[keycloak-user] cascaded microservice security

Scott Rossillo srossillo at smartling.com
Wed Dec 16 15:19:49 EST 2015


It seems you’re trying to enforce that only client B can call client C. This isn’t really something considered by OpenID Connect Spec. Are you using the access token from client A to call client C (from B)? If so, the client adapter can’t help you here. If your intent is just to protect service C from being called directly, just secure it behind a firewall so that only client B may access it.

It’s also not very clear what you’re trying to accomplish by “protecting” access to client C.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Dec 16, 2015, at 10:30 AM, Dirk Franssen <dirk.franssen at gmail.com> wrote:
> 
> Hi,
> 
> As I didn't receive any feedback on this question yet, I will resend it (perhaps due to a pending subscription).
> 
> On Tue, Dec 8, 2015 at 12:09 PM, Dirk Franssen <dirk.franssen at gmail.com <mailto:dirk.franssen at gmail.com>> wrote:
> Hi,
> 
> How would one configure Keycloak to obtain the following scenarios?
> 
> Scenario 1:
> 
> client A: public (angular app)
> client B: bearer-only (microservice)
> client C: bearer-only (microservice)
> 
> - microservice B is allowed to call microservice C, but an authenticated user in the js app A should be forbidden to call microservice C directly.
> 
> Scenario 2:
> 
> client A: public (angular app)
> client B: confidential (1 war with a REST service AND a JSF application, both using the same EJB business layer which is accessing microservice C)
> client C: bearer-only (microservice)
> 
> - a user authenticated in the angular app can use the REST service of app B and will see the results of microservice C, but the user may not call microservice C directly
> - a user authenticated in the JSF application will see the results of microservice C when using the JSF application, but should not be able to use microservice C directly (if the user would reuse the same access_token)
> - should there be different roles for the REST part and the JSF part of app B (for accessing microservice C)?
> 
> Kind regards,
> Dirk
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
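As an added example that belongs to neither message in this thread: what microservice C can verify on its own side, independently of the Keycloak client adapter, is which client the access token was issued to. Keycloak access tokens carry the standard OpenID Connect `azp` (authorized party, the client that obtained the token) and `aud` claims; the check below accepts a token whose `azp` is client B and whose `aud` names C, and rejects a token that client A obtained for itself even though it is otherwise valid, which covers the "user reuses the same access_token" case from scenario 2. Assumptions: the client ids `client-b`/`client-c` are made up, and HS256 with a constructed key stands in for the realm's RS256 signing key so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: real Keycloak tokens are RS256-signed with the realm key;
# HS256 is used here only so the example is self-contained.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
SERVICE_C = "client-c"          # assumed bearer-only client id of microservice C
ALLOWED_CALLERS = {"client-b"}  # only tokens issued to client B may reach C


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(azp: str, aud, key: bytes = DEMO_KEY, ttl: int = 300) -> str:
    """Constructed stand-in for a Keycloak access token (HS256, not RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"azp": azp, "aud": aud, "exp": int(time.time()) + ttl, "sub": "user-1"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authorize_call_to_c(token: str, key: bytes = DEMO_KEY, now=None):
    """Return (allowed, reason): checks signature, alg, expiry, then aud and azp."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # no alg confusion
        return False, "unexpected alg"
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "expired"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud      # aud may be a string or a list
    if SERVICE_C not in aud:
        return False, "token not issued for %s (aud=%r)" % (SERVICE_C, aud)
    if claims.get("azp") not in ALLOWED_CALLERS:
        return False, "caller %r may not call %s" % (claims.get("azp"), SERVICE_C)
    return True, "ok"
```

A real service C would do the same claim checks after verifying the RS256 signature against the realm's public key; the firewall suggested in the reply and this token-level check complement each other rather than replace one another.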
