[keycloak-user] Restricting audience when using service-to-service calls

Matthias O weissbiermuggerl at gmail.com
Mon Mar 11 11:55:54 EDT 2019


Thanks, Stian. That's what I thought. We need the user details and
firewalling is not an option.

Do you have any concerns using the token exchange in a production system?

On Mon, 11 Mar 2019 at 12:52, Stian Thorgersen <
sthorger at redhat.com> wrote:

> Depends if you want S1 -> S2 to include the user details. If you do then
> your options are:
>
> * Use token exchange
> * Allow C1 to invoke S2
> * Firewall S2 so C1 can't access it
>
> If you don't then S1 can use a service account to be allowed to invoke S2
> without passing on the token from C1.
>
> On Mon, 11 Mar 2019 at 11:19, Matthias O <weissbiermuggerl at gmail.com>
> wrote:
>
>> Hi,
>>
>> I have a scenario where I want to allow a client (let's call it C1) to access
>> a service S1 which in turn needs to call a method in "internal" service
>> S2.
>> So it looks kind of like this:
>>
>> C1 -> S1 -> S2
>>
>> The way I understand it, I would create a client scope for C1 which adds
>> S1
>> and S2 as an audience to the access token.
>>
>> However, I don't want C1 to be able to call the S2 services directly. So,
>> the access token for C1 should actually be restricted only to audience S1.
>>
>> Is there any way to accomplish that? The token exchange would probably be
>> one solution, but as it is a technology preview I'm hesitant to use it in
>> production.
>>
>> Thanks,
>> Matthias
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
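The restriction discussed in this thread only holds if S2 itself refuses tokens whose `aud` claim does not name S2: an access token minted for C1 with audience S1 must be rejected at S2 even though its signature is valid, while the token S1 obtains for itself (via token exchange or a service account) is accepted. The following is an added example, not code from the thread or from Keycloak, showing that check in plain Python. It assumes HS256 with a constructed shared secret purely to stay self-contained (Keycloak signs access tokens with RS256 and publishes the verification key), and the service names S1 and S2 are the hypothetical ones from the mails.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. Keycloak signs access tokens with RS256 and publishes the
# public key; HS256 with a shared secret is used here only to keep the file self-contained.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWTs strip before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(audience, subject="alice", secret=DEMO_SECRET, lifetime=300):
    """Constructed stand-in for the issuer: an HS256 JWT carrying the given aud claim.
    audience may be a single string or a list, as RFC 7519 allows."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + lifetime}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_for_service(token, my_service, secret=DEMO_SECRET, now=None):
    """What the resource server (S2) must do before serving a request:
    pin the algorithm, check signature and expiry, then insist that its own
    name is in aud. Returns the payload, or raises ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = payload.get("aud")
    # RFC 7519: aud is either a single string or an array of strings.
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list):
        audiences = aud
    else:
        raise ValueError("aud missing or malformed")
    if my_service not in audiences:
        raise ValueError(f"aud {audiences} does not include {my_service}")
    return payload


def is_accepted(token, my_service, **kw) -> bool:
    try:
        verify_for_service(token, my_service, **kw)
        return True
    except ValueError:
        return False


def forge_audience(token, new_audience):
    """Rewrite aud in the payload without re-signing, to show that S2's signature
    check, not the caller's honesty, is what makes the audience restriction hold."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload["aud"] = new_audience
    return h + "." + b64url_encode(json.dumps(payload).encode()) + "." + s


if __name__ == "__main__":
    c1_token = mint_token("S1")               # what C1 receives: audience S1 only
    broad_token = mint_token(["S1", "S2"])    # the client scope from the first mail: C1 could reach S2
    s1_token = mint_token("S2")               # what S1 obtains for itself (token exchange / service account)
    print("C1 token at S1:", is_accepted(c1_token, "S1"))
    print("C1 token at S2:", is_accepted(c1_token, "S2"))
    print("broad token at S2:", is_accepted(broad_token, "S2"))
    print("S1's own token at S2:", is_accepted(s1_token, "S2"))
    print("forged aud at S2:", is_accepted(forge_audience(c1_token, ["S1", "S2"]), "S2"))
```

Run stand-alone, the script prints True, False, True, True, False in that order: S1 accepts C1's token, S2 refuses it, the broad two-audience token is exactly the exposure the first mail wants to avoid, S1's own token is accepted at S2, and a payload with an edited `aud` fails the signature check. In a Keycloak deployment the audience is put into the token by an audience mapper on the client scope, and the adapter-side equivalent of this check is the `verify-token-audience` option.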

