[keycloak-user] Authenticating to a client with another client's service account

Pedro Igor Silva psilva at redhat.com
Mon Mar 26 08:01:28 EDT 2018


This is something we are not doing correctly where access tokens are always
created with the client as the audience and not the resource server /
target service.

Marek can give more insights about this but I think this should be fixed by
the work he is doing around Client Scopes.

Another alternative is to use token exchange [1].

[1] http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

Regards.
Pedro Igor

On Fri, Mar 23, 2018 at 12:53 PM, Paolo Tedesco <Paolo.Tedesco at cern.ch>
wrote:

> I've found out that the problem was in the audience validation of my API.
> The access token I get from keycloak when I authenticate my confidential
> client has always
>
> aud = confidential_client_id
>
> How am I supposed to get a token with a difference audience value?
> I tried specifying in the POST request to the token endpoint
>
> resource = client_id_of_the_api
>
> which works with ADFS 2016, but seems to be ignored by Keycloak.
>
> Thanks,
> Paolo
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.
> jboss.org> On Behalf Of Paolo Tedesco
> Sent: Friday, 23 March, 2018 11:11
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Authenticating to a client with another client's
> service account
>
> Hi all,
>
> I have registered two clients in my Keycloak, one is an API (ID =
> client_api) and another is a confidential client (ID =
> confidential_client), which is a standalone application that should access
> the API with its own credentials.
> I've set the access type of both API and application to "confidential".
>
> From the application, I obtain a token with a POST to
> https://keycloak-server/auth/realms/master/protocol/openid-connect/token
> with these parameters:
>
> client_id = confidential_client
> client_secret = <confidential client secret>
> grant_type = client_credentials
>
> From this, I obtain a token that looks like this:
> {
>   "access_token": "eyJhbG...Z0qmQ"
>   // other stuff
> }
>
> Then, I try to call my API with an authentication header with
>
> Bearer = "eyJhbG...Z0qmQ" (the access_token from the previous step)
>
> However, this does not seem to work, and the API acts like the user is not
> authenticated.
> Any idea of what I'm doing wrong?
>
> Thanks,
> Paolo
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

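To make the audience mismatch in this thread concrete, here is an added Python example (not code from the thread or from Keycloak) showing the `aud` check a resource server like `client_api` should perform on the bearer token, and the form body for the token exchange grant that Pedro's reply points to. The token fixture, client ids and secret are constructed for the demonstration, and signature verification against the realm's keys is assumed to have happened before any claim is trusted.

```python
import base64
import json
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    # Constructed fixture only: header and payload are real JWT segments, the
    # third segment is a placeholder. A real token is RS256-signed by the realm
    # and the signature must be verified before decode_claims() output is used.
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.PLACEHOLDER_SIG"


def decode_claims(token: str) -> dict:
    # Base64url payload without padding; restore it before decoding.
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_accepts(claims: dict, expected_aud: str) -> bool:
    # "aud" may be a string or a list (RFC 7519 section 4.1.3). A token whose
    # aud is only the calling client (the thread's case, aud = confidential_client)
    # must be rejected by client_api even though it is otherwise valid.
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return bool(aud) and expected_aud in aud


def token_exchange_body(client_id: str, client_secret: str,
                        subject_token: str, audience: str) -> str:
    # Form body for the RFC 8693 token exchange grant, POSTed to the same
    # openid-connect/token endpoint used for client_credentials. The client
    # trades its own access token for one whose "aud" is the target client.
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": subject_token,
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "audience": audience,
    })
```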
