[keycloak-user] Token Exchange AWS Cognito & Keycloak

Pedro Igor Silva psilva at redhat.com
Wed Apr 10 09:40:41 EDT 2019


Hi,

So you are doing external to internal exchange. It is not clear to me how
you configured AWS Cognito as an identity provider and what/how the SRP
flow works. Could you provide more details, please? Is the token issued by
Cognito a JWT?

In addition to that, what does your token exchange request look like when
using both id_token and access_token as a subject_token?

On Wed, Apr 10, 2019 at 9:56 AM Matteo Restelli <mrestelli at cuebiq.com>
wrote:

> Any news on that?
>
> Thank you!
> Matteo
>
> =============================
>
>
> Hi all,
> We're using AWS Cognito as our Identity provider for our platform. We're
> trying to use an internal instance of Keycloak, in order to check the
> possibility to use KC for authorization purposes (this because Keycloak has
> a wonderful and powerful authorization system that fulfills our needs, and
> for that I want to say "Thank you very much" :) ). For this reason we
> want to use the token exchange feature of Keycloak.
> More specifically we want to follow this flow:
>
> - User authenticates on AWS Cognito via SRP auth flow (which basically is
> not a standard OIDC/OAuth2 authentication flow)
> - User sends the access token to contact the backend service and, in the
> middle, this token is translated to an internal one, minted by Keycloak
>
> If we provide the AWS Cognito access token to the token exchange endpoint,
> with the subject_token_type parameter set to
> "urn:ietf:params:oauth:token-type:access_token", an error is returned
> stating that the access token doesn't contain the "openid" scope. Despite
> this we've tried another way, providing the id token to the token exchange
> endpoint with the subject_token_type parameter set to
> "urn:ietf:params:oauth:token-type:id_token", and we discovered that this
> alternative way works. So, my questions are:
>
> - Is the "exchange with id token" approach a feasible and good one? Or is
> it a completely bad approach?
> - From an OIDC point of view, can it be a right approach to access a backend
> resource from a single page application using an id token? I've always
> read that if you want to access a backend resource from a client
> application, it is better to use the access token, because the id token
> contains a lot of user information and must be used only by the client
> application
>
> Thank you very much,
> Matteo
>
>
> PS: As a side note, I want to clarify that if we follow an authorization
> code grant flow, or an implicit flow, during the authentication against AWS
> Cognito, the access token exchange works as expected. So this means that
> the problem is related to the shape of the token released by Cognito.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
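As an added example (not code from either message or from Keycloak), here is the inspection Pedro asks for: decoding the Cognito subject token to see whether it carries the "openid" scope the error message mentions, and assembling the external-to-internal exchange request with the matching subject_token_type. The three tokens are constructed samples mirroring what the thread describes (an SRP-issued access token without openid, its id token, and an authorization code flow access token with openid); the Keycloak `subject_issuer` parameter and Cognito's `token_use` claim are taken from their respective documentation, and the decode is deliberately unverified inspection, not validation.

```python
import base64
import json

# RFC 8693 identifiers used in the thread.
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def constructed_jwt(claims: dict) -> str:
    """CONSTRUCTED sample token: JWT shape, placeholder signature, never verified."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig-placeholder"

# Constructed claim sets mirroring the Cognito tokens the thread contrasts: an
# SRP-issued access token (no openid scope), its id token, and an access token
# from an authorization code flow (openid present).
SRP_ACCESS_TOKEN = constructed_jwt(
    {"token_use": "access", "scope": "aws.cognito.signin.user.admin", "sub": "u1"})
SRP_ID_TOKEN = constructed_jwt(
    {"token_use": "id", "aud": "spa-client", "email": "user@example.com", "sub": "u1"})
CODE_FLOW_ACCESS_TOKEN = constructed_jwt(
    {"token_use": "access", "scope": "openid email", "sub": "u1"})

def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def has_openid_scope(token: str) -> bool:
    """The condition the error message in the thread points at."""
    return "openid" in decode_claims(token).get("scope", "").split()

def subject_token_type(token: str) -> str:
    """Pick the RFC 8693 type from Cognito's token_use claim ('id' or 'access')."""
    return ID_TOKEN_TYPE if decode_claims(token).get("token_use") == "id" else ACCESS_TOKEN_TYPE

def exchange_request_body(token: str, subject_issuer: str, audience: str) -> dict:
    """Form parameters for Keycloak's external-to-internal exchange; subject_issuer
    is the IdP alias configured in Keycloak, audience the internal client."""
    return {
        "grant_type": EXCHANGE_GRANT,
        "subject_token": token,
        "subject_token_type": subject_token_type(token),
        "subject_issuer": subject_issuer,
        "audience": audience,
    }
```

Running `has_openid_scope` over the two access tokens shows why the SRP-issued one is rejected while the code flow one is accepted, which is the difference Matteo's PS describes.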

