[keycloak-dev] Application Initiated Actions Draft #2
Marek Posolda
mposolda at redhat.com
Tue Apr 2 09:39:30 EDT 2019
On 02/04/2019 15:24, Pedro Igor Silva wrote:
>
> On Tue, Apr 2, 2019 at 10:12 AM Marek Posolda <mposolda at redhat.com <mailto:mposolda at redhat.com>> wrote:
>
> > There's a difference in leaking a refresh token and access token to leaking an ID token IMO. From thinking about it I can't see how you would use a leaked ID token as apps don't accept them in the same way as services accept access tokens.
>
> Hopefully yes, but even if ID Token is leaked, it is not ideal. In the past, we had issues with the fact that IDToken could be used as accessToken. This shouldn't be an issue in our adapters, where we test the "typ" and audience in the tokens. But some 3rd party service can be buggy and still accept ID Token as access token due to some missing checks. Hopefully this is not a big issue in reality...
>
> +1. But audience check is still false by default, right?
Yes. But the "typ" is checked in our adapters, so you won't be able to
use ID token as access token. I think the issue could be just for 3rd
party adapters, which may not check all the necessary things.
Marek
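The point made in this exchange is that a resource server must not accept an ID token where an access token is expected, and that the "typ" claim (plus, where enabled, the audience) is what lets an adapter tell them apart. The block below is an added illustration and is not Keycloak's adapter code: it builds two constructed HS256 tokens (Keycloak-style, with "typ" carried as a payload claim, "Bearer" for access tokens and "ID" for ID tokens), verifies the signature, and then applies the "typ" and audience checks. The issuer URL, client id and signing secret are constructed for the example; real adapters validate against the realm's public key. The audience check is off by default to mirror what the thread says about the adapters, and the example shows what enabling it rejects.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Tuple

# Constructed values for this example only (not from the page or the project).
SECRET = b"example-hs256-secret-not-for-production"
ISSUER = "https://sso.example.test/auth/realms/demo"   # assumed realm issuer URL
RESOURCE_CLIENT_ID = "inventory-service"               # assumed resource-server client id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Mint an HS256 JWT over the given claims (constructed test data).
    The Keycloak-style token kind lives in the payload's 'typ' claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, verify_audience: bool = False) -> Tuple[bool, str]:
    """Return (accepted, reason). Order of checks: signature, issuer, expiry,
    then the 'typ' claim, then (only if enabled) the audience."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return False, "bad signature"
    header = json.loads(_b64url_decode(h_b64))
    claims = json.loads(_b64url_decode(c_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= time.time():
        return False, "expired"
    # The 'typ' check from the thread: a validly signed ID token is still not
    # an access token, so it is refused here regardless of its other claims.
    if claims.get("typ") != "Bearer":
        return False, f"token typ {claims.get('typ')!r} is not an access token"
    if verify_audience:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if RESOURCE_CLIENT_ID not in aud:
            return False, "audience does not include this service"
    return True, "ok"


def build_sample_tokens() -> Dict[str, str]:
    """Constructed tokens: one ID token, one access token for this service,
    one access token issued for a different audience."""
    now = int(time.time())
    base = {"iss": ISSUER, "sub": "user-123", "iat": now, "exp": now + 300}
    return {
        "id_token": make_token({**base, "typ": "ID", "aud": "web-frontend"}),
        "access_token": make_token({**base, "typ": "Bearer",
                                    "aud": [RESOURCE_CLIENT_ID, "account"]}),
        "access_token_other_aud": make_token({**base, "typ": "Bearer", "aud": "billing-service"}),
    }


if __name__ == "__main__":
    for name, tok in build_sample_tokens().items():
        print(name, verify_access_token(tok), verify_access_token(tok, verify_audience=True))
```

Running it shows the ID token refused on "typ" alone, the correctly scoped access token accepted either way, and the access token minted for another service accepted only while the audience check stays disabled, which is the gap the "+1" in the thread is pointing at.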