[keycloak-user] Token exchange: on-behalf-of + downgrade

Pedro Igor Silva psilva at redhat.com
Wed Feb 27 11:22:26 EST 2019


IIRC, you can use a scope parameter when doing a token exchange. Other
aspects could be managed by setting up client scopes for your client
applications, did you try that?

On Wed, Feb 27, 2019 at 12:59 PM Alexey Titorenko <titorenko at dtg.technology>
wrote:

> Hi Pedro!
>
> Thank you for the answer!
>
> I would like to be able to control all aspects: audience, scope and
> roles.
>
> Today I also found that the exchanged token may contain more roles than
> are defined on the Scope tab for svc-1, if the caller has some additional
> roles. So, after the token exchange svc-1 can have more rights than would
> be possible without token exchange.
>
>
> Alexey.
>
> On 27 Feb 2019, at 18:50, Pedro Igor Silva <psilva at redhat.com> wrote:
>
> Hi,
>
> The token exchange should be the right tool. Are you trying to downgrade
> scopes or just remove the client roles that are not related to svc-2?
>
> Regards.
> Pedro Igor
>
> On Tue, Feb 26, 2019 at 5:33 AM Alexey Titorenko <titorenko at dtg.technology>
> wrote:
>
>> Hello guys.
>>
>> I would like to ask for your help with the following. I’m currently looking
>> at an on-behalf-of scenario with Keycloak. In this case we have a ‘web app’
>> calling ‘svc-1’, which in turn calls another service, ‘svc-2’. That is, we
>> have: web —> svc-1 —> svc-2.
>>
>> The idea is to let svc-2 know who the actual initiator of the call chain is
>> (end-to-end identity propagation). The question is how to do that with
>> Keycloak.
>>
>> First, in order to propagate the caller identity we could exchange tokens in
>> ‘svc-1’. In this case we can have the correct audience and, thus, control
>> token usage. Second, we need to remove any excessive permissions (client
>> roles) that are not related to the ‘svc-2’ call in order to reduce the
>> potential harm in case this token is intercepted by someone.
>>
>> While I know how to exchange tokens, I cannot find how to downgrade the
>> token during the exchange. As I see in the documentation, the ‘scope’
>> parameter is not supported for token exchange.
>>
>>
>> So, my questions are:
>> Is token exchange the right tool for this task?
>> Is it possible to downgrade an exchanged token? And how, if so?
>>
>>
>> Thank you,
>> Alexey
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
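An added example, not code from this thread or from Keycloak itself, showing the exchange Pedro and Alexey discuss from svc-1's side: building the token-exchange request for the web -> svc-1 -> svc-2 chain with an `audience` and the `scope` parameter Pedro mentions, and then auditing the token that comes back for exactly the problem Alexey reports (roles that do not belong to svc-2 leaking through, or an audience wider than svc-2). The request parameter names are the standard token-exchange ones (`grant_type`, `subject_token`, `audience`, `scope`, `requested_token_type`); whether a given Keycloak version honours `scope` on exchange is the open question in the thread, so the audit is the check svc-1 can rely on either way. Everything below is constructed: `svc-1`, `svc-2`, `web`, the role names and the secret are placeholders, the sample tokens are unsigned, and `payload_claims` assumes the token's signature has already been verified against the realm key.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(subject_token, client_id, client_secret, audience, scopes=()):
    """Form body svc-1 POSTs to the realm token endpoint to swap the caller's
    token for one addressed to `audience`. `scope` is only sent when given."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
    }
    if scopes:
        params["scope"] = " ".join(scopes)
    return urlencode(params)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_unsigned_jwt(claims):
    """Constructed sample token (alg=none) used only to build test input here."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + "."


def payload_claims(jwt):
    """Decode the payload segment. No signature check happens here: call it only
    on a token that was already verified against the realm's public key."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def client_roles(claims, client_id):
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def audit_exchange(original, exchanged, target, allowed_roles):
    """Return the policy violations in an exchanged token: the subject must be
    propagated unchanged, the audience must be exactly `target`, only roles for
    `target` may remain, and those must be a subset of both what the caller
    already held and what svc-1 is allowed to pass on (`allowed_roles`)."""
    problems = []
    if exchanged.get("sub") != original.get("sub"):
        problems.append("subject changed during exchange")
    aud = exchanged.get("aud")
    aud = set(aud) if isinstance(aud, list) else {aud}  # Keycloak emits str or list
    if aud != {target}:
        problems.append(f"audience {sorted(aud)} is not exactly {target!r}")
    for client in exchanged.get("resource_access", {}):
        if client != target:
            problems.append(f"roles for unrelated client {client!r} remain")
    gained = client_roles(exchanged, target) - client_roles(original, target)
    if gained:
        problems.append(f"roles gained in exchange: {sorted(gained)}")
    over = client_roles(exchanged, target) - set(allowed_roles)
    if over:
        problems.append(f"roles beyond {target!r} scope: {sorted(over)}")
    return problems


# Constructed sample: the token the web app presents to svc-1.
CALLER = {"sub": "user-123", "aud": "svc-1", "azp": "web",
          "resource_access": {"svc-1": {"roles": ["reader", "admin"]},
                              "svc-2": {"roles": ["caller", "admin"]}}}
# What a properly downgraded exchange for svc-2 should look like ...
GOOD = {"sub": "user-123", "aud": "svc-2", "azp": "svc-1",
        "resource_access": {"svc-2": {"roles": ["caller"]}}}
# ... and the over-privileged shape Alexey describes: svc-1's roles, a second
# audience and the caller's extra 'admin' role all survive the exchange.
LEAKY = {"sub": "user-123", "aud": ["svc-2", "svc-1"], "azp": "svc-1",
         "resource_access": {"svc-1": {"roles": ["reader", "admin"]},
                             "svc-2": {"roles": ["caller", "admin"]}}}
SVC2_ALLOWED = {"caller"}  # roles svc-1 is permitted to forward to svc-2


def demo():
    body = build_exchange_request(make_unsigned_jwt(CALLER), "svc-1",
                                  "<svc-1-secret>", "svc-2", ("svc-2-caller",))
    good = audit_exchange(CALLER, payload_claims(make_unsigned_jwt(GOOD)), "svc-2", SVC2_ALLOWED)
    leaky = audit_exchange(CALLER, payload_claims(make_unsigned_jwt(LEAKY)), "svc-2", SVC2_ALLOWED)
    return body, good, leaky


if __name__ == "__main__":
    body, good, leaky = demo()
    print(body)
    print("good token problems:", good)
    print("leaky token problems:", leaky)
```

The audit is deliberately stricter than "did the exchange succeed": even if the server ignores `scope`, svc-1 can refuse to forward a token whose audience or role set is wider than the svc-2 call needs, which is the harm reduction Alexey is after if the token is intercepted downstream.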