[keycloak-user] Authenticating to a client with another client's service account

Marek Posolda mposolda at redhat.com
Mon Mar 26 14:34:58 EDT 2018


Yes, as Pedro mentioned, I hope that better audience support will be 
available in Keycloak master in the next few weeks (or months), so it 
should be available in an upcoming beta. The JIRA is 
https://issues.jboss.org/browse/KEYCLOAK-6638 .

Question: does this parameter "resource=client_id_of_the_api" seem to be 
an ADFS-specific parameter, or is it mentioned in some specification? We 
plan to support better audience handling through the "scope" parameter, or 
have it available by default (depending on where the admin defines the 
protocolMapper for audience).

Thanks,
Marek

On 26/03/18 14:01, Pedro Igor Silva wrote:
> This is something we are not doing correctly where access tokens are always
> created with the client as the audience and not the resource server /
> target service.
>
> Marek can give more insights about this but I think this should be fixed by
> the work he is doing around Client Scopes.
>
> Another alternative is use token exchange [1].
>
> [1]
> http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
>
> Regards.
> Pedro Igor
>
> On Fri, Mar 23, 2018 at 12:53 PM, Paolo Tedesco <Paolo.Tedesco at cern.ch>
> wrote:
>
>> I've found out that the problem was in the audience validation of my API.
>> The access token I get from keycloak when I authenticate my confidential
>> client has always
>>
>> aud = confidential_client_id
>>
>> How am I supposed to get a token with a different audience value?
>> I tried specifying in the POST request to the token endpoint
>>
>> resource = client_id_of_the_api
>>
>> which works with ADFS 2016, but seems to be ignored by Keycloak.
>>
>> Thanks,
>> Paolo
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Paolo Tedesco
>> Sent: Friday, 23 March, 2018 11:11
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Authenticating to a client with another client's
>> service account
>>
>> Hi all,
>>
>> I have registered two clients in my Keycloak, one is an API (ID =
>> client_api) and another is a confidential client (ID =
>> confidential_client), which is a standalone application that should access
>> the API with its own credentials.
>> I've set the access type of both API and application to "confidential".
>>
>> From the application, I obtain a token with a POST to
>> https://keycloak-server/auth/realms/master/protocol/openid-connect/token
>> with these parameters:
>>
>> client_id = confidential_client
>> client_secret = <confidential client secret>
>> grant_type = client_credentials
>>
>> From this, I obtain a token, that looks like this:
>> {
>>    "access_token": "eyJhbG...Z0qmQ"
>>    // other stuff
>> }
>>
>> Then, I try to call my API with an authentication header with
>>
>> Bearer = "eyJhbG...Z0qmQ" (the access_token from previous step)
>>
>> However, this does not seem to work, and the API acts like the user is not
>> authenticated.
>> Any idea of what I'm doing wrong?
>>
>> Thanks,
>> Paolo
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
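To show concretely why the API in this thread rejects the token, here is an added resource-server audience check (example code, not from Keycloak or from anyone in the thread). The sample tokens, their placeholder signature and the `authorize_request` helper are constructed for illustration; signature and expiry verification against the realm's public key is assumed to happen before the audience check.

```python
import base64
import json

# Client IDs from the thread: the API that should appear in "aud", and the
# confidential client whose service account calls it.
API_CLIENT_ID = "client_api"
CALLER_CLIENT_ID = "confidential_client"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64url(segment: str) -> bytes:
    # Compact JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims: dict) -> str:
    # Constructed sample only: a placeholder signature stands in for Keycloak's
    # RS256 signature so the claim check can be exercised offline.
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"

def jwt_claims(token: str) -> dict:
    """Payload of a compact JWT. Signature and expiry verification against the
    realm's public key is assumed to have happened before this is called."""
    _header, payload, _signature = token.split(".")
    return json.loads(_unb64url(payload))

def audience_accepts(claims: dict, expected_audience: str) -> bool:
    """RFC 7519 lets "aud" be a string or an array of strings; the resource
    server must find its own identifier in it and reject the token otherwise."""
    aud = claims.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        aud = [aud]
    return expected_audience in aud

def authorize_request(token: str) -> tuple:
    """Resource-server decision for one bearer token: (HTTP status, reason)."""
    claims = jwt_claims(token)
    if not audience_accepts(claims, API_CLIENT_ID):
        return 401, f"aud {claims.get('aud')!r} does not include {API_CLIENT_ID}"
    return 200, f"service account of {claims.get('azp')} authenticated"

# Token as Keycloak issued it in the thread (aud = the caller's own client id)
# versus the shape the API needs (the API's client id present in aud).
TOKEN_AS_ISSUED = make_sample_token({"aud": CALLER_CLIENT_ID, "azp": CALLER_CLIENT_ID})
TOKEN_FOR_API = make_sample_token({"aud": [CALLER_CLIENT_ID, API_CLIENT_ID], "azp": CALLER_CLIENT_ID})
```

Running `authorize_request` on both tokens reproduces the thread's symptom: the first is rejected with 401 solely because of the audience, the second is accepted.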