List:       keycloak-dev
Subject:    [keycloak-dev] Control over audience parameter in JWT token
From:       erik.mulder () docdatapayments ! com (Erik Mulder)
Date:       2015-12-31 11:42:43
Message-ID: 9A5619B792BBA041AE094585791BB71C013B9D4BE4AC () DDPEX01 ! DDP ! dcloud ! local
In the JWT token there is a field 'aud', or audience, whose function is to state for which client(s) that token is intended. Currently (TokenManager:433) this is set to the client id:

token.audience(client.getClientId());

This seems fine in general, but we would like to have a token with multiple entries in the audience field. This is possible, and an array value is even claimed to be the 'general case': https://tools.ietf.org/html/rfc7519#section-4.1.3 (where one single value is the 'special case').

Background is that we have a Keycloak running for a login of a frontend that talks to multiple different resource servers. We'd prefer to use one token for all of those resource servers. The resource servers use Spring Security, which explicitly checks that the 'name' you give to your Spring service is matched by (a value of) the audience field of the JWT token. So now we have to give all resource servers the same 'name', which doesn't feel right.

So we need some way to influence the value of the audience field. This could be achieved by following this RFC: https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00 which suggests including a parameter in the request for the token. But that RFC does not consider multiple values for the audience. Another option would be to add an audience field in the settings of a Client in Keycloak, which would, if set, define the audience field of the JWT token. This could be a comma separated string value that would translate to a JSON array. A question about this could be: 'then where to leave the client id?'. As suggested by this: https://stackoverflow.com/questions/32013835/client-id-or-multiple-audiences-in-json-web-token the best place to put the client id is in the 'azp' field (authorized party).

Does the KeyCloak team see this as a valuable addition? Will it be implemented somewhere in the future? Or can we make a pull request ourselves that will be merged?

Thanks, Erik
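The resource-server side of what this message describes, as an added Python example that is not part of the thread, of Keycloak or of Spring Security: it applies the RFC 7519 rule that 'aud' may be a single string or an array, accepts the token only if the server's own name is among the audiences, and reads the issuing client from 'azp'. The HS256 secret, client names and claims are constructed for the demo (Keycloak itself signs with the realm key).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: a real resource server would verify RS256 signatures
# against the Keycloak realm's public key instead of a shared secret.
DEMO_KEY = b"constructed-demo-secret"

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_demo_token(claims: dict) -> str:
    """Build a constructed HS256 JWT so the checker below has input to run on."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def audiences(claims: dict) -> list:
    """RFC 7519 4.1.3: 'aud' is an array in the general case and a bare string
    in the special case; anything else means no audience is accepted."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    return []

def check_token(token: str, my_name: str) -> dict:
    """Verify alg and signature first, then require my_name in 'aud'.
    Returns the accepted audience list and the authorized party ('azp')."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
    expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if my_name not in audiences(claims):
        raise ValueError(f"token not intended for {my_name}: aud={claims.get('aud')!r}")
    return {"aud": audiences(claims), "azp": claims.get("azp")}
```

With a multi-valued 'aud', one token from the frontend login is accepted by each resource server under its own name, while 'azp' still records which client it was issued to.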