[keycloak-user] Restricting audience when using service-to-service calls

Matthias O weissbiermuggerl at gmail.com
Mon Mar 11 06:10:28 EDT 2019


Hi,

I have a scenario where I want to allow a client (let's call it C1) to access
a service S1 which in turn needs to call a method in "internal" service S2.
So it looks kind of like this:

C1 -> S1 -> S2

The way I understand it, I would create a client scope for C1 which adds S1
and S2 as an audience to the access token.

However, I don't want C1 to be able to call the S2 services directly. So,
the access token for C1 should actually be restricted only to audience S1.

Is there any way to accomplish that? The token exchange would probably be
one solution, but as it is a technology preview I'm hesitant to use it in
production.

Thanks,
Matthias
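The property the post is after is that a token minted for C1 carries only S1 in its `aud` claim, and that S2 rejects it even if C1 presents it directly. The following Python is an added illustration of that check on the resource-server side; it is not code from the original post or from Keycloak. It signs minimal HS256 JWTs with a constructed shared secret so it runs offline (a real S1/S2 would verify Keycloak's RS256 signature against the realm's JWKS), and it assumes that S1 obtains its own token for calling S2 via a separate credential (shown here by a second `mint_token` call), which is one design alternative to token exchange, not something the post settles on.

```python
"""Audience (`aud`) enforcement for the C1 -> S1 -> S2 chain.

Added example, not code from the original post or from Keycloak.
Tokens are minimal HS256 JWTs signed with a constructed secret so the
example runs offline; the issuer URL and secret are placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example only (hypothetical issuer and secret).
ISSUER = "https://issuer.example/realms/demo"
SECRET = b"example-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, audience: list, ttl: int = 300) -> str:
    """Issue an HS256 JWT whose `aud` lists only the services it may be presented to."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_for_service(token: str, service: str) -> dict:
    """Resource-server check run by S1 or S2 on every request.

    Verifies signature, algorithm, issuer and expiry, then requires that
    `service` appears in `aud`. Returns the claims or raises PermissionError.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, p, s = parts
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise PermissionError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("exp", 0) <= time.time():
        raise PermissionError("expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # `aud` may be a string or a list
    if service not in audiences:
        raise PermissionError(f"token not intended for {service}")
    return claims


def simulate_chain() -> dict:
    """Walk the C1 -> S1 -> S2 call chain and record each audience decision."""
    c1_token = mint_token("C1", ["S1"])          # C1's token names only S1
    s1_accepts_c1 = verify_for_service(c1_token, "S1")["sub"] == "C1"
    try:                                          # C1 trying S2 directly must fail
        verify_for_service(c1_token, "S2")
        s2_rejects_c1 = False
    except PermissionError:
        s2_rejects_c1 = True
    # Assumed design: S1 calls S2 with a token issued to S1 itself (aud S2),
    # e.g. via its own client credentials, rather than forwarding C1's token.
    s1_token = mint_token("S1", ["S2"])
    s2_accepts_s1 = verify_for_service(s1_token, "S2")["sub"] == "S1"
    return {
        "s1_accepts_c1": s1_accepts_c1,
        "s2_rejects_c1": s2_rejects_c1,
        "s2_accepts_s1": s2_accepts_s1,
    }


if __name__ == "__main__":
    print(simulate_chain())
```

The point of `simulate_chain` is that the audience restriction is only as good as the check each service performs: if S2 skipped the `aud` comparison, a C1 token would be accepted there regardless of how the client scope was configured.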
