[keycloak-user] Fwd: how to retrieve an access token only with roles for a specific target service (Keycloak client)?

Daniel Charczyński danielcharczynski at o2.pl
Thu Jan 18 09:36:06 EST 2018


Hi

I'd like to talk with you about

https://github.com/keycloak/keycloak/pull/4910
and
https://issues.jboss.org/browse/KEYCLOAK-6092

We have a CRITICAL security issue: a target service is able to receive an
access token with roles for other services, so it is able to reuse it.

We need to implement a feature that makes it possible to get an access token
with roles per target service (client in Keycloak).

Our idea is to use client roles that require scope.
But in order to get all roles assigned from a specific target service we need
to change the current behaviour.

At the moment there is a possibility to get a specific role using the scope
parameter

<clientId>/<role-name>

but we need

<clientId>/.*

Have you got any idea how to make it possible ASAP?
We do not want to make any breaking changes...

Maybe we use a wildcard instead of a regexp, like <clientId>/* ?
Just let me know how to do it in order to be compatible with your future
plans and make it possible to merge...

Regards
Daniel
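Added illustration (not code from the mail, and not Keycloak's own implementation) of the role-scoping semantics the mail describes: a constructed model of a user's per-client roles, a parser for the `<clientId>/<role-name>` scope form the mail says exists today, and the `<clientId>/*` wildcard the mail proposes (assumed here, not an existing Keycloak feature). The client IDs, role names, and the way `aud` is derived from the surviving `resource_access` entries are all this example's assumptions.

```python
"""Role scoping per target client: constructed model, not Keycloak internals.

Without role selectors every client's roles land in the token (the behaviour
the mail calls a security issue). With `<clientId>/<role>` selectors only the
named roles survive; `<clientId>/*` (proposed in the mail, assumed here) keeps
all roles the user holds for that one client and nothing for any other.
"""
from __future__ import annotations

# Constructed sample: roles the user has been granted per client in the realm.
USER_CLIENT_ROLES = {
    "orders-service": {"orders:read", "orders:write"},
    "billing-service": {"invoices:read", "refunds:issue"},
    "account": {"manage-account", "view-profile"},
}


def parse_scope(scope_param: str) -> list[tuple[str, str]]:
    """Turn a space-separated scope string into (client_id, role) selectors.

    Entries without a `/` (e.g. `openid`) are ordinary OIDC scopes and are
    ignored here; `orders-service/` or `/read` are rejected as malformed.
    """
    selectors = []
    for entry in scope_param.split():
        if "/" not in entry:
            continue
        client_id, role = entry.split("/", 1)
        if not client_id or not role:
            raise ValueError(f"malformed role scope: {entry!r}")
        selectors.append((client_id, role))
    return selectors


def build_resource_access(
    assigned: dict[str, set[str]], scope_param: str | None
) -> dict[str, dict[str, list[str]]]:
    """Compute the `resource_access` claim for a token.

    No role selectors -> every assigned client role is emitted (current
    default). Otherwise only roles matching a selector are emitted. Selectors
    naming roles or clients the user does not hold are dropped, never granted.
    """
    selectors = parse_scope(scope_param) if scope_param else []
    wanted: dict[str, set[str]] = {}
    if not selectors:
        wanted = {c: set(r) for c, r in assigned.items()}
    else:
        for client_id, role in selectors:
            held = assigned.get(client_id, set())
            keep = held if role == "*" else held & {role}
            if keep:
                wanted.setdefault(client_id, set()).update(keep)
    return {
        client_id: {"roles": sorted(roles)}
        for client_id, roles in sorted(wanted.items())
        if roles
    }


def mint_token(assigned: dict[str, set[str]], scope_param: str | None) -> dict:
    """Assemble the role-related claims of a token (no signing, no exp/iat).

    `aud` is derived from the clients whose roles survived filtering; that
    derivation is this example's choice, not a statement about Keycloak.
    """
    resource_access = build_resource_access(assigned, scope_param)
    return {"aud": sorted(resource_access), "resource_access": resource_access}


def accepted_by(resource_server: str, token: dict) -> bool:
    """What a resource server should check before honouring the token:
    it must be in `aud` and must carry roles for that server."""
    return resource_server in token["aud"] and resource_server in token["resource_access"]


if __name__ == "__main__":
    import json
    for scope in (None, "openid orders-service/orders:read", "openid orders-service/*"):
        tok = mint_token(USER_CLIENT_ROLES, scope)
        print(f"scope={scope!r}")
        print(json.dumps(tok, indent=2))
        print("usable at billing-service:", accepted_by("billing-service", tok))
```

Run with `python3 scope_roles.py`: the unscoped token carries roles for all three clients and passes the audience check at `billing-service` even though it was requested for `orders-service`; the `orders-service/*` token carries only that client's roles and is rejected by `billing-service`, which is the reuse problem the mail is trying to close.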


More information about the keycloak-user mailing list