6

I have a question regarding Keycloak and obtaining an Access Token.

Our setup is as follows:

  • users are created and maintained in Keycloak
  • resources, policies and permissions are also maintained in Keycloak

Our use case is:

As a third party application, I want to obtain authorization information (e.g. resource- and scope-based permissions) for a specific user by only providing the username to Keycloak, so I can allow or prohibit further actions.

To be more specific: in our application we need to validate each request to other services based on the access token, but we only have the user name.

The question is now:

> How can we obtain an access token for the user by only knowing the username?

> Is there a solution to obtain an access token for such a user?

basith

2 Answers

4

You don't specify in your question if the current user is logged in. Are you validating user specific actions, or you want to retrieve user roles for the application instead?

The user is logged in and he is performing some action

I suppose you're using some Keycloak adapter. Then just retrieve the session object and you should have the extra info somewhere in there.

If not, you can just parse the request yourself. When using OpenID Connect, the access token is always sent with each of the requests, in the Authorization header. The token is base64 encoded; you can decode the token yourself.

The application is performing some action for some registered user, without him logged in

User access tokens are meant to provide permissions for users. As you say in your question: *As a third party application, I want...*, so here you are not acting as a logged-in user but as an application, so you need to go with client credentials instead. Just give the client permissions to list all the users and their roles (probably it's enough with the view-users role, see the link below) and log in with the client credentials grant. Then you can handle fine-grained permissions in your application business logic.

See also:

Aritz
  • This seems very dangerous. You are recommending generating a token for the user that can list all other users. If that ever gets returned to a public client they can possibly use it to call other endpoints that list the users. It seems like a common scenario to need to generate an access token systematically scoped to a user's access. Impersonation is probably the right answer, or a custom Keycloak SPI. – George Jan 21 '23 at 21:39
  • @George, nope. It is a client which logs in with client credentials, not a user. Client credentials are never meant to be handled in a public way, nor in a standard web-flow authentication fashion: https://stackoverflow.com/a/41781426/1199132 – Aritz Jan 21 '23 at 22:07
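The "parse the request yourself" branch of the answer above, as an added Python example that is not code from the page, from the answerer or from Keycloak. It pulls the JWT out of the Authorization header, decodes it, and then does what decoding alone does not: checks the signature, issuer, audience and expiry before reading the `realm_access` / `resource_access` roles Keycloak places in its tokens. The issuer URL, client id, key, user and token contents are constructed assumptions; the signature check is HS256 because that runs with the standard library alone, whereas Keycloak signs with RS256 by default, so a real verifier fetches the realm's JWKS and uses a JWT library for that step.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for the demo: issuer, client and key are made up.
ISSUER = "https://sso.example.com/realms/demo"
CLIENT_ID = "inventory-api"
DEMO_KEY = b"demo-hmac-key-do-not-use-in-production"


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it so the stdlib decoder accepts them.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def bearer_token(authorization_header: str) -> str:
    """Pull the compact JWT out of 'Authorization: Bearer <token>'."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected 'Bearer <token>'")
    return token.strip()


def decode_jwt_unverified(token: str):
    """Decode header and claims WITHOUT checking the signature: fine for
    reading, never sufficient for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def verify_hs256(token: str, key: bytes) -> bool:
    """HMAC-SHA256 over the exact 'header.payload' bytes. For Keycloak's default
    RS256 tokens, replace this with a JWKS-backed check from a JWT library."""
    signing_input, _, signature = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature))


def claim_problems(claims: dict, issuer: str, audience: str, now=None) -> list:
    """Return the reasons the claims must not be trusted (empty list == OK)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        problems.append("audience mismatch")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    return problems


def roles_from_claims(claims: dict, client_id: str):
    # Keycloak puts realm roles in realm_access.roles and per-client roles
    # in resource_access.<client>.roles.
    realm = set(claims.get("realm_access", {}).get("roles", []))
    client = set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return realm, client


def authorize_request(authorization_header, key, issuer, audience, now=None):
    """Full check: extract, verify signature, validate claims, then read roles."""
    token = bearer_token(authorization_header)
    if not verify_hs256(token, key):
        raise PermissionError("bad signature")
    _, claims = decode_jwt_unverified(token)
    problems = claim_problems(claims, issuer, audience, now)
    if problems:
        raise PermissionError("; ".join(problems))
    return claims["preferred_username"], roles_from_claims(claims, audience)


def make_hs256_token(claims: dict, key: bytes) -> str:
    # Fixture only: mints a token the way an HS256-configured issuer would.
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def with_swapped_claims(token: str, **changes) -> str:
    # Re-encodes the payload but keeps the old signature: what "editing the
    # base64" yields. verify_hs256 must reject the result.
    header_seg, _, rest = token.partition(".")
    payload_seg, _, sig_seg = rest.partition(".")
    claims = json.loads(b64url_decode(payload_seg))
    claims.update(changes)
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return ".".join([header_seg, new_payload, sig_seg])


# Constructed token in the shape Keycloak issues (claim names are Keycloak's,
# values are made up); fixed iat/exp keep the checks deterministic.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": "3b2f1c50-0000-4000-8000-000000000001",
    "aud": [CLIENT_ID, "account"], "azp": "web-frontend",
    "iat": 1700000000, "exp": 1700000300, "preferred_username": "jdoe",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {CLIENT_ID: {"roles": ["inventory-reader"]}},
}
SAMPLE_AUTHORIZATION = "Bearer " + make_hs256_token(SAMPLE_CLAIMS, DEMO_KEY)

if __name__ == "__main__":
    user, (realm_roles, client_roles) = authorize_request(
        SAMPLE_AUTHORIZATION, DEMO_KEY, ISSUER, CLIENT_ID, now=1700000100)
    print(user, sorted(realm_roles), sorted(client_roles))
```

The point the comment thread circles around is visible in `authorize_request`: decoding tells you what the token says, only the signature plus issuer/audience/expiry checks tell you whether to believe it, and the roles you then act on are the user's, not a service account's.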
1

For those who really need to impersonate a user from a client, there is a new RFC for this: token exchange.

Keycloak loosely implements it at the time of this answer.

See particularly https://www.keycloak.org/docs/latest/securing_apps/#direct-naked-impersonation

Gab
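The two grant flows the answers describe, the client credentials grant from the first answer and token exchange in its direct naked impersonation form from the second, side by side as an added Python example; it is not code from the page, from either answerer or from Keycloak. The base URL, realm, client id, secret and user name are assumptions, the two responses are constructed, and the endpoint path assumes the current Keycloak layout without the older `/auth` prefix.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def token_endpoint(base_url: str, realm: str) -> str:
    # Assumes the path layout of current Keycloak releases (no /auth prefix).
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def client_credentials_form(client_id: str, client_secret: str) -> dict:
    """First answer's route: the application authenticates as itself. The
    token represents the client's service account, not any user, so whatever
    roles that account holds (e.g. view-users) is what the token can do."""
    return {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}


def direct_impersonation_form(client_id, client_secret, username, audience=None) -> dict:
    """Second answer's route ("direct naked impersonation"): token exchange
    with no subject_token, only the user to impersonate. Keycloak permits this
    only for a confidential client granted the impersonation permission, and
    the resulting token carries that user's roles rather than admin ones."""
    form = {"grant_type": TOKEN_EXCHANGE_GRANT, "client_id": client_id,
            "client_secret": client_secret, "requested_subject": username}
    if audience:
        form["audience"] = audience  # client whose roles the token should carry
    return form


def build_token_request(base_url: str, realm: str, form: dict) -> Request:
    return Request(token_endpoint(base_url, realm), data=urlencode(form).encode(),
                   headers={"Content-Type": "application/x-www-form-urlencoded",
                            "Accept": "application/json"}, method="POST")


def parse_token_response(body: str) -> dict:
    data = json.loads(body)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("not a bearer token response")
    return data


def fetch_token(base_url: str, realm: str, form: dict, timeout: int = 10) -> dict:
    # Network call: run only against a real Keycloak. The body it sends is the
    # one build_token_request produces, which the offline checks inspect.
    with urlopen(build_token_request(base_url, realm, form), timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


# Constructed responses in the shape Keycloak returns (values made up).
SAMPLE_OK = json.dumps({"access_token": "eyJhbGciOiJSUzI1NiJ9.constructed.sig",
                        "expires_in": 300, "token_type": "Bearer",
                        "scope": "email profile"})
SAMPLE_DENIED = json.dumps({"error": "access_denied",
                            "error_description": "Client not allowed to exchange"})

if __name__ == "__main__":
    # Offline: show exactly what goes over the wire for each flow (assumed names).
    for form in (client_credentials_form("backend-service", "s3cr3t"),
                 direct_impersonation_form("backend-service", "s3cr3t", "jdoe",
                                           audience="inventory-api")):
        req = build_token_request("https://sso.example.com", "demo", form)
        print(req.get_method(), req.full_url, req.data.decode())
    print(parse_token_response(SAMPLE_OK)["expires_in"])
```

The difference between the two bodies is the whole argument of the page: `client_credentials` yields a token for the service account and any user data it reads comes through admin REST calls under that account's permissions, while `requested_subject` yields a token that is the user's, scoped the way the user's own login would be, which is what a downstream service expecting a user access token can validate.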