Added pull request #10761.
Using the Java-built admin-client, we encountered the problem that it is not possible to add a scope to the token request of TokenManager.
Use-case:
We have an IAM administration micro-service in our infrastructure to protect the Keycloak REST API. It also makes the usage transparent to internal services, which might authenticate by other means.
To be able to use different realms, there is a single client in the master realm with the "admin" role. The access of the dedicated Keycloak client instance is then restricted by scopes that have neither the "role" mapper nor the "audience resolver", but dedicated roles and audience mappers for each and every xxx-realm client.
This way the token requested for the administrative client will only get the roles and the audience for the specific client.
Problem:
The admin-client can either accept a token on instantiation, which works fine but would require recreating the instance every time the token expires, or take client credentials to use the TokenManager, which refreshes tokens if needed.
The token of that admin-client is too large when using the "roles" mapper, because all the realm clients' roles would be added to the token, but when scoped, only the one realm client's roles would be available.
So if we could change the method at keycloak/integration/admin-client/src/main/java/org/keycloak/admin/client/token/TokenManager.java (line 77 in 6ebad26) to add a scope to the request.
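The request and the token shape the post describes, as an added example (Python, not the admin-client's own code): it builds the client-credentials form with the `scope` parameter the post asks for and checks a decoded token for exactly one realm client's audience and client roles, so an over-broad "roles mapper" token is caught. The claim names `aud` and `resource_access` are Keycloak's standard token layout; the client names and the sample tokens are constructed.

```python
import base64
import json
from urllib.parse import urlencode


def token_request_body(client_id: str, client_secret: str, scope: str) -> str:
    """Form body for the client-credentials grant against the master realm
    token endpoint; 'scope' selects the per-realm-client scope from the post."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })


def decode_payload(jwt: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature: this only
    inspects what was issued, it must never be used to trust the token."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_scoped_token(claims: dict, expected_client: str) -> list:
    """Least-privilege check: the token must carry only the audience and the
    client roles of the one realm client the request was scoped to."""
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # Keycloak: str or list
    clients = set(claims.get("resource_access", {}))
    problems = []
    if aud != [expected_client]:
        problems.append(f"audience {aud} is not only {expected_client!r}")
    if clients != {expected_client}:
        problems.append(f"client roles present for {sorted(clients)}")
    return problems


def _fake_jwt(claims: dict) -> str:
    # Constructed sample token with a dummy signature, for inspection only.
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"RS256"}'), enc(json.dumps(claims).encode()), "sig"])


SCOPED = _fake_jwt({"aud": "realm-a-client",
                    "resource_access": {"realm-a-client": {"roles": ["manage-users"]}}})
UNSCOPED = _fake_jwt({"aud": ["realm-a-client", "realm-b-client"],
                      "resource_access": {"realm-a-client": {"roles": ["manage-users"]},
                                          "realm-b-client": {"roles": ["manage-users"]}}})
```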