[keycloak-user] Token exchange: on-behalf-of + downgrade

Pedro Igor Silva psilva at redhat.com
Wed Feb 27 10:50:51 EST 2019


The token exchange should be the right tool. Are you trying to downgrade
scopes or just remove the client roles that are not related with svc-2 ?

Pedro Igor

On Tue, Feb 26, 2019 at 5:33 AM Alexey Titorenko <titorenko at dtg.technology>

> Hello guys.
> I would like to ask you help with the following. I’m currently looking at
> on-behalf-of scenario with Keycloak. In this case we have ‘web app’ calling
> ’svc-1’, which in turn calls another service ‘svc-2’. That is, we have:
> web —> svc-1 —> svc-2.
> The idea is to let svc-2 know who is actual initiator of the call chain
> (end-to-end identity propagation). The question is about how to do that
> with Keycloak.
> First, in order to propagate caller identity we could exchange tokens in
> ‘svc-1’. In this case we can have correct audience and, thus, control token
> usage. Second, we need is to remove any excessive permissions (client
> roles) that are not related to ‘svc-2’ call in order to reduce potential
> harm in case this token is intercepted by someone.
> And if I know how to exchange tokens, I cannot find how to downgrade the
> token during the exchange. As I see in documentation, ‘scope’ parameter is
> not supported for token exchange.
> So, my questions are:
> Is token exchange a right tool for this task?
> Is it possible to downgrade exchanged token? And how, if so?
> Thank you,
> Alexey
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list