service2 uses org.keycloak.admin.client.Keycloak to
>>     communicate with Keycloak to perform the requested operation.
>>
>>     I want to be able to propagate the access token in
>>     service-to-service calls and use the
>>     'org.keycloak.admin.client.Keycloak' client
>>     with the provided access token to perform an operation in Keycloak.
>>
>>     Currently 'org.keycloak.admin.client.Keycloak' only supports
>>     client credentials and/or password,
>>     which it uses to get a refresh token to renew a potentially
>>     timed-out access token.
>>
>>     As a PoC I slightly adjusted the Keycloak client to allow for
>>     externally provided access tokens:
>>     https://gist.github.com/thomasdarimont/d82c4478df997556a9d16afb79787459
>>
>>     I think the Keycloak Client should also support "call once"
>>     scenarios with a provided access token out of the box.
>>
>>     Shall I create a JIRA for this?
>>
>>     Cheers,
>>     Thomas
>>
>>
>>     _______________________________________________
>>     keycloak-dev mailing list
>>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
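The difference between the two approaches discussed in this thread (Thomas's PoC, where service2 replays the access token that was issued to service1, versus Marek's suggestion of a Keycloak-side token exchange in the spirit of draft-ietf-oauth-token-exchange) is easiest to see with both sides of the exchange written out. The following is an added stand-alone model, not code from the thread, the gist, or Keycloak itself: the issuer URL, client table, delegation policy and HMAC signing key are constructed for the example, HS256 stands in for the RS256 signatures Keycloak actually uses, and the "admin-api" audience is an assumed name for the resource service2 wants to call.

```python
"""Toy model of OAuth 2.0 token exchange (draft-ietf-oauth-token-exchange):
service2 trades the user token it received from service1 for a token issued
to service2 itself, instead of replaying service1's token.  Not Keycloak code."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://sso.example.test/auth/realms/demo"          # assumed issuer URL
KEY = b"constructed-demo-hmac-key"                            # constructed signing key (HS256 stands in for RS256)
GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"     # grant type from the draft
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token" # token type URN from the draft
CLIENTS = {"service1": "s1-secret", "service2": "s2-secret"}  # constructed confidential clients
DELEGATIONS = {("service1", "service2")}                       # assumed policy: service2 may exchange service1's tokens


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    """Mint a compact JWS (HS256) over the claims."""
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"


def verify(token: str, now: int) -> dict:
    """Check signature, issuer and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, mac = parts
    expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        raise ValueError("wrong issuer or expired")
    return claims


def issue_user_token(user: str, client: str, now: int, ttl: int = 300) -> str:
    """The token the SSO user obtains at service1 (step 1 of the scenario)."""
    return sign({"iss": ISSUER, "sub": user, "azp": client, "aud": client, "exp": now + ttl})


def exchange(form: dict, now: int) -> dict:
    """Authorization-server side of the token endpoint for the exchange grant."""
    if form.get("grant_type") != GRANT or form.get("subject_token_type") != ACCESS_TOKEN:
        return {"error": "unsupported_grant_type"}
    requester = form.get("client_id")
    if CLIENTS.get(requester) != form.get("client_secret"):   # requester must authenticate as itself
        return {"error": "invalid_client"}
    try:
        subject = verify(form.get("subject_token", ""), now)
    except ValueError:
        return {"error": "invalid_grant"}
    if (subject.get("azp"), requester) not in DELEGATIONS:     # only permitted delegation pairs
        return {"error": "invalid_target"}
    audience = form.get("audience", requester)
    # The user stays the subject; the acting client (and any earlier actors) is recorded in `act`.
    act = {"sub": requester}
    if "act" in subject:
        act["act"] = subject["act"]
    new = {"iss": ISSUER, "sub": subject["sub"], "azp": requester, "aud": audience,
           "exp": min(subject["exp"], now + 60), "act": act}    # never outlive the subject token
    return {"access_token": sign(new), "issued_token_type": ACCESS_TOKEN,
            "token_type": "Bearer", "expires_in": new["exp"] - now}


def admin_call(token: str, expected_aud: str, now: int) -> dict:
    """Resource side (the admin API): accept only tokens addressed to it, return the audit identity."""
    claims = verify(token, now)
    if claims.get("aud") != expected_aud:
        raise PermissionError(f"token audience {claims.get('aud')!r} != {expected_aud!r}")
    return {"user": claims["sub"], "actor": claims.get("act", {}).get("sub")}


def demo(now: int = 1_470_000_000) -> dict:
    user_token = issue_user_token("user1", "service1", now)
    # Propagation: service2 replays service1's token; the audience check at the admin API rejects it.
    try:
        admin_call(user_token, "admin-api", now)
        propagated = "accepted"
    except PermissionError:
        propagated = "rejected"
    # Exchange: service2 authenticates as itself and asks for a token addressed to the admin API.
    resp = exchange({"grant_type": GRANT, "subject_token": user_token, "subject_token_type": ACCESS_TOKEN,
                     "client_id": "service2", "client_secret": "s2-secret", "audience": "admin-api"}, now)
    return {"propagated": propagated, "exchanged": admin_call(resp["access_token"], "admin-api", now)}
```

Running demo() shows the two outcomes side by side: the replayed token is refused because its audience is service1, while the exchanged token carries user1 as `sub` and service2 in `act`, so the resource can both authorize the caller and log the action under the initiating user's identity, which is the audit property Thomas wants. The exchanged token is also capped at the subject token's lifetime, so an expired user session cannot be extended by exchanging it.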
