[keycloak-user] Http CIP and Client's Access Token

Alexey Titorenko titorenko at dtg.technology
Wed Feb 6 05:27:41 EST 2019

Hello guys!

Could someone please help me with my investigation of PolicyEnforcer?

I’m currently checking how ‘http’ claim information point is working.

Let’s imagine typical situation when some client calls service, which, it turn, uses ‘http’ CIP. That is, we have following scheme:  CLIENT -> Service -> ClaimSerivce

The question is about the token, which is used to call ClaimService. I would expect, that Service should get its own token which provides access to ClaimService. But I see, that it uses CLIENT’s token. Which imho means, that:
Client knows from his token about this ClaimService although he shouldn’t from the security point of view. Although, it some schemes it may be required, I agree. But not always.
Service calls ClaimService using not his own rights, but client’s rights, which makes it more difficult to control and audit access. 
Usage of ClaimService is an internal detail of the Service and may change at any time. In this case we need to reconfigure tokens for all clients calling Service, which is, again, not good.

What do you think about this? Am I right or wrong? Or should we consider OOTB 'http' CIP as a reference only?

Also, http CIP does not support path parameters, which is typical situation for REST. Only query parameters.


More information about the keycloak-user mailing list