[keycloak-dev] Audience support
Marek Posolda
mposolda at redhat.com
Mon Sep 10 03:37:05 EDT 2018
Cool, should have audience PR ready in next few days then. Will create
"future" version JIRA for the "Resource" specs.
Marek
On 10/09/18 09:21, Stian Thorgersen wrote:
> As aud field is widely used today that is what we need now. I haven't
> seen anyone ask for [2] so I think we can safely ignore that spec for
> now.
>
> I would finish what you have with aud support for now, then we can
> address [2] in the future if needed.
>
> On Thu, 6 Sep 2018 at 23:37, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
>
> Hi,
>
> I have some concerns about the audience support. The prototype
> done few
> months ago, which I have in my branch [1] is based on client
> scopes. I
> showed it on the weekly demo some time ago and changed few things
> based
> on the feedback. Just to clarify, the PR:
> - Adds the AudienceProtocolMapper, which is able to attach single
> client_id of the specified client (typically will be bearer-only
> client)
>
> - Adds the easy way to generate "audience client scope" for specified
> "service" client (usually bearer-only client). This clientScope
> contains:
> -- the audienceProtocolMapper of bearer-only described above
> -- the scope role mappings of all the client roles of that
> bearer-only
> client.
> The "frontend" clients can then use this clientScope, so that
> audience +
> roleMappings will be both available in the accessToken issued for the
> frontend-client.
>
> Now there is this specs [2], which Pedro pointed. Short summary about
> this specs:
>
> - It is still in draft state for few years and there are some TODO in
> it. So hard to say how much to rely on it...
>
> - It specifically talks about "scope" parameter and mentions, that
> it is
> often used by various parties for "what the token can be used for"
> (permissions/claims associated with the token) and "where to use that
> token" . But it mentions that "where" use-case should be ideally
> handled
> by something else.
>
> - It introduces "resource" parameter, which MUST be an absolute
> URI per
> this specification and it should point to the service/resource
> where the
> access token will be used. When authorization server is creating
> token,
> it may apply audiences, encrypt token by various algorithms based
> on the
> requested "resource" etc. For the audience, they specify that:
>
> "The authorization server may use the exact 'resource' value as the
> audience or it may map from that value to a more general URI or
> abstract
> identifier for the resource server."
>
> - The "resource" parameter is used in the token request if
> possible. For
> the grants where it's not possible (implicit, resource owner password
> login, client credentials) it is used in the initial authentication
> request. So for the classic "authorization_code" grant it can be
> used in
> code-to-token or refresh-token requests. This is great and allows
> some
> cool flexibility (unlike "scope" where the whole SSO login
> including all
> the redirects is needed). But it requires some support on adapters.
>
>
> Now I am thinking about 2 possible ways to continue:
>
> 1) Finish my current work around audience and for now, let it be
> driven
> through the "scope" parameter. Then later add the support for the
> "resource" parameter and the specs above.
> 2) Skip what I currently have and start something different based
> on the
> "resource" parameter specs.
>
> ATM I am more keen to option 1, so that we can have some audience
> support in master ASAP. Also because the specs is still draft and I
> don't know how much we can rely on the "resource" parameter being
> adopted by 3rd party applications (for example Openshift). When we
> later
> have the option to drive audiences through both "scope" and
> "resource"
> params, it will be good thing IMO.
>
> The "resource" related support will require changes on the adapter
> side
> as it is new parameter to be supported in code-to-token request and
> refresh-token request. On our adapter's side, it will be good to have
> some changes to allow "cache" of more access tokens for various
> resources/audiences, not just one. On server-side, I was thinking
> about
> various possibilities, and it still looks good to represent
> "resource"
> support through client scopes. So optional clientScopes can be
> requested
> either through "scope" parameter (default case) or through "resource"
> parameter (probably disabled by default) or through both.
>
> Thoughts?
>
>
> [1] https://github.com/mposolda/keycloak/tree/audience
> [2]
> https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-00
>
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list