Is Keycloak really an OAuth authorization server?

Hi, sorry for the clickbait title :wink:, but I’m curious about this…

Keycloak is obviously defined as both an authn and authz server, OAuth and OIDC.
Keycloak is obviously a fully fledged authentication server, OIDC.

However there are 2 things that make me wonder about Keycloak as an authorization server:

  • Token exchange is only available as a preview feature, but it is a key feature for an OAuth authz server: exchange an id token for an access token
  • Returned token contains audience aud=client as defined by OIDC, not aud=server-id as defined by OAuth (to return aud=server-id, it needs to be defined in the mappers as an audience constant, which works but doesn’t look like something that was forward thought)

This leads me to think I’m missing something.

Thanks for any tips

1 Like
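The second point above is really about what a resource server does with the aud claim. Here is an added example (not code from the original post, and not Keycloak's own code) of the check a resource server should run: signature, expiry, and that its own identifier appears in aud, where aud may be a string or a list (RFC 7519 §4.1.3). It mints its own HS256 tokens with the standard library so it runs offline; the key, the issuer URL, the client id web-frontend and the resource id orders-api are all constructed for the demo. The first token carries only the requesting client as audience, the second also lists the API, which is the shape an audience mapper produces.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for the demo; a real realm signs with an asymmetric key.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Toy issuer: build a compact JWS signed with HS256 (stdlib only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_access_token(token: str, expected_aud: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Resource-server side check: signature, expiry, and audience.

    Returns the verified claims or raises ValueError. The caller's own
    identifier must be present in aud, whether aud is a string or a list.
    """
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token alone
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_aud not in auds:
        raise ValueError(f"aud {auds!r} does not include {expected_aud!r}")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Run the orders-api check against both token shapes; returns outcome per token."""
    base = {"iss": "https://idp.example/realms/demo", "sub": "alice",
            "iat": now, "exp": now + 300, "azp": "web-frontend"}
    # aud is only the client that requested the token (the OIDC id-token shape).
    client_only = mint_hs256({**base, "aud": "web-frontend"})
    # aud also names the resource server (what an audience mapper adds).
    with_api = mint_hs256({**base, "aud": ["web-frontend", "orders-api"]})
    results = {}
    for name, tok in (("client_only", client_only), ("with_api", with_api)):
        try:
            verify_access_token(tok, "orders-api", now=now)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the strict aud check is that a token minted for web-frontend cannot be replayed against orders-api; if the API skipped the check, any access token from the same realm would be accepted. That is exactly why the audience has to end up in the token one way or another, mapper or otherwise.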

FWIW, the word “authorization” never appears on the homepage of https://www.keycloak.org/

I’m not an OIDC expert, but I think maybe the preview feature you mention is why they don’t use the word.

1 Like

https://www.keycloak.org/docs/latest/authorization_services/

Actually that really doesn’t address my concerns. I am aware that these exist and I have played around with them.