Should Kerberos Credential delegation be deprecated? #44062

@ahus1

Description

This functionality is described here: https://www.keycloak.org/docs/latest/server_admin/index.html#credential-delegation

It is documented with some warnings, although they are not very specific:

Credential delegation has security implications, so use it only if necessary and only with HTTPS.

Value Proposition

Simplifying the KC code base, and using safe-by-default features. The feature as we offer it today is only available to Java applications.

Not sure if such a feature is still in use today, and by how many.

Goals

  • Deprecate the functionality
  • Later remove the functionality

Non-Goals

  • Kerberos as such should still be supported

Discussion

No response

Notes

It seems that forwardable vs. non-forwardable tokens (delegation) is something that is common for Kerberos, but my knowledge of it is limited.

I might be missing something here, and maybe it is both safe and commonly used. If this is the case, then please disregard.
