[keycloak-dev] How to retrieve an access token with only the roles for a specific target service (keycloak client)?
Daniel Charczyński
danielcharczynski at o2.pl
Mon Feb 5 04:14:34 EST 2018
Hi everyone,
I think that there is an important need to implement a feature that makes
it possible to get an access token according to the target service.
Background:
We are using bearer access tokens for authorization between services.
This is a JWT signed by Keycloak and it contains all roles assigned to the
specific client.
We are using a "service account" for service-to-service authorization.
E.g., if we have the following scenario:

    service A ---> service B
        |
        |-------------> service C

Service A receives a JWT with roles for services B and C.
If service A communicates with B, B is able to reuse this token and
communicate with C as service A.
The token that B receives from A is valid and there is a possibility to reuse it.
That is a CRITICAL security issue in my opinion.
Our plan is to use roles that require the scope parameter, and that is OK for us,
but at the moment there is only the possibility to query for a specific role;
there is NO possibility to ask Keycloak for a JWT with all roles but only in the
context of service B.
Of course we can use composite roles, but this is a workaround that requires
extra maintenance; we do not want to do it that way.
We just need support for a scope parameter like

    scope = serviceB/*
We created:
- https://github.com/keycloak/keycloak/pull/4910 - rejected
- https://issues.jboss.org/browse/KEYCLOAK-6092 - closed as duplicate

Maybe our PR is too flexible; we built our solution using a regex.
There is the possibility to use a wildcard, anything.
Regards
Daniel Charczyński
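The following is an added example, not code from the post above and not Keycloak's own code. It models the replay problem the post describes (service B forwarding A's token on to C) and the requested `scope = serviceB/*` filter. The claim layout mirrors Keycloak's `aud` and `resource_access` claims, but the tokens are signed with HS256 and a shared secret only so the script runs offline (Keycloak signs with RS256), and the client names, role names and the wildcard matching are assumptions made for the illustration.

```python
"""Added example: token reuse between services and a per-target-service scope
filter. Constructed data throughout; HS256 stands in for Keycloak's RS256."""
import base64
import fnmatch
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"example-only-secret"  # stand-in for the realm signing key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(payload: dict) -> str:
    """Produce a compact JWT (header.payload.signature), HS256 for the demo."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify(token: str) -> dict:
    """Check the signature and return the claims; raise on tampering."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


# Constructed sample: client roles of service A's service account, laid out
# the way Keycloak places them in the resource_access claim.
SERVICE_A_ROLES = {
    "serviceB": {"roles": ["serviceB-read", "serviceB-write"]},
    "serviceC": {"roles": ["serviceC-admin"]},
}


def filter_roles(client_roles: dict, scope: str) -> dict:
    """Keep only roles matching a '<client pattern>/<role pattern>' scope.

    The "client/role" wildcard syntax is the one the post asks for; the
    matching rule (shell-style globbing) is an assumption of this example.
    """
    client_pat, role_pat = scope.split("/", 1)
    kept = {}
    for client, entry in client_roles.items():
        if not fnmatch.fnmatchcase(client, client_pat):
            continue
        roles = [r for r in entry["roles"] if fnmatch.fnmatchcase(r, role_pat)]
        if roles:
            kept[client] = {"roles": roles}
    return kept


def issue_token(client_roles: dict, scope: Optional[str] = None) -> str:
    """Mint a token for service A's service account.

    Without a scope this is the behaviour the post complains about: every
    client role goes into the token. With a scope, only the matching roles
    are included and `aud` is narrowed to the clients that remain.
    """
    access = client_roles if scope is None else filter_roles(client_roles, scope)
    return sign({
        "sub": "service-account-serviceA",
        "azp": "serviceA",
        "aud": sorted(access),
        "resource_access": access,
    })


def accepted_by(service: str, token: str) -> bool:
    """Resource-server side: the token must name this service in `aud`
    and carry at least one role for it."""
    claims = verify(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    roles = claims.get("resource_access", {}).get(service, {}).get("roles")
    return service in aud and bool(roles)


def replay_demo() -> dict:
    """Service A calls B; B forwards A's token unchanged to C."""
    broad = issue_token(SERVICE_A_ROLES)                  # current behaviour
    narrow = issue_token(SERVICE_A_ROLES, "serviceB/*")   # requested feature
    return {
        "broad_token_accepted_by_C": accepted_by("serviceC", broad),
        "narrow_token_accepted_by_B": accepted_by("serviceB", narrow),
        "narrow_token_accepted_by_C": accepted_by("serviceC", narrow),
    }


if __name__ == "__main__":
    print(replay_demo())
```

With the broad token, service C accepts the request that B replayed, because the token genuinely carries C's roles; with the scoped token, B still gets everything it needs and C refuses, since neither `aud` nor `resource_access` mentions it. The receiving-side `accepted_by` check is the part a practitioner can apply today: validating `aud` against the service's own client ID limits the damage of a forwarded token even before the token issuer narrows what it hands out.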