[keycloak-user] Only bearer client and Authorization

Ronaldo Hideki Yamada ronaldo.yamada at serpro.gov.br
Wed Jun 26 15:41:36 EDT 2019


Hi, 

I have the following use case: 

One client A1 (web) makes an authentication code flow and gets an access_token. 

I want to use this access token as Bearer token T1[azp=A1] in backend client B1 (api) with authorization enabled. 

And validate permissions on Resources#Scopes in client B1 mapped by client B1 RolePolicy. 

I already get it to work only if I add the builtin protocol mapper "User Client Role" to the first client A1 and insert the client roles of B1 on token T1. 

But this largely increases the size of access_token T1 and I have a limit of 4k. 

How do I make Keycloak evaluate authz permissions [RolePolicy] against the user's client roles in the internal database, instead of the information in the first token T1? 




Ronaldo Hideki Yamada 

-


"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO), a federal public company governed by Federal Law no. 5.615, is sent exclusively to its addressee and may contain confidential information protected by professional secrecy. Its unauthorized use is illegal and subjects the offender to the penalties of the law. If you received it in error, please return it to the sender, clarifying the mistake."

"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure."
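As an added illustration of the two issues raised in the post (how much of the 4k budget the "User Client Role" mapper consumes, and what the API client B1 actually sees in a bearer token issued to A1), the following Python script is not from the post or from Keycloak; it builds a constructed, unsigned JWT-shaped token with placeholder claims (realm URL, subject, role names and the `A1`/`B1` client ids are all assumptions), measures the size contribution of each client's `resource_access` entry, and performs the audience/expiry/role checks an API would run before handing the claims to its permission logic. Signature verification is assumed to happen in a real JWT library in front of `check_bearer_for_api`.

```python
import base64
import json
import time

# Constructed sample claims modelled on the scenario in the post: token T1
# issued to web client A1 (azp) and presented to API client B1. Every value
# here is illustrative and does not come from any real realm.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example/auth/realms/demo",
    "sub": "f0e1d2c3-constructed-user-id",
    "azp": "A1",
    "aud": ["B1", "account"],
    "exp": 4102444800,  # far-future expiry so the sample stays valid
    "scope": "openid profile",
    "resource_access": {
        # What the "User Client Role" mapper adds: B1's client roles on T1
        "B1": {"roles": [f"scope-role-{i}" for i in range(60)]},
        "account": {"roles": ["manage-account", "view-profile"]},
    },
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Assemble a compact JWT-shaped string with a placeholder signature so
    the on-the-wire size of a claim set can be measured. Not a real token."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = b64url_encode(b"\x00" * 256)  # RS256 with a 2048-bit key: 256-byte signature
    return f"{header}.{payload}.{signature}"


def decode_claims(token: str) -> dict:
    """Decode the payload segment without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    return json.loads(b64url_decode(payload))


def size_budget(claims: dict, limit: int = 4096) -> dict:
    """Report the compact token size against a byte limit and how many bytes
    each client's entry under resource_access contributes to it."""
    total = len(build_unsigned_token(claims))
    per_client = {}
    for client in claims.get("resource_access", {}):
        trimmed = json.loads(json.dumps(claims))  # deep copy
        del trimmed["resource_access"][client]
        per_client[client] = total - len(build_unsigned_token(trimmed))
    return {"total": total, "limit": limit, "over_limit": total > limit,
            "client_role_bytes": per_client}


def check_bearer_for_api(token: str, api_client_id: str, now=None) -> dict:
    """Checks an API (B1 in the post) should make on a bearer token before
    evaluating permissions: not expired, this API is in the audience, and
    which of this API's client roles the token carries. The caller is
    assumed to have already verified the signature against the realm keys."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    reasons = []
    if claims.get("exp", 0) <= now:
        reasons.append("expired")
    if api_client_id not in aud:
        reasons.append("audience mismatch")
    roles = claims.get("resource_access", {}).get(api_client_id, {}).get("roles", [])
    return {"accepted": not reasons, "reasons": reasons,
            "issued_to": claims.get("azp"), "api_roles": roles}


if __name__ == "__main__":
    t1 = build_unsigned_token(SAMPLE_CLAIMS)
    print(json.dumps(size_budget(SAMPLE_CLAIMS), indent=2))
    print(json.dumps(check_bearer_for_api(t1, "B1"), indent=2))
```

Running it shows the bytes that B1's role list alone adds to the token, which is the growth the post attributes to the mapper; the `api_roles` field of the check is exactly the information a role-based decision taken from the token (rather than from the realm database) would have to work with.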

