Bearer client of keycloak with client secret - oauth-2.0

Keycloak has 3 different clients: public, confidential and bearer.
I understand that bearer clients cannot obtain tokens and are mainly used for verification. But what confuses me is that in Keycloak a bearer client can have a client secret; in which possible scenario can the client secret of a bearer client be used?

Related

Use Keycloak as multi provider for token validation

I’d like to have 2 identity providers, e.g.:
Keycloak will be my main provider (some users will be here)
An external provider will be my second provider (I’ll receive the bearer token directly)
In the future I could have more external providers.
So the idea is:
The resource server (Spring Security 5 resource-server) will receive the Bearer Token; sometimes it is a Keycloak token, sometimes an external token.
Is it possible to delegate every token to Keycloak so that it discovers which the provider is and validates against it?
```
Bearer Token from Keycloak: 1234
Bearer Token from external provider: 5678
Client (sends Bearer 1234) -> Resource Server (Spring Boot MS) -> Keycloak -> Valid Token
Client (sends Bearer 5678) -> Resource Server (Spring Boot MS) -> Keycloak -> Valid Token in External Provider
```
Thanks in advance

Difference between jwt-bearer and token-exchange grant types

What are the main differences between the grant types "urn:ietf:params:oauth:grant-type:jwt-bearer" (https://www.rfc-editor.org/rfc/rfc7523) and "urn:ietf:params:oauth:grant-type:token-exchange" (https://www.rfc-editor.org/rfc/rfc8693)?
"urn:ietf:params:oauth:grant-type:jwt-bearer" is a URN defined as a JWT Bearer Token by the OAuth 2.0 Authorization server (uses the OAuth 2.0 Authorization grant type).
"urn:ietf:params:oauth:grant-type:token-exchange" is a URN defined as a JWT Bearer Token by the OAuth 2.0 Authorization server (uses the OAuth 2.0 Token Exchange grant type).
Notes:
jwt-bearer means whoever bears the JWT token shall be given access to the requested resource.
token-exchange is basically used for user impersonation and delegation purposes. It is typically used by a support person who exchanges his/her JWT bearer token to impersonate an end-user and request the end-user's resource to help with live debugging of an issue, or to exchange a given token for another JWT bearer token for downstream systems.

Refresh token with Keycloak

I use [JWT for Client Authentication][1] in [Keycloak][2]:
```
POST /token.oauth2 HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=vAZEIHjQTHuGgaSvyW9hO0RpusLzkvTOww3trZBxZpo&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A
client-assertion-type%3Ajwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiJ9.
eyJpc3Mi[...omitted for brevity...].
cC4hiUPo[...omitted for brevity...]
```
I get:
```
access_token
refresh_token
token_type
expires_in
```
When I try to refresh the token I send the refresh_token itself with grant type refresh_token and get:
```json
{
"error": "unauthorized_client",
"error_description": "INVALID_CREDENTIALS: Invalid client credentials"
}
```
When I specify `client_id` I get:
```json
{
"error": "invalid_client",
"error_description": "Parameter client_assertion_type is missing"
}
```
If I specify `client_assertion_type` I get an error that `client_assertion` itself is missing, so I literally have to provide the parameters I provided when I retrieved the access token.
How should that refreshing process actually work?
[1]: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-12#section-2.2
[2]: https://www.keycloak.org
This could very well be a limitation or policy defined by Keycloak. RFC 7523 (JWT for Client Authentication) does allow enabling client credentials when JWT authentication is present. This is highlighted in 3.1. Authorization Grant Processing:
```
JWT authorization grants may be used with or without client
authentication or identification. Whether or not client
authentication is needed in conjunction with a JWT authorization
grant, as well as the supported types of client authentication, are
policy decisions at the discretion of the authorization server.
However, if client credentials are present in the request, the
authorization server MUST validate them.
```
So even if Keycloak supports JWT client authentication, it may still require client credentials to be present in the refresh token request. But also, it could be a limitation on their end.
Additionally, token refresh is defined in RFC 6749 - The OAuth 2.0 Authorization Framework. According to its section 6, the refresh token request must contain client credentials when the client is a confidential client (simply a client which was created with an id and a password). If what you have seen is not a limitation, then I guess Keycloak adheres to RFC 6749 and requires you to send client credentials in the token refresh request.
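The behaviour discussed in this thread, as an added example that is not part of the question, the answer or Keycloak itself: a confidential client authenticates on every call to the token endpoint, so a `grant_type=refresh_token` request carries the same `client_assertion_type` and a freshly built `client_assertion` as the original `authorization_code` request. The code assumes the client is registered with Keycloak's "signed JWT with client secret" authenticator (HS256 over the client secret; RFC 7523 equally allows RS256 with a private key, which this example does not cover). The client id, secret, realm host and refresh token are constructed sample values; the `/realms/<realm>/protocol/openid-connect/token` path is Keycloak's standard token endpoint. The verification half shows what the authorization server checks: signature, `aud` naming its own token endpoint, and expiry.

```python
"""Refresh-token request with RFC 7523 section 2.2 client authentication.
Added example; not code from the question, the answer or Keycloak.
Assumption: HS256 client assertion (Keycloak "signed JWT with client secret")."""
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import parse_qs, urlencode

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Constructed sample values; only the URL path is Keycloak's real token endpoint layout.
TOKEN_ENDPOINT = "https://sso.example.com/realms/demo/protocol/openid-connect/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(client_id, client_secret, token_endpoint, now=None, lifetime=60):
    """RFC 7523 client-authentication JWT: iss and sub are the client id, aud is the
    token endpoint, jti is unique so the server can refuse a replayed assertion."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def refresh_request_body(refresh_token, client_id, client_secret, token_endpoint, now=None):
    """Form body for the refresh call.  RFC 6749 section 6 requires a confidential
    client to authenticate here too, so the assertion parameters are repeated."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": make_client_assertion(client_id, client_secret, token_endpoint, now),
    })


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def verify_client_assertion(assertion, client_secret, expected_aud, now=None):
    """Authorization-server side: pin the algorithm, check the MAC in constant time,
    then require aud to name this endpoint and exp to be in the future."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, c, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose the algorithm
    expected = hmac.new(client_secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("aud") != expected_aud:
        raise ValueError("aud does not name this token endpoint")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    return claims


if __name__ == "__main__":
    body = refresh_request_body("sample-refresh-token", "my-client", "s3cr3t", TOKEN_ENDPOINT)
    print(body)
    print(verify_client_assertion(parse_form(body)["client_assertion"], "s3cr3t", TOKEN_ENDPOINT))
```

The refresh body is what the question's second and third error messages are asking for: `client_id` alone is not client authentication for a client configured for signed JWTs, so the server looks for the assertion parameters and reports whichever one is missing. Because `jti` and `exp` are fresh on every call, the assertion cannot be copied from the earlier `authorization_code` request; it has to be re-signed.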

OAUTH API testing with Jmeter

I need to test an OAUTH 1.0 API with JMeter.
Can anyone please guide me on how to test OAUTH 1.0 APIs with JMeter?
We are passing 4 static keys: Consumer Key, Consumer Secret, Token and Token Secret.
Where do I need to pass these values?
You need to pass the Consumer Key and Consumer Secret to the OAuth Temporary Credentials Acquisition endpoint; you will get the OAuth Token and Token Secret in the response.
Once done you need to pass the aforementioned OAuth Token and Token Secret to the Authorization Endpoint; you will get the Access Token.
Add an HTTP Header Manager as a child of the request and configure it like:
Name: `Authorization`
Value: `Bearer ${Access Token from Step 2}`
You might also need to sign the requests by encrypting the message with one of the following mechanisms:
HMAC-SHA1
RSA-SHA1
or, if you are lucky, your server will accept plain text requests (unlikely).
References:
OAuth Authorization Flow
OAuth Core 1.0
How to Run Performance Tests on OAuth Secured Apps with JMeter
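The signing step the answer lists ("HMAC-SHA1"), as an added example that is not part of the answer and is not JMeter's or any OAuth library's code: it builds the RFC 5849 signature base string (section 3.4.1), derives the HMAC-SHA1 signature with the consumer secret and token secret as the key (section 3.4.2), and emits the `Authorization: OAuth ...` header. The method, URL, body and `oauth_*` values are taken from the worked example in RFC 5849 section 3.4.1.1 so the base string can be compared against the RFC; the two secrets are constructed sample values, and the RFC's printed signature is therefore not reproduced. A verification function shows the resource-server side, which rebuilds the base string from the received header and compares in constant time.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and verification (RFC 5849 section 3.4).
Added example; not code from the answer, JMeter or any OAuth library.
Request inputs follow the RFC 5849 section 3.4.1.1 example; secrets are sample values."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value) -> str:
    """Section 3.6 percent-encoding: only ALPHA / DIGIT / - . _ ~ pass through, uppercase hex."""
    return quote(str(value), safe="-._~")


def base_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme and host, drop the default port and the query."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme.lower())
    port = "" if u.port in (None, default) else f":{u.port}"
    return f"{u.scheme.lower()}://{u.hostname.lower()}{port}{u.path}"


def normalized_params(params) -> str:
    """Section 3.4.1.3: encode names and values, sort by name then value, join with & and =."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, oauth_params, body_params=()):
    """Section 3.4.1.1.  oauth_params must not contain oauth_signature or realm."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = list(query) + list(body_params) + list(oauth_params.items())
    return "&".join([method.upper(), pct(base_uri(url)), pct(normalized_params(params))])


def hmac_sha1_signature(base, consumer_secret, token_secret) -> str:
    """Section 3.4.2: key is encoded consumer secret & encoded token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, timestamp=None, nonce=None):
    """Client side: returns (Authorization header value, base string)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    base = signature_base_string(method, url, oauth, body_params)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())
    return header, base


def verify_signature(method, url, body_params, auth_header, consumer_secret, token_secret) -> bool:
    """Server side: parse the header, rebuild the base string, compare in constant time.
    Timestamp/nonce replay checks are a separate step not shown here."""
    params = {}
    for part in auth_header[len("OAuth "):].split(","):
        k, v = part.strip().split("=", 1)
        params[k] = unquote(v.strip('"'))
    received = params.pop("oauth_signature", "")
    params.pop("realm", None)
    base = signature_base_string(method, url, params, body_params)
    return hmac.compare_digest(received, hmac_sha1_signature(base, consumer_secret, token_secret))


# Request from RFC 5849 section 3.4.1.1; the two secrets below are constructed sample values.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = [("c2", ""), ("a3", "2 q")]
SAMPLE_CONSUMER_SECRET = "sample-consumer-secret"
SAMPLE_TOKEN_SECRET = "sample-token-secret"

if __name__ == "__main__":
    header, base = sign_request("POST", RFC_URL, RFC_BODY, "9djdj82h48djs9d2", SAMPLE_CONSUMER_SECRET,
                                "kkk9d7dh3k39sjv7", SAMPLE_TOKEN_SECRET, timestamp=137131201, nonce="7d8f3e4a")
    print(base)
    print(header)
```

In a JMeter plan the header value would be produced per sampler (a JSR223 PreProcessor with equivalent logic) because the timestamp and nonce change on every request; a static `Authorization` header only works for the plaintext method the answer calls unlikely.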

WSO2 JWT Exchange with OAuth2 Access Token

I have questions.
Does WSO2 support something similar to:
https://docs.wso2.com/display/AM190/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
using JWT instead of SAML?
Is it possible to achieve it using Facebook/Google as Federated identity provider?
And another one:
Can we use JWT token instead of OAuth2 Access Token in WSO2 Api Manager to authorize incoming requests?
Thanks
Does WSO2 support something similar to:
https://docs.wso2.com/display/AM190/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
using JWT instead of SAML?
Yes, it does. We have the JWT Bearer Grant implementation for this. The idea behind the JWT Grant is that a signed JWT valid according to [1], issued by a trusted IDP, can be exchanged for an access_token. Follow [2] to try out the JWT Bearer Grant.
Facebook and Google do issue JWTs in the form of an id_token. But there's a problem with using those id_tokens as a JWT Bearer Grant at the moment. According to the spec [1], the JWT Bearer Grant must contain some value in the 'aud' claim to let the entity that validates the bearer grant know that it was intended for them. At present we cannot do this with any OpenID Connect provider, i.e. there is no standard way to request that an OIDC provider give us a token that we can use at identity provider 'X'.
Can we use a JWT token instead of an OAuth2 Access Token in WSO2 API Manager to authorize incoming requests?
AFAIK, this is not possible out of the box. One solution would be to use the JWT to get an access token using the JWT Bearer grant type, and then use the access_token with APIM.
[1] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-12#section-3
[2] https://docs.wso2.com/display/ISCONNECTORS/JWT+Grant+Type+for+OAuth2