[keycloak-dev] direct exchanges
Bill Burke
bburke at redhat.com
Wed Sep 13 10:52:05 EDT 2017
We have direct grants where client passes username and creds to obtain
a token for that user. We have client credentials grant to get a
token for the client itself.
What if we had a direct exchange where the client provides user id or
username and gets a token for that user? The client does not have to
provide user credentials.
What is the use case for this? Consider an application that is
authenticated via an external mechanism. Consider that this external
mechanism does not provide any type of token, it just authenticates a
username. This application needs to talk to services secured by
Keycloak. So, with this new direct exchange mechanism, the
application only needs to have a client account on the Keycloak server
to obtain a token for a keycloak user. Another benefit of this is
that Keycloak does not need to understand external token formats in
order to provide a token to a client that authenticates users by an
external mechanism.
There's some big security risks for this. If the client's secret is
stolen the attacker would be able to mint token for any user. This
is somewhat mitigated in two ways:
a) If the token is minted for the client, the scope of the token can
be limited, i.e. role mappings limited
b) if the client is asking for a different audience (a different
client) the client can be limited on the audience it can ask for. (we
already do this check for client to client token exchange).
--
Bill Burke
Red Hat
More information about the keycloak-dev
mailing list