Hi, sorry for the clickbait title , but I’m curious about this…
Keycloak is obviously defined as both authn and authz server, oauth and OIDC.
Keycloak is obviously a fully-fledged authentication server, OIDC.
However there are 2 things that make me wonder about Keycloak as an authorization server:
- Token exchange is only available as preview feature, but it is a key feature for an OAuth authz server: exchange an id token for an access token
- Returned token contains audience aud=client as defined by OIDC, not aud=server-id as defined by OAuth (to return aud=serverid, it needs to be defined in the mappers as an audience constant, which works but doesn’t look like something that was foreward thought)
This leads me to think I’m missing something.
Thanks for any tips