[keycloak-user] Restricting audience when using service-to-service calls

Stian Thorgersen sthorger at redhat.com
Mon Mar 11 07:52:35 EDT 2019


Depends if you want S1 -> S2 to include the user details. If you do then
your options are:

* Use token exchange
* Allow C1 to invoke S2
* Firewall S2 so C1 can't access it

If you don't then S1 can use a service account to be allowed to invoke S2
without passing on the token from C1.

On Mon, 11 Mar 2019 at 11:19, Matthias O <weissbiermuggerl at gmail.com> wrote:

> Hi,
>
> I have a scenario where I want allow a client (let's call it C1) to access
> a service S1 which in turn needs to call a method in "internal" service S2.
> So it looks kind of like this:
>
> C1 -> S1 -> S2
>
> The way I understand it, I would create a client scope for C1 which adds S1
> and S2 as an audience to the access token.
>
> However, I don't want C1 to be able to call the S2 services directly. So,
> the access token for C1 should actually be restricted only to audience S1.
>
> Is there any way to accomplish that? The token exchange would probably be
> one solution, but as it is a technology preview I'm hesitant to use it in
> production.
>
> Thanks,
> Matthias
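Worked illustration of the reply's second option (S1 calls S2 with its own service-account token and S2 enforces the `aud` claim, so a C1 token scoped to S1 is refused at S2). This is an added example, not code from the thread or from Keycloak; the client ids `s1` and `s2` and the unsigned sample tokens are constructed.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed client ids for the C1 -> S1 -> S2 chain described in the thread.
S1_ID = "s1"
S2_ID = "s2"

def encode_segment(obj: dict) -> str:
    """base64url without padding, as JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed sample token: header.payload.<placeholder signature>."""
    header = encode_segment({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{encode_segment(claims)}.sig"

def jwt_claims(token: str) -> dict:
    """Extract the payload; a real service verifies the signature before trusting it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_allows(claims: dict, self_id: str) -> bool:
    """RFC 7519: aud is a string or a list; a token without aud is rejected."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == self_id
    if isinstance(aud, list):
        return self_id in aud
    return False

def service_account_token_request(client_id: str, client_secret: str) -> str:
    """Form body S1 posts to the realm token endpoint to obtain its own token for S2."""
    return urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})

if __name__ == "__main__":
    c1_token = make_sample_token({"sub": "user-1", "azp": "c1", "aud": S1_ID})
    s1_token = make_sample_token({"sub": "service-account-s1", "azp": S1_ID, "aud": S2_ID})
    print("S1 accepts C1 token:", audience_allows(jwt_claims(c1_token), S1_ID))
    print("S2 rejects C1 token:", not audience_allows(jwt_claims(c1_token), S2_ID))
    print("S2 accepts S1 service token:", audience_allows(jwt_claims(s1_token), S2_ID))
```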
