Labels: kind/feature, status/triage, team/core-clients
Description
Authorization grants open up many use-cases by allowing applications that hold tokens issued by a third party to obtain access tokens issued by Keycloak.
Example use-cases include:
- Applications that authenticate with an external IdP can access resources secured by Keycloak
- Applications secured by Keycloak can access resources secured by an external IdP
- SaaS solutions can also provide access to resources through federation with an external IdP
A simplified view of the flow involved:

```mermaid
---
config:
  mirrorActors: false
---
sequenceDiagram
    box Domain A
    participant C as Client
    participant TS as Token Service
    participant KC as Keycloak
    participant RS as REST API
    end
    C->>TS: Request assertion
    TS->>C: Assertion
    C->>KC: Token request, with assertion
    KC->>C: Token response
    C->>RS: Request with token
```
Value Proposition
Enables various cross-application or cross-security domain use-cases
Goals
- Provide a trust relationship with external IdPs and STS services through identity providers
- Support JSON Web Token Profile for OAuth 2.0 Client Authentication and Authorization Grants
- Allow security policies to be defined at the trust relationship to control what users, clients, audiences, scopes, and roles are permitted
- Allow clients to use assertions issued by a trusted provider to obtain access tokens issued by Keycloak
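The exchange in the diagram above and the trust-policy goal, worked through as an added Python example (this is illustrative code, not Keycloak's implementation). It assumes constructed endpoint and issuer values, an HS256 shared secret standing in for the asymmetric key a real trust relationship would verify against the provider's published keys, and hypothetical policy fields `allowed_clients` and `allowed_scopes` for the "what clients and scopes are permitted" checks.

```python
"""Added example (not Keycloak's code): an RFC 7523 JWT bearer assertion
exchange reduced to its essentials, with the trust-policy checks the token
service should apply before issuing its own access token."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type

# Constructed sample values for the demo. A real trust relationship verifies an
# asymmetric signature (e.g. RS256) against the external provider's JWKS rather
# than an HMAC over a shared secret; the policy fields below are hypothetical.
TOKEN_ENDPOINT = "https://keycloak.example/realms/a/protocol/openid-connect/token"
TRUSTED_ISSUER = "https://sts.example"
SHARED_SECRET = b"constructed-demo-secret"
TRUST_POLICY = {
    "issuer": TRUSTED_ISSUER,
    "secret": SHARED_SECRET,
    "allowed_clients": {"app-a"},             # clients permitted to use the grant
    "allowed_scopes": {"openid", "profile"},  # scopes the policy lets through
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_assertion(claims: dict, secret: bytes) -> str:
    """Token service side: mint an HS256-signed assertion (demo algorithm)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def build_token_request(assertion: str, client_id: str, scope: str) -> str:
    """Client side: form body of the token request carrying the assertion."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion,
                      "client_id": client_id, "scope": scope})


def verify_assertion(assertion: str, policy: dict, now: float) -> dict:
    """Keycloak side: RFC 7523 section 3 checks against the trust relationship.
    Raises ValueError on the first failure, returns the claims otherwise."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, b, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or a surprise
    expected = hmac.new(policy["secret"], f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != policy["issuer"]:
        raise ValueError("untrusted issuer")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience is not this token endpoint")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("assertion expired or has no exp")
    return claims


def handle_token_request(form_body: str, policy: dict, now=None) -> dict:
    """Keycloak side: parse the request, verify the assertion, apply the policy
    to the client and requested scopes, and return a stub token response."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != JWT_BEARER:
        raise ValueError("unsupported_grant_type")
    claims = verify_assertion(form.get("assertion", ""), policy, now)
    if form.get("client_id") not in policy["allowed_clients"]:
        raise ValueError("client not permitted by trust policy")
    requested = set(form.get("scope", "").split())
    if not requested <= policy["allowed_scopes"]:
        raise ValueError("invalid_scope")
    # A real server mints and signs its own access token at this point.
    return {"token_type": "Bearer", "sub": claims["sub"],
            "scope": " ".join(sorted(requested))}


if __name__ == "__main__":
    ts = int(time.time())
    good = sign_assertion({"iss": TRUSTED_ISSUER, "sub": "alice", "aud": TOKEN_ENDPOINT,
                           "iat": ts, "exp": ts + 300}, SHARED_SECRET)
    print(handle_token_request(build_token_request(good, "app-a", "openid"), TRUST_POLICY))
```

The order of checks matters for the policy: the signature and issuer are verified before any claim is trusted, the audience check stops an assertion minted for a different token endpoint from being replayed here, and the client and scope checks are where the per-trust-relationship rules from the goals list apply.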
Non-Goals
- Support Security Assertion Markup Language 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants - this is out of scope for now
J0hnG4lt