Description
With many realms, access tokens for the master realm become very large. In addition, when a new realm is created, the new realm's roles will not be in the token, so a new token has to be obtained after the realm is created.
For admin-cli and security-admin-console there is a work-around for the above: instead of checking the roles in the token for these clients, the user and the client scope are checked directly. However, this solution only applies to those two clients and is not available to other applications.
A proper solution to this issue would be to support lightweight access tokens (where the roles are not added to the token) when invoking the Admin REST APIs. This should be done by introspecting the token to obtain the effective roles for that token (taking any scopes into account).
It would also be important to check the audience when using lightweight access tokens, to make sure the token is indeed intended to be used to invoke the Admin REST APIs.
An additional nice-to-have as part of this would be to remove the current work-around for admin-cli and security-admin-console and use lightweight access tokens for them as well.
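As an added illustration of the proposed authorization flow (not code from this issue or from Keycloak itself): the Admin REST API would take the caller's roles from an introspection result rather than from claims embedded in the lightweight token, and reject the call before any role check when the audience does not name the Admin REST API. The audience value `admin-rest-api`, the `client/role` naming and the three introspection responses are constructed for the example; `realm-management` and its `manage-users`/`view-users` roles follow Keycloak's existing naming.

```python
import json

# Assumed audience value the Admin REST API would expect (hypothetical name).
ADMIN_API_AUDIENCE = "admin-rest-api"
# Keycloak client whose client roles carry admin permissions (e.g. manage-users).
REALM_MGMT_CLIENT = "realm-management"

# Constructed RFC 7662-style introspection responses for three lightweight tokens.
INTROSPECT_OK = json.dumps({
    "active": True,
    "aud": ["admin-rest-api", "account"],
    "realm_access": {"roles": ["default-roles-master"]},
    "resource_access": {"realm-management": {"roles": ["view-users", "manage-users"]}},
})
INTROSPECT_WRONG_AUD = json.dumps({
    "active": True,
    "aud": "account",  # aud may also be a single string; not meant for the Admin API
    "resource_access": {"realm-management": {"roles": ["manage-users"]}},
})
INTROSPECT_INACTIVE = json.dumps({"active": False})


def effective_roles(data):
    """Flatten realm roles and client roles ("client/role") from an introspection result."""
    roles = set(data.get("realm_access", {}).get("roles", []))
    for client, access in data.get("resource_access", {}).items():
        roles.update(f"{client}/{r}" for r in access.get("roles", []))
    return roles


def authorize_admin_call(introspection_json, required_role):
    """Return (allowed, reason). Audience is checked before roles; roles come only from introspection."""
    data = json.loads(introspection_json)
    if not data.get("active"):
        return False, "token inactive"
    aud = data.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if ADMIN_API_AUDIENCE not in aud:
        return False, "token not intended for the Admin REST API"
    if required_role not in effective_roles(data):
        return False, f"missing role {required_role}"
    return True, "ok"


if __name__ == "__main__":
    for name, tok in [("ok", INTROSPECT_OK), ("wrong aud", INTROSPECT_WRONG_AUD), ("inactive", INTROSPECT_INACTIVE)]:
        print(name, authorize_admin_call(tok, f"{REALM_MGMT_CLIENT}/manage-users"))
```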
Discussion
No response
Motivation
No response
Details
No response