Keycloak Access Token Data Encryption

Hi, all!

It's my first post here! I hope to collaborate with you with my doubts and answers.

I have a doubt about access tokens. I generated an access_token with the data:

{
  "jti": "cdfdc923-79c4-4442-8655-591a2cde9a45",
  "exp": 1570806211,
  "nbf": 0,
  "iat": 1570805911,
  "iss": "http://localhost:8080/auth/realms/poc2-realm",
  "sub": "445f77f3-140e-48b7-9ddf-5e912b7e7008",
  "typ": "Bearer",
  "azp": "poc2-client",
  "auth_time": 0,
  "session_state": "f82bec67-6c6a-4c3c-92d4-e8bc566aba14",
  "acr": "1",
  "scope": "profile email",
  "email_verified": true,
  "preferred_username": "poc2-user"
}

My problem is that fields like iss, session_state and others cannot be exposed to the final client, because from my company's point of view these data are very sensitive.

I would like to encrypt these data and present to the user something like:

{
  "my-token": "[tuple above encrypted here]"
}

Is there some function in Keycloak that performs this task?

Thanks.
Paulo.

hi Paulo,

The client must know the value of iss, otherwise they will not be able to direct traffic to Keycloak to generate the token in the first instance?

When you say 'final' client, it sounds like on the client side you are passing the access token to clients of origins unknown to Keycloak and/or your resource server. If your iss is so sensitive that this is deemed insecure, is giving them the access token in the first place a good practice?

Simon.

Hi Simon, thanks for the answer.

When you said:

The client must know the value of iss, otherwise they will not be able to direct traffic to Keycloak to generate the token in the first instance?

Currently not, because these data (like the realm and Keycloak URLs) could be stored in a gateway or in a config service on the server side.
Keycloak is not queried directly by the final client and does not have endpoints exposed publicly.

And when you said:

is giving them the access token in the first place a good practice?

My guess is that an access_token with roles, iss, sub and other 'sensitive' data exposed to the 'final client' does not seem like a good solution.

I am thinking of a solution that delivers to the 'final client' a kind of token such that any service inside the server-side structure can send a request with this token to Keycloak, which converts it into an access_token.
So the access_token will travel only inside the server-side ecosystem.

My question is whether Keycloak has a functionality or resource to deliver a token with no sensitive data that could be translated into the real access token.

Thanks.
Paulo

You could move the authentication from the user-facing frontend application to the backend that serves the frontend app, e.g. using keycloak-node-connect for an Express server, so the user will only get a cookie with a connect.sid entry, while credentials are managed in server-side sessions and never forwarded to the user agent.