How can I force Keycloak to use an Authorization header when connecting to an identity provider's token...
I've configured Keycloak as an identity broker, connecting to a custom OIDC provider that I've created. During the authorization_code flow, Keycloak calls the authorization endpoint to get the code. It then calls the token endpoint of my custom OIDC provider to exchange the code for an auth token.
I observe that Keycloak passes the client_id and client_secret as parameters in the request body, instead of as a Basic Authorization header. I do not want to change the security configuration on my token endpoint. Is there a way to cause Keycloak to send token requests to IdPs using the Auth header?
Relevant Keycloak code appears to be in AbstractOAuth2IdentityProvider's generateTokenRequest method. This hard-codes the client-id and client-secret to be passed as params in the request body.
According to the OIDC specification, client_secret_basic is the default. I'd be surprised if this is not supported by Keycloak; I just can't seem to figure out how to configure it.
oauth-2.0 openid-connect keycloak oidc
add a comment |
I've configured Keycloak as an identity broker, connecting to a custom OIDC provider that I've created. During the authorization_code flow, Keycloak calls the authorization endpoint to get the code. It then calls the token endpoint of my custom OIDC provider to exchange the code for an auth token.
I observe that Keycloak passes the client_id and client_secret as parameters in the request body, instead of as a Basic Authorization header. I do not want to change the security configuration on my token endpoint. Is there a way to cause Keycloak to send token requests to IdPs using the Auth header?
Relevant Keycloak code appears to be in AbstractOAuth2IdentityProvider's generateTokenRequest method. This hard-codes the client-id and client-secret to be passed as params in the request body.
According to the OIDC specification, client_secret_basic is the default. I'd be surprised if this is not supported by Keycloak; I just can't seem to figure out how to configure it.
oauth-2.0 openid-connect keycloak oidc
add a comment |
I've configured Keycloak as an identity broker, connecting to a custom OIDC provider that I've created. During the authorization_code flow, Keycloak calls the authorization endpoint to get the code. It then calls the token endpoint of my custom OIDC provider to exchange the code for an auth token.
I observe that Keycloak passes the client_id and client_secret as parameters in the request body, instead of as a Basic Authorization header. I do not want to change the security configuration on my token endpoint. Is there a way to cause Keycloak to send token requests to IdPs using the Auth header?
Relevant Keycloak code appears to be in AbstractOAuth2IdentityProvider's generateTokenRequest method. This hard-codes the client-id and client-secret to be passed as params in the request body.
According to the OIDC specification, client_secret_basic is the default. I'd be surprised if this is not supported by Keycloak; I just can't seem to figure out how to configure it.
oauth-2.0 openid-connect keycloak oidc
I've configured Keycloak as an identity broker, connecting to a custom OIDC provider that I've created. During the authorization_code flow, Keycloak calls the authorization endpoint to get the code. It then calls the token endpoint of my custom OIDC provider to exchange the code for an auth token.
I observe that Keycloak passes the client_id and client_secret as parameters in the request body, instead of as a Basic Authorization header. I do not want to change the security configuration on my token endpoint. Is there a way to cause Keycloak to send token requests to IdPs using the Auth header?
Relevant Keycloak code appears to be in AbstractOAuth2IdentityProvider's generateTokenRequest method. This hard-codes the client-id and client-secret to be passed as params in the request body.
According to the OIDC specification, client_secret_basic is the default. I'd be surprised if this is not supported by Keycloak; I just can't seem to figure out how to configure it.
oauth-2.0 openid-connect keycloak oidc
oauth-2.0 openid-connect keycloak oidc
asked Nov 22 '18 at 23:52
MarkMark
1,3941227
1,3941227
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Unfortunately, this feature is not implemented.
Feature request: https://issues.jboss.org/browse/KEYCLOAK-5956
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53439204%2fhow-can-i-force-keycloak-to-use-an-authorization-header-when-connecting-to-an-id%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Unfortunately, this feature is not implemented.
Feature request: https://issues.jboss.org/browse/KEYCLOAK-5956
add a comment |
Unfortunately, this feature is not implemented.
Feature request: https://issues.jboss.org/browse/KEYCLOAK-5956
add a comment |
Unfortunately, this feature is not implemented.
Feature request: https://issues.jboss.org/browse/KEYCLOAK-5956
Unfortunately, this feature is not implemented.
Feature request: https://issues.jboss.org/browse/KEYCLOAK-5956
answered Dec 1 '18 at 21:41
Jan GarajJan Garaj
2,872620
2,872620
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53439204%2fhow-can-i-force-keycloak-to-use-an-authorization-header-when-connecting-to-an-id%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown