-
Other authorization servers supporting the grant
We could find the following servers supporting the grant:
-
Any feedback on that? Here is another summary of what it is for: Here is the case of how we would use it:
-
I work for MITRE and one of my projects has the need to utilize JWTs as authorization grants much like the use case described above. We have a reference implementation for this feature that we'd like to push up to the community.
In this implementation the existing 'impersonate' permission is utilized to determine if the client is authorized to perform this grant type.
-
@ben95cd Can't we solve this better by building it on top of the token exchange? The mechanics in 7523 look kinda similar to how 8693 works. In fact, the SPI you are proposing is something we need to enable in token exchange so that people can extend the feature without having to base their implementation on top of the default token exchange provider. I don't know, but there is an overlap between the two. For instance, both are based on 7521. 8693 being a more recent standard, don't you think it supersedes 7523?
-
I'm trying to implement https://circleci.com/docs/openid-connect-tokens/ with Keycloak, so that code running in a CI pipeline can exchange a CircleCI token for a JWT impersonating a user or for an auto-generated user matching the metadata in the CircleCI token (which has all the info on git repo, branch etc.). Can this proposal solve that use case too? Or what would be the right way to implement that? Much appreciated!
-
We have a use case where we want to generate a PDF by visiting a webpage with Puppeteer from within an API. To be able to do this, Puppeteer must be authorized for the given page. We want to reuse the session / token of the user that requests the PDF. Will this RFC address such a use case? Or are there alternative methods of solving this issue? Thank you!
-
Hi, I have a use case where I need to be able to support both client credentials and the JWT Bearer Authorization grant. However, this is not yet implemented, I believe? JWT Bearer assertion (authentication) does not cover our needs. Thank you!
-
Summary
Keycloak supports "Using JWTs for Client Authentication" from RFC 7523.
The same RFC also defines "Using JWTs as Authorization Grants":
When this is supported, the client can use grant_type urn:ietf:params:oauth:grant-type:jwt-bearer. The client sends a JWT token as assertion and may request a specific OAuth scope. The JWT token contains the sub claim, which specifies the user for the resulting access token.
In this discussion we would like to receive feedback on the idea to support this grant at Keycloak and also on the options for how it could be supported.
Option 1: Generic support
Use case: Trust a client application to handle user authentication
The grant is useful if user authentication should be handled completely by a client instead of the authorization server. The client can issue the tokens on its own and get an access token for any user.
Possible implementation at Keycloak:
Support at Keycloak requires configuration of a trusted issuer and its public key or public key JWKS endpoint. The JWT bearer grant would be enabled at a client by configuring a set of trusted issuer configurations.
Benefits:
Option 2: Support for OIDC ID tokens of configured Identity providers
Use case: Allow silent authorization by accepting OpenID Connect ID tokens
In this use case a client wants to use a valid OpenID Connect ID token to prove user authentication, without the need for any user interaction like login or consent.
The client can not just get an access token for any user. It needs to obtain an ID token through regular OIDC login.
Possible implementation at Keycloak:
Keycloak already has OIDC IdP configurations for identity brokering. The JWT bearer grant would be enabled at a client by configuring a set of Keycloak OIDC IdPs. Such a client can then use a valid IdP ID token from one of these IdPs to get an access token for a user.
Benefits:
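The grant flow described in this summary, with the Option 1 trust model (a per-client set of trusted issuers), as an added worked example; it is not Keycloak code and not part of the original post. It shows both sides: the client mints a JWT naming the user in sub and POSTs it as assertion with grant_type urn:ietf:params:oauth:grant-type:jwt-bearer and an optional scope, and the authorization server runs the checks RFC 7523 section 3 requires (trusted iss, signature, aud, exp, sub present) before deciding which user the access token is issued for. The issuer URL, realm audience, key and user name are constructed, and HS256 with a shared key stands in for the public-key or JWKS signature verification the summary describes, so the block runs with the standard library only.

```python
"""RFC 7523 section 2.1: JWT used as an authorization grant (added example).

Not Keycloak code. HS256 with a shared key (assumption) stands in for the
public-key / JWKS check a trusted-issuer configuration would perform.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Constructed audience value for the example realm (assumption, not a real host).
REALM_AUDIENCE = "https://keycloak.example.invalid/realms/demo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(issuer: str, key: bytes, sub: str, audience: str,
                   lifetime: int = 300, now: Optional[int] = None) -> str:
    """Client side: a trusted issuer mints a short-lived JWT for user `sub`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": sub, "aud": audience, "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_token_request(assertion: str, scope: Optional[str] = None) -> str:
    """Form body the client POSTs to the token endpoint."""
    params = {"grant_type": JWT_BEARER, "assertion": assertion}
    if scope:
        params["scope"] = scope
    return urlencode(params)


class GrantError(Exception):
    """Carries the OAuth error the token endpoint would answer with."""


def verify_jwt_bearer_grant(form_body: str, trusted_issuers: Dict[str, bytes],
                            expected_audience: str, now: Optional[int] = None) -> dict:
    """Authorization-server side. `trusted_issuers` maps iss -> verification key,
    i.e. the per-client set of trusted issuer configurations from Option 1.
    Returns the user (from sub) and requested scope to issue the access token for.
    """
    now = int(time.time()) if now is None else now
    params = dict(parse_qsl(form_body))
    if params.get("grant_type") != JWT_BEARER:
        raise GrantError("unsupported_grant_type")
    assertion = params.get("assertion")
    if not assertion:
        raise GrantError("invalid_request: assertion parameter missing")
    try:
        h, c, s = assertion.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
        sig = _b64url_decode(s)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError
    except ValueError:
        raise GrantError("invalid_grant: malformed assertion") from None
    # Only an issuer this client was configured to trust may mint grants.
    key = trusted_issuers.get(claims.get("iss"))
    if key is None:
        raise GrantError("invalid_grant: issuer not trusted for this client")
    # Pin the algorithm to the issuer configuration; this also rejects alg=none.
    if header.get("alg") != "HS256":
        raise GrantError("invalid_grant: unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise GrantError("invalid_grant: signature check failed")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise GrantError("invalid_grant: audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise GrantError("invalid_grant: assertion expired or exp missing")
    if not claims.get("sub"):
        raise GrantError("invalid_grant: sub claim missing")
    # The sub claim decides which user the resulting access token is for.
    return {"sub": claims["sub"], "scope": params.get("scope")}


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed; a real issuer would use a key pair
    issuer = "https://trusted-app.example"  # constructed issuer value
    body = build_token_request(mint_assertion(issuer, key, "alice", REALM_AUDIENCE), "openid")
    print(verify_jwt_bearer_grant(body, {issuer: key}, REALM_AUDIENCE))
```

The audience check is what keeps an assertion minted for one realm from being replayed against another, and the issuer lookup happens before any signature work so that the per-client trust configuration, not the token's own header, decides which key and algorithm apply.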