[keycloak-user] Information about Keycloak client_assertion_type

Marek Posolda mposolda at redhat.com
Wed Mar 22 03:49:26 EDT 2017


On 21/03/17 19:48, Thibaut.Castaing at isocel.info wrote:
> Hi all,
>
> I'm currently working on Keycloak and its integration in our architecture,
> which is composed of several modules.
>
> According to the documentation I plan to
> - create a realm (which is related to my organisation)
> - create "clients" for every application I would like to secure with
> Keycloak.
>
> I don't want to manage roles at realm level (for organisational and
> security reasons). I want to manage roles by client (using eventually a
> client template if several modules share the same configuration).
>
> In this mode, I would like to be able, from a given resource in the
> context of an authenticated client (authenticated from the browser
> authentication), to retrieve roles for a given remote "client" in order
> to make a remote call to its API using the right roles.
> I would like to know if it's possible from a given backend client to ask
> Keycloak for an "access_token" for another client using the current
> authenticated user (and so its related JWT token).
The access token for "client-a" can also contain the client roles of 
"client-b". You just need to ensure that "client-a" either has 
FullScopeAllowed or has scopes on the roles of "client-b". Scopes can also be 
defined per client template.

Maybe this is an easier way to accomplish what you need instead of 
exchanging tokens?
>
> I plan to use a client authenticator client_assertion_type with the
> current user token. Is it the right solution?
The JWT client authenticator, which we provide OOTB, is able to 
authenticate a client against the Keycloak server with a short-lived JWT 
token created by the client adapter itself. There is no support for 
authenticating (exchanging) based on another access token of an authenticated user.

If you really need to exchange tokens, you can maybe implement your own 
REST endpoint for it. We have some examples for it in the 
keycloak-examples distribution in the directory "providers". You can take a 
look at the tokenIntrospection endpoint for inspiration on how to verify 
an existing token etc. Also you can maybe take a look at our authorization 
stuff; it can maybe also have something which can help you (I am not 
deeply familiar with it, so not sure).

Marek
>
> Thanks for your reply.
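The suggestion above is that the backend does not need a second token at all: if "client-a" has scope on "client-b"'s roles, the access token the user already holds carries those roles under Keycloak's resource_access claim, and the backend only has to verify the token and read that claim before calling client-b's API. The following is an added example illustrating that check; it is not code from the thread or from Keycloak. It assumes a constructed HS256 shared secret so it runs offline with the standard library (a real Keycloak access token is RS256-signed with the realm key published at the realm's openid-connect/certs endpoint, so a deployment would verify against that key instead), and the sample token, client ids and role names are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. Keycloak signs access tokens with RS256 and the realm's
# public key; HS256 with a shared secret is used here only so the example runs offline.
DEMO_SECRET = b"constructed-demo-secret-not-a-keycloak-key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact JWS (header.payload.signature) for the demo; stands in for the token Keycloak issues."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_demo_token(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Return the claims if signature and expiry check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the expected algorithm; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def client_roles(claims: dict, client_id: str) -> list:
    """Client roles for client_id, read from the resource_access claim Keycloak populates."""
    return list(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def authorize_remote_call(token: str, target_client: str, required_role: str, now=None) -> bool:
    """True only if the token verifies and grants required_role on target_client."""
    try:
        claims = verify_demo_token(token, now=now)
    except ValueError:
        return False
    return required_role in client_roles(claims, target_client)


# Constructed sample claims: the token was issued to client-a (azp), and because
# client-a has scope on client-b's roles, client-b's roles appear in resource_access.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example/auth/realms/demo",
    "azp": "client-a",
    "exp": 1490170000,
    "iat": 1490169700,
    "preferred_username": "alice",
    "realm_access": {"roles": []},
    "resource_access": {
        "client-a": {"roles": ["user"]},
        "client-b": {"roles": ["api-reader"]},
    },
}

SAMPLE_TOKEN = make_demo_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(client_roles(verify_demo_token(SAMPLE_TOKEN, now=1490169800), "client-b"))
    print(authorize_remote_call(SAMPLE_TOKEN, "client-b", "api-reader", now=1490169800))
```

The check is deliberately two-stage: the signature and expiry are verified before any claim is read, and the role lookup is scoped to the target client's entry in resource_access rather than to realm roles, which matches the per-client role model the question describes. A token that was forged with a different key, or whose exp has passed, is rejected before its roles are consulted.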