[keycloak-user] Authenticating to a client with another client's service account

Paolo Tedesco Paolo.Tedesco at cern.ch
Fri Mar 23 11:53:31 EDT 2018


I've found out that the problem was in the audience validation of my API.
The access token I get from keycloak when I authenticate my confidential client has always

aud = confidential_client_id

How am I supposed to get a token with a different audience value?
I tried specifying in the POST request to the token endpoint

resource = client_id_of_the_api

which works with ADFS 2016, but seems to be ignored by Keycloak.

Thanks,
Paolo

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Paolo Tedesco
Sent: Friday, 23 March, 2018 11:11
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Authenticating to a client with another client's service account

Hi all,

I have registered two clients in my Keycloak, one is an API (ID = client_api) and another is a confidential client (ID = confidential_client), which is a standalone application that should access the API with its own credentials.
I've set the access type of both API and application to "confidential".

From the application, I obtain a token with a POST to https://keycloak-server/auth/realms/master/protocol/openid-connect/token with these parameters:

client_id = confidential_client
client_secret = <confidential client secret>
grant_type = client_credentials

From this, I obtain a token, that looks like this:
{
  "access_token": "eyJhbG...Z0qmQ"
  // other stuff
}

Then, I try to call my API with an authentication header with

Bearer = "eyJhbG...Z0qmQ" (the access_token from previous step)

However, this does not seem to work, and the API acts like the user is not authenticated.
Any idea of what I'm doing wrong?

Thanks,
Paolo
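The audience check the reply above identifies as the failing step, together with the client_credentials call from the original message, as an added example that is not code from this thread or from Keycloak. It mints a token the way the API would see it and validates it as a resource server should: signature, expiry, issuer, then `aud`. The client IDs and realm URL are taken from the thread; the HS256 shared secret, the `sub`/`azp` values and the timestamps are constructed. A real Keycloak access token is RS256-signed with the realm key and would be verified against the realm's public key instead; HS256 is substituted only so the example runs offline.

```python
# Added example, not code from the thread or from Keycloak.
# A resource server must reject a token whose "aud" does not name it, so a
# client_credentials token issued with aud = confidential_client is rejected
# by client_api, which is the behaviour the thread describes.
# Constructed: HS256 with a made-up shared secret stands in for Keycloak's
# RS256 realm key so the example runs offline.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-example-secret"                   # constructed, not a real key
ISSUER = "https://keycloak-server/auth/realms/master"    # realm URL from the thread
API_CLIENT_ID = "client_api"                             # the API's client ID (thread)
APP_CLIENT_ID = "confidential_client"                    # the calling app's client ID (thread)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_credentials_request(client_id: str, client_secret: str) -> dict:
    """Form body the application POSTs to the token endpoint (as in the thread)."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }


def make_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; stands in for the token the IdP returns."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, secret: bytes, expected_aud: str,
                   expected_iss: str, now=None) -> dict:
    """Resource-server side: signature, expiry, issuer, then audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]   # RFC 7519: aud is a string or an array
    if expected_aud not in auds:
        raise ValueError(f"audience mismatch: token aud={aud!r}, API expects {expected_aud!r}")
    return claims


def check(token: str, now=None) -> str:
    """What client_api decides for a presented bearer token."""
    try:
        validate_token(token, SECRET, API_CLIENT_ID, ISSUER, now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo(now: float = 1_521_820_000) -> dict:
    """Two constructed tokens: the one the thread describes, and one the API would accept."""
    base = {"iss": ISSUER, "sub": f"service-account-{APP_CLIENT_ID}",
            "azp": APP_CLIENT_ID, "exp": now + 300}
    self_aud = make_token({**base, "aud": APP_CLIENT_ID}, SECRET)             # as in the thread
    api_aud = make_token({**base, "aud": [API_CLIENT_ID, APP_CLIENT_ID]}, SECRET)
    return {"self_aud": check(self_aud, now), "api_aud": check(api_aud, now)}


if __name__ == "__main__":
    print(client_credentials_request(APP_CLIENT_ID, "<confidential client secret>"))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `self_aud` token reproduces the situation in the thread (`aud` equal to the calling client's own ID) and is rejected with an audience-mismatch reason, while a token whose `aud` array includes `client_api` passes. The API side is right to insist on this check; how the issuer is configured to put the API's ID into `aud` is the open question in the reply, and nothing in the check needs to change once it does.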

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
