[keycloak-dev] Pairwise clients and authorization services

Martin Hardselius martin.hardselius at gmail.com
Mon Feb 19 12:32:02 EST 2018


Yes, the default implementation is using SHA-256. That makes things a bit
more complicated. In retrospect, it might have been wiser to go with
AES-128 or some other kind of encryption.

No specific reason. It was one of the suggestions in from the spec and I
suppose we failed to think of scenarios where we would wan't to resolve the
local sub.

Martin

On Mon, 19 Feb 2018 at 17:19 Pedro Igor Silva <psilva at redhat.com> wrote:

> We did not consider subject type pairwise in authorization services, we
> need to review this ...
>
> If we can resolve local sub from the a pairwise subject type, I think this
> is the best way to go. But pairwise is using SHA26, right ?
>
> I also noticed you are the main contributor of subject pairwise, any
> specific reason why we are not using encryption ?
>
> Regards.
> Pedro Igor
>
> On Mon, Feb 19, 2018 at 11:40 AM, Martin Hardselius <
> martin.hardselius at gmail.com> wrote:
>
>> Hi,
>>
>> It seems like authorization services break when using them with a pairwise
>> enabled client. I've not investigated the full extent of this but long
>> story short, the sub from the token is used in token validation and in
>> org.keyclak.authorization.common.KeycloakIdentity for some comparisons.
>>
>> Steps to reproduce:
>> 1. Create pairwise a client with authorization enabled
>> 3. Get access token (client_credentials)
>> 3, Try post a new resource_set
>>
>> I'm not sure what the best way to fix this is.
>> 1. Re-write token validation and KeycloakIdentity to not rely on the sub
>> in
>> the token,
>> 2. Re-write the pairwise protocol mapper to ignore service accounts (feels
>> like putting make-up on a pig), or
>> 3. "terminate" pairwise subs, replacing them with the internal sub, before
>> further processing.
>>
>> Thoughts?
>>
>> Regards,
>> Martin
>>
> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>


More information about the keycloak-dev mailing list