[keycloak-dev] How to retrieve an access token only with roles for a specific target service (keycloak client)?

Stian Thorgersen sthorger at redhat.com
Mon Feb 5 04:54:05 EST 2018


Did you look at the token exchange service?

On 5 February 2018 at 10:14, Daniel Charczyński <danielcharczynski at o2.pl>
wrote:

>  Hi everyone
>
> I think that there is an important need to implement a feature that makes
> it possible to get an access token according to the target service
>
> background:
> we are using bearer access tokens for authorization between services;
> this is a JWT signed by keycloak and contains all roles assigned to this
> specific client
> we are using a "service account" for service-to-service authorization
>
>
> eg:
> if we have the following scenario
>
> service A   --->  service B
>     |
>     |-------------  > service C
>
> service A receives a JWT with roles for service B and C
>
> If service A communicates with B, B is able to reuse this token and
> communicate with C as service A
> The token that B receives from A is valid and there is the possibility to reuse it
> That is a CRITICAL security issue in my opinion.
>
> Our plan is to use Roles that require the scope parameter, and it is OK for us,
> but at the moment it is only possible to query for a specific Role;
> there is NO possibility to ask keycloak for a JWT with all roles but only in
> the service B context.
>
> Of course we can use composite roles, but this is a workaround that requires
> extra maintenance - we do not want to do it that way
>
> We just need support for a scope parameter like
>
> scope = serviceB/*
>
> We created
>
> https://github.com/keycloak/keycloak/pull/4910 - rejected
> and https://issues.jboss.org/browse/KEYCLOAK-6092 - closed as duplicate
>
> Maybe our PR is too flexible - we built our solution using regex
> There is the possibility to use a wildcard, anything
>
> Regards
> Daniel Charczyński
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
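As an added example that is not part of this thread and not Keycloak's own code: the script below models what the token exchange grant Stian points to gives you against the A -> B -> C replay described above. Keycloak exposes token exchange on the realm's token endpoint with grant_type=urn:ietf:params:oauth:grant-type:token-exchange and an `audience` parameter (a preview feature that has to be switched on); service A presents its own access token and gets back a token whose `aud` names only service B. The protection only holds if every resource server actually checks that it is in `aud`, which is the check `verify` below enforces. A shared-secret HS256 JWT stands in for Keycloak's RS256 signing so the script runs offline; the realm URL, the client ids service-a/-b/-c, the roles and the exchange policy are all constructed for the demonstration.

```python
"""Per-audience bearer tokens via token exchange (added example, not Keycloak code).

A minimal HS256 JWT signed with a shared secret stands in for Keycloak's
RS256-signed tokens so this runs offline. Realm URL, client ids, roles and the
exchange policy below are assumptions made for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://keycloak.example/auth/realms/demo"      # assumed realm
SECRET = b"constructed-realm-signing-key"                   # stand-in for the realm key
# Which client may exchange its token for which target audiences (assumed policy;
# Keycloak enforces this with per-client token-exchange permissions).
EXCHANGE_POLICY = {"service-a": {"service-b", "service-c"}}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(azp: str, aud: list, roles: dict, ttl: int = 300) -> str:
    """Mint a token as the realm would: azp = requesting client, aud = target clients,
    client roles under resource_access.<client>.roles (Keycloak's claim layout).
    Only roles for clients named in aud are included."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "azp": azp,
        "aud": aud,
        "resource_access": {c: {"roles": r} for c, r in roles.items() if c in aud},
        "exp": int(time.time()) + ttl,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode(token: str) -> dict:
    """Signature, issuer and expiry check only (what the issuer itself needs)."""
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims["iss"] != ISSUER or claims["exp"] < time.time():
        raise PermissionError("wrong issuer or expired")
    return claims


def verify(token: str, my_client_id: str) -> list:
    """Resource-server check: valid token AND this service is listed in aud.
    Returns the roles granted on this service."""
    claims = decode(token)
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if my_client_id not in aud:
        raise PermissionError(f"token not meant for {my_client_id}: aud={aud}")
    return claims["resource_access"].get(my_client_id, {}).get("roles", [])


def exchange(requesting_client: str, subject_token: str, audience: str) -> str:
    """Model of the token endpoint handling
    grant_type=urn:ietf:params:oauth:grant-type:token-exchange with an `audience`
    parameter: the caller's own token is narrowed to a single target client."""
    claims = decode(subject_token)
    if claims["azp"] != requesting_client:
        raise PermissionError("subject_token was not issued to the requesting client")
    if audience not in EXCHANGE_POLICY.get(requesting_client, set()):
        raise PermissionError(f"{requesting_client} may not exchange for {audience}")
    roles = {c: v["roles"] for c, v in claims["resource_access"].items()}
    return issue(claims["azp"], [audience], roles)


def scenario() -> dict:
    """Constructed run of the A -> B -> C replay described in the thread."""
    roles = {"service-b": ["b:read"], "service-c": ["c:write"]}
    wide = issue("service-a", ["service-b", "service-c"], roles)  # one token for both
    narrow = exchange("service-a", wide, "service-b")              # what A should send to B
    out = {"wide_replayed_at_c": verify(wide, "service-c"),        # accepted: the problem
           "narrow_at_b": verify(narrow, "service-b")}
    try:
        verify(narrow, "service-c")                                # B tries to replay it
        out["narrow_replayed_at_c"] = "accepted"
    except PermissionError:
        out["narrow_replayed_at_c"] = "rejected"
    out["narrow_audiences"] = decode(narrow)["aud"]
    return out


if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```

Running it shows the wide service-account token being accepted at C when B forwards it (the replay in the thread), while the exchanged token carries aud=["service-b"] and only service-b's roles, so C rejects it. Note that the exchanged token still has azp=service-a: the exchange narrows who may consume the token, not who it represents, and B cannot exchange a token that was not issued to B in the first place.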

