Replies: 1 comment
Another relevant spec might be transaction tokens: https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/ We are looking into possibly deploying this standard. It is exactly suited to external-internal exchanges. It is designed for the case you mention in the beginning of the document: a gateway receives an external request and authenticates utilizing trust established with some external trust domain(s). Then, it issues an internal token. Except instead of an access token, which is typically relatively broadly scoped and longer lived, it issues a "transaction token" which is specifically scoped to a single transaction. It is also designed to be passed along a call chain intentionally, whereas with access tokens this is kind of an abuse of bearer tokens and doesn't work with sender-constrained tokens. It's an interesting spec! We are trying to figure out if we should use it, and what should issue the token? Keycloak is one option we are wondering about.
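To make the gateway pattern described in the comment above concrete, here is an added illustration that is not code from this discussion, from Keycloak, or from the draft: a gateway validates an inbound external token and mints a short-lived token bound to one transaction (fresh `txn` id, a `purp` purpose, tight audience and expiry) instead of forwarding the broad access token, and an internal service checks that binding. The claim names `txn` and `purp` loosely follow the draft's vocabulary; the HMAC keys, issuer/audience strings and the compact `body.sig` encoding are assumptions made for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo keys. EXTERNAL_KEY stands in for the trust the gateway has
# with the external domain; INTERNAL_KEY is shared only with internal services.
# A real deployment would use asymmetric keys published by each issuer.
EXTERNAL_KEY = b"constructed-external-domain-key"
INTERNAL_KEY = b"constructed-internal-domain-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload: dict, key: bytes) -> str:
    # Compact "body.signature" token; a toy stand-in for a JWS.
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def _verify(token: str, key: bytes) -> dict:
    body, sig = token.split(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= time.time():
        raise ValueError("expired")
    return claims

# Constructed sample: a broadly scoped, long-lived external access token for "alice".
SAMPLE_EXTERNAL_TOKEN = _sign({"iss": "idp.example", "sub": "alice",
                               "scope": "accounts payments admin",
                               "exp": int(time.time()) + 3600}, EXTERNAL_KEY)

def gateway_issue_txn_token(external_token: str, purpose: str, ttl: int = 30) -> str:
    """Validate the external token, then issue a transaction token scoped to this
    one request: new txn id, single purpose, internal audience, seconds of lifetime."""
    ext = _verify(external_token, EXTERNAL_KEY)
    now = int(time.time())
    return _sign({"iss": "gateway.internal", "aud": "internal-services",
                  "sub": ext["sub"], "txn": secrets.token_hex(8), "purp": purpose,
                  "iat": now, "exp": now + ttl}, INTERNAL_KEY)

def service_accept(txn_token: str, expected_purpose: str) -> dict:
    """Downstream service check: internal signature, audience and purpose must match.
    A forwarded external access token fails here because it carries no internal MAC."""
    claims = _verify(txn_token, INTERNAL_KEY)
    if claims["aud"] != "internal-services" or claims["purp"] != expected_purpose:
        raise ValueError("transaction token not valid for this call")
    return claims
```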
In Keycloak 26.2, there is support added for standard token exchange for exchanging an internal Keycloak token for another internal Keycloak token.
We want to follow with additional use-cases. The external-internal is a possible next step, which is widely used by the Keycloak community and hence we want to continue with this one and possibly make it supported. Started the Google doc with some details for supporting external-internal token exchange here: https://docs.google.com/document/d/1hmUpMfvAwyRBvUhCD01IEGNjx1yIh9a8FpGCQlmrOno/edit?tab=t.0#heading=h.6cy1y354szys Feedback welcome! Feel free to comment in the Google document or in this discussion.