[keycloak-dev] token exchange
Pedro Igor Silva
psilva at redhat.com
Mon Jul 31 11:35:07 EDT 2017
On Fri, Jul 28, 2017 at 5:24 PM, Bill Burke <bburke at redhat.com> wrote:
> I've implemented a simple token exchange API [1] that allows you to
> exchange an access token created for one client to another client. The
> REST API follows the oauth token exchange api [2] very loosely.
>
> subject_token: a keycloak access token
>
> audience: takes a client id
>
> It then converts the access token created for one client and converts it
> to another. It lives under the token endpoint.
>
> The security model is as follows:
>
> * Authenticate calling client the same way as password grant.
>
> * The calling client must have service account enabled
>
> * Service account must have a realm role "token-exchanger" granted to it
> or, it must have a client role "token-exchanger" granted to it. This
> exchanger client role is a role defined by the target client you are
> exchanging the token to.
>
>
> Is this a good security model? I'm thinking of not creating these roles
> right now and to enable support for exchange would require defining the
> roles specified above.
>
I think roles are too coarse-grained to represent this kind of policy. A
better option would be to explicitly define the clients that are allowed to
exchange tokens for a particular resource server. Eg.:
RS A allows Client B, C and D to exchange their tokens where the target
audience is RS A (or if using "resource", a specific resource in RS A).
>
>
> Future work would be to have an additional subject_issuer and
> requested_issuer parameters. "subject_issuer" would match to a broker
> alias, so you could exchange a facebook token for a keycloak realm
> token. Same thing goes for "requested_issuer". This would allow you to
> exchange a Keycloak token for a facebook token or some other registered
> broker.
>
I'm following your discussion in OAuth2 WG. Do we really need these
additional parameters?
My understanding from the specs is that:
* Facebook -> Keycloak Realm
If you pass a "subject_token_type" like
"urn:keycloak:params:oauth:token-type:broker-{ALIAS}", where {ALIAS} is the
alias of the broker configured to your realm. Assuming {ALIAS} maps to a
Facebook broker in your realm, you probably know how to exchange the FB
opaque access token to a Keycloak realm token.
* Keycloak -> Facebook
If you pass a "requested_token_type" like
"urn:keycloak:params:oauth:token-type:broker-{ALIAS}", where {ALIAS} is the
alias of the broker configured to your realm. Assuming {ALIAS} maps to a
Facebook broker in your realm, you probably know how to exchange the
Keycloak token to a FB token.
Or are you thinking about something else?
>
>
> [1] https://github.com/keycloak/keycloak/pull/4362
>
> [2] http://www.ietf.org/id/draft-ietf-oauth-token-exchange-09.txt
>
>
>
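The two authorization models discussed above (the role-based one in the proposal and the per-resource-server allow list suggested in the reply), together with the proposed broker token-type URNs, modeled as an added Python example. This is not Keycloak's code: the Client record, its fields and the function names are assumed for illustration only.

```python
import re
from dataclasses import dataclass, field

# Token-type URN shape proposed in the reply; the alias names a broker configured in the realm.
BROKER_TYPE = re.compile(r"^urn:keycloak:params:oauth:token-type:broker-([A-Za-z0-9_.-]+)$")


@dataclass
class Client:
    """Constructed stand-in for a realm client (assumed shape, not Keycloak's model)."""
    client_id: str
    service_account_enabled: bool = False
    realm_roles: set = field(default_factory=set)         # realm roles granted to the service account
    client_roles: dict = field(default_factory=dict)      # target client id -> roles held on that client
    allowed_exchangers: set = field(default_factory=set)  # clients this resource server lets exchange into it


def broker_alias(token_type):
    """Return the broker alias carried by a broker token-type URN, or None for any other type."""
    m = BROKER_TYPE.match(token_type or "")
    return m.group(1) if m else None


def exchange_direction(params):
    """Map subject_token_type / requested_token_type to the broker aliases they name (None = realm token)."""
    return {
        "subject_broker": broker_alias(params.get("subject_token_type")),
        "requested_broker": broker_alias(params.get("requested_token_type")),
    }


def role_policy_allows(caller, audience):
    """Original proposal: a realm role, or a client role defined by the target client."""
    if not caller.service_account_enabled:
        return False
    return ("token-exchanger" in caller.realm_roles
            or "token-exchanger" in caller.client_roles.get(audience.client_id, set()))


def allowlist_policy_allows(caller, audience):
    """Reply's suggestion: the target resource server names the clients allowed to exchange into it."""
    return caller.service_account_enabled and caller.client_id in audience.allowed_exchangers


def authorize_exchange(caller, params, clients, policy=allowlist_policy_allows):
    """Full check for one request: the audience must be a known client and the policy must allow it."""
    audience = clients.get(params.get("audience"))
    if audience is None:
        return False
    return policy(caller, audience)
```

Note how a realm-level "token-exchanger" role lets the caller exchange into every audience, while the allow list confines it to the resource servers that opted in.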