[keycloak-user] Token Exchange AWS Cognito & Keycloak

Matteo Restelli mrestelli at cuebiq.com
Wed Apr 10 08:51:24 EDT 2019


Hi all,
We're using AWS Cognito as our Identity provider for our platform. We're
trying to use an internal instance of Keycloak, in order to check the
possibility to use KC for authorization purposes (this is because Keycloak has
a wonderful and powerful authorization system that fulfills our needs, and
for that I want to say "Thank you very much" :) ). For this reason we
want to use the token exchange feature of Keycloak.
More specifically we want to follow this flow:

- User authenticates on AWS Cognito via SRP auth flow (which basically is
not a standard OIDC/OAuth2 authentication flow)
- User sends the access token to contact the backend service and, in the
middle, this token is translated to an internal one, minted by Keycloak

If we provide the AWS Cognito access token to the token exchange endpoint,
with the subject_token_type parameter set to
"urn:ietf:params:oauth:token-type:access_token", an error is returned
stating that the access token doesn't contain the "openid" scope. Despite
this we've tried another way, providing the id token to the token exchange
endpoint with the subject_token_parameter set to
"urn:ietf:params:oauth:token-type:id_token", and we discovered that this
alternative way works. So, my questions are:

- Is the "exchange with id token" approach a feasible and good one? Or is
it a completely bad approach?
- From an OIDC point of view, is it a right approach to access a backend
resource from a single page application using an id token? I've always
read that if you want to access a backend resource from a client
application, it is better to use the access token, because the id token
contains a lot of user information and must be used only by the client
application

Thank you very much,
Matteo


PS: As a side note, I want to clarify that if we follow an authorization
code grant flow, or an implicit flow, during the authentication against AWS
Cognito, the access token exchange works as expected. So this means that
the problem is related to the shape of the token released by Cognito.

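The difference between the tokens described in the message shows up in their claims. The following Python is an added example, not part of the original post and not Keycloak or Cognito code: it decodes constructed sample tokens, picks the matching subject_token_type, and builds the token exchange form body, refusing an access token that lacks the "openid" scope. The claim values, the `cognito` identity provider alias and the `backend` client name used with it are assumptions.

```python
import base64
import json
from urllib.parse import urlencode

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(token):
    """Return (subject_token_type, scopes) from the token_use and scope claims."""
    claims = jwt_claims(token)
    scopes = claims.get("scope", "").split()
    kind = ID_TOKEN if claims.get("token_use") == "id" else ACCESS_TOKEN
    return kind, scopes


def exchange_form(token, subject_issuer, client_id):
    """Build the token exchange form body; refuse an access token without 'openid'."""
    kind, scopes = classify(token)
    if kind == ACCESS_TOKEN and "openid" not in scopes:
        raise ValueError("access token lacks the 'openid' scope: %s" % scopes)
    return urlencode({
        "grant_type": GRANT,
        "subject_token": token,
        "subject_token_type": kind,
        "subject_issuer": subject_issuer,  # assumed alias of the Cognito IdP in Keycloak
        "client_id": client_id,            # assumed Keycloak client allowed to exchange
    })


def make_sample(claims):
    """Constructed, unsigned sample token (header.payload.signature) for the demo."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (enc({"alg": "none"}), enc(claims))


# Constructed claims: SRP login, authorization code login, and an ID token.
SRP_ACCESS = make_sample({"token_use": "access", "scope": "aws.cognito.signin.user.admin"})
CODE_ACCESS = make_sample({"token_use": "access", "scope": "openid email"})
SRP_ID = make_sample({"token_use": "id", "aud": "example-app-client"})
```

Decoding here is for diagnosis only; whichever service accepts the token still has to verify its signature, issuer and audience.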