[keycloak-dev] External (SAML) Token to Internal Token Exchange
Edwin Steiner
esteiner at inventage.com
Fri Aug 30 10:35:00 EDT 2019
Hi all
First, thanks to all Keycloak committers and contributors. We like Keycloak very much and have used it in many projects.
The documentation says that the "Token Exchange" [1] feature is in Technology Preview only and the "External Token to Internal Token Exchange" [2] feature for SAML identity providers is not supported but may be added.
In a customer project we have exactly the requirement for exchange a SAML v2 Assertion with a JWT. Because of that we are investigating in implementing this feature either as a project specific solution or as a contribution.
As there is no SPI for this requirement, I guess a fork is necessary for changing the method org.keycloak.protocol.oidc.endpoints.TokenEndpoint#tokenExchange, so that not only subject tokens of type "urn:ietf:params:oauth:token-type:jwt" are accepted.
Any hints or tips on this topic are very welcomed.
Best regards
Edwin
[1] file:///Users/esteiner/Documents/Github/Keycloak/keycloak-documentation/target/securing_apps/index.html#_token-exchange
[2] file:///Users/esteiner/Documents/Github/Keycloak/keycloak-documentation/target/securing_apps/index.html#external-token-to-internal-token-exchange
--
Edwin Steiner
Inventage AG | CH-8005 Zürich | www.inventage.com
More information about the keycloak-dev
mailing list