[keycloak-dev] How to retrieve an access token with only the roles for a specific target service (keycloak client)?
Daniel Charczyński
danielcharczynski at o2.pl
Mon Feb 5 06:27:00 EST 2018
Yes
we do not want to exchange the service A token for a service B token, or any other
client's token
we want to get the service A token but with a restricted set of roles: only the roles
assigned for service B (without the service C roles)
something like
"give me my token for communication with service B"
or
"give me my token for communication with service C"
2018-02-05 10:54 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:
> Did you look at the token exchange service?
>
> On 5 February 2018 at 10:14, Daniel Charczyński <danielcharczynski at o2.pl>
> wrote:
>
>> Hi everyone
>>
>> I think that there is an important need to implement a feature that makes it
>> possible to get an access token according to the target service
>>
>> background:
>> we are using bearer access tokens for authorization between
>> services
>> this is a JWT signed by keycloak and it contains all roles assigned to this
>> specific client
>> we are using a "service account" for service-to-service authorization
>>
>>
>> eg:
>> if we have the following scenario
>>
>> service A ---> service B
>> |
>> |------------- > service C
>>
>> service A receives JWT with roles to service B and C
>>
>> If service A communicates with B, B is able to reuse this token and
>> communicate with C as service A
>> The token that B receives from A is valid and there is the possibility to reuse it
>> That is a CRITICAL security issue in my opinion.
>>
>> Our plan is to use roles that require the scope parameter, and that is OK for us,
>> but at the moment it is only possible to query for a specific role;
>> there is NO possibility to ask keycloak for a JWT with all roles but only in the
>> service B context.
>>
>> Of course we can use composite roles, but this is a workaround that requires
>> extra maintenance - we do not want to do it that way
>>
>> We just need support scope parameter like
>>
>> scope = serviceB/*
>>
>> We created
>>
>> https://github.com/keycloak/keycloak/pull/4910 - rejected
>> and https://issues.jboss.org/browse/KEYCLOAK-6092 - closed as duplicate
>>
>> Maybe our PR is too flexible - we built our solution using regex
>> There is the possibility to use a wildcard, anything
>>
>> Regards
>> Daniel Charczyński
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
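The two halves of the request above, as an added illustration that is not code from the thread or from Keycloak: narrowing a service-account token's claims to one target client, and the receiving service enforcing the audience so a token narrowed for service B is refused by service C. The claims payload is a constructed sample shaped like Keycloak's `aud` and `resource_access` claims; the function names are hypothetical and no signing is performed.

```python
from typing import Any

# Constructed sample payload (not a real token) in the shape Keycloak uses:
# "resource_access" groups client roles by client ID, "aud" lists audiences.
SERVICE_A_CLAIMS: dict[str, Any] = {
    "aud": ["service-b", "service-c"],
    "resource_access": {
        "service-b": {"roles": ["orders:read"]},
        "service-c": {"roles": ["billing:write"]},
    },
}


def restrict_to_target(claims: dict[str, Any], target: str) -> dict[str, Any]:
    """Copy of the claims with only the roles granted for `target` and the
    audience pinned to it: the "give me my token for service B" request.
    A real issuer would sign this payload; signing is out of scope here."""
    roles = claims.get("resource_access", {}).get(target, {}).get("roles", [])
    narrowed = dict(claims)
    narrowed["aud"] = [target]
    narrowed["resource_access"] = {target: {"roles": list(roles)}} if roles else {}
    return narrowed


def roles_for_me(claims: dict[str, Any], my_client_id: str) -> list[str]:
    """Resource-server side: refuse tokens not addressed to this client and
    return only this client's roles. The audience check is what stops service
    B from replaying a B-scoped token against service C."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # Keycloak emits a plain string for one audience
        aud = [aud]
    if my_client_id not in aud:
        raise PermissionError(f"token not intended for {my_client_id}: aud={aud}")
    return list(claims.get("resource_access", {}).get(my_client_id, {}).get("roles", []))


def is_accepted(claims: dict[str, Any], my_client_id: str) -> bool:
    """True if `my_client_id` would accept the token at all."""
    try:
        roles_for_me(claims, my_client_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    token_for_b = restrict_to_target(SERVICE_A_CLAIMS, "service-b")
    print("B sees roles:", roles_for_me(token_for_b, "service-b"))
    print("C accepts B's token:", is_accepted(token_for_b, "service-c"))
```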