[keycloak-user] Authenticating to a client with another client's service account
Schuster Sebastian (INST/ESY1)
Sebastian.Schuster at bosch-si.com
Tue Mar 27 08:11:16 EDT 2018
A resource parameter was for example described in this OAuth2 spec draft: https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-02
Currently, the OAuth2 guys are discussing this in the context of the distributed OAuth2 spec, see https://www.ietf.org/mail-archive/web/oauth/current/msg17817.html
But I don't know the details, so I am not sure this is relevant...
Best regards,
Sebastian
Mit freundlichen Grüßen / Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Montag, 26. März 2018 20:35
To: Pedro Igor Silva <psilva at redhat.com>; Paolo Tedesco <Paolo.Tedesco at cern.ch>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Authenticating to a client with another client's service account
Yes, as Pedro mentioned, I hope that better audience support will be available in Keycloak master in next few weeks (or months), so in some next beta, it should be available. JIRA is
https://issues.jboss.org/browse/KEYCLOAK-6638 .
Question: This parameter "resource=client_id_of_the_api" seems to be ADFS specific parameter? Or is it mentioned in some specification? We plan to support better audience support through "scope" parameter or have it available by default (depends on where admin defines protocolMapper for audience).
Thanks,
Marek
On 26/03/18 14:01, Pedro Igor Silva wrote:
> This is something we are not doing correctly where access tokens are
> always created with the client as the audience and not the resource
> server / target service.
>
> Marek can give more insights about this but I think this should be
> fixed by the work he is doing around Client Scopes.
>
> Another alternative is use token exchange [1].
>
> [1]
> http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-ex
> change
>
> Regards.
> Pedro Igor
>
> On Fri, Mar 23, 2018 at 12:53 PM, Paolo Tedesco
> <Paolo.Tedesco at cern.ch>
> wrote:
>
>> I've found out that the problem was in the audience validation of my API.
>> The access token I get from keycloak when I authenticate my
>> confidential client has always
>>
>> aud = confidential_client_id
>>
>> How am I supposed to get a token with a difference audience value?
>> I tried specifying in the POST request to the token endpoint
>>
>> resource = client_id_of_the_api
>>
>> which works with ADFS 2016, but seems to be ignored by Keycloak.
>>
>> Thanks,
>> Paolo
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.
>> jboss.org> On Behalf Of Paolo Tedesco
>> Sent: Friday, 23 March, 2018 11:11
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] Authenticating to a client with another
>> client's service account
>>
>> Hi all,
>>
>> I have registered two clients in my Keycloak, one is an API (ID =
>> client_api) and another is a confidential client (ID =
>> confidential_client), which is a standalone application that should
>> access the API with its own credentials.
>> I've set the access type of both API and application to "confidential".
>>
>> >From the application, I obtain a token with a POST to
>> https://keycloak-server/auth/realms/master/protocol/openid-connect/to
>> ken
>> with these parameters:
>>
>> client_id = confidential_client
>> client_secret = <confidential client secret> grant_type =
>> client_credentials
>>
>> >From this, I obtain a token, that looks like this:
>> {
>> "access_token": "eyJhbG...Z0qmQ"
>> // other stuff
>> }
>>
>> Then, I try to call my API with an authentication header with
>>
>> Bearer = "eyJhbG...Z0qmQ" (the accesss_token from previous step)
>>
>> However, this does not seem to work, and the API acts like the user
>> is not authenticated.
>> Any idea of what I'm doing wrong?
>>
>> Thanks,
>> Paolo
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list