[keycloak-dev] How to retrieve an access token only with roles for a specific target service (Keycloak client)?

Daniel Charczyński danielcharczynski at o2.pl
Mon Feb 5 06:27:00 EST 2018


Yes

we do not want to exchange a service A token for a service B token, or any other
client's

we want to get a service A token but with a restricted set of roles: only the roles
assigned from service B (without service C roles)



something like

"give me my token for communication with service B"

or

"give me my token for communication with service C"

2018-02-05 10:54 GMT+01:00 Stian Thorgersen <sthorger at redhat.com>:

> Did you look at the token exchange service?
>
> On 5 February 2018 at 10:14, Daniel Charczyński <danielcharczynski at o2.pl>
> wrote:
>
>> Hi everyone
>>
>> I think that there is an important need to implement a feature that makes it
>> possible to get an access token according to the target service
>>
>> background:
>> we are using bearer access tokens for authorization between
>> services
>> this is a JWT signed by Keycloak and contains all roles assigned to this
>> specific client
>> we are using a "service account" for service-to-service authorization
>>
>>
>> eg:
>> if we have the following scenario
>>
>> service A   --->  service B
>>     |
>>     |-------------  > service C
>>
>> service A receives JWT with roles to service B and C
>>
>> If service A communicates with B, B is able to reuse this token and
>> communicate with C as service A
>> The token that B receives from A is valid and there is a possibility to reuse it
>> That is a CRITICAL security issue in my opinion.
>>
>> Our plan is to use roles that require the scope parameter and it is OK for us
>> but at the moment there is only the possibility to query for a specific role;
>> there is NO possibility to ask Keycloak for a JWT with all roles but only in
>> the service B context.
>>
>> Of course we can use composite roles but this is a workaround that requires
>> extra maintenance - we do not want to do it that way
>>
>> We just need support scope parameter like
>>
>> scope = serviceB/*
>>
>> We created
>>
>>
>>
>> * https://github.com/keycloak/keycloak/pull/4910 - rejected
>> * https://issues.jboss.org/browse/KEYCLOAK-6092 - closed as duplicate
>>
>> Maybe our PR is too flexible - we built our solution using a regex
>> There is the possibility to use a wildcard, anything
>>
>> Regards
>> Daniel Charczyński
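As an added example (not code from this thread or from Keycloak itself), here is how a resource server such as service C can refuse the replay described above: it verifies the token, requires its own client id in the `aud` claim, and takes roles only from its own `resource_access` entry. It assumes the issuer fills `aud` with the intended target services, and uses a constructed HS256 secret in place of Keycloak's RS256 realm key so that it runs offline.

```python
import base64, hashlib, hmac, json, time
from typing import List, Optional

# Constructed HS256 secret so the example runs offline; Keycloak signs with
# RS256, so a real resource server verifies against the realm public key.
SECRET = b"example-shared-secret"
NOW = 1517820000  # constructed "current time" used by the sample tokens below

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def verify_for_service(token: str, my_client_id: str, now: Optional[float] = None) -> List[str]:
    """Check signature and expiry, reject tokens not addressed to this service, return its roles."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("expired")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if my_client_id not in aud:
        raise PermissionError(f"token not issued for {my_client_id}")
    # Never derive permissions from roles granted for a different client.
    return claims.get("resource_access", {}).get(my_client_id, {}).get("roles", [])

# Constructed tokens for service A's service account. BROAD is the shape the
# thread complains about: roles for B and C in one token, so B can replay it at C.
BROAD_TOKEN = sign_jwt({"azp": "service-a", "aud": ["service-b", "service-c"],
    "exp": NOW + 300, "resource_access": {"service-b": {"roles": ["b-reader"]},
                                          "service-c": {"roles": ["c-admin"]}}})
# SCOPED is the requested shape: "my token for communication with service B".
SCOPED_TOKEN = sign_jwt({"azp": "service-a", "aud": ["service-b"], "exp": NOW + 300,
    "resource_access": {"service-b": {"roles": ["b-reader"]}}})

if __name__ == "__main__":
    print(verify_for_service(SCOPED_TOKEN, "service-b", NOW))  # ['b-reader']
    print(verify_for_service(BROAD_TOKEN, "service-c", NOW))   # ['c-admin'], replay accepted
```

Presenting SCOPED_TOKEN to service C raises PermissionError, which is the restriction the thread asks Keycloak to produce at issuance time.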