Security issue: in a realm, for a client with authorization services enabled, another client can request an arbitrary JWT token for that client!

I am studying the Keycloak authorization services (which claim to be UMA 2.0 compatible).

In a single realm, I define two clients (client_a, client_b).

client_a has authorization services enabled.

Any client (e.g. client_b) can request an access token for a client with authorization services enabled (e.g. client_a), using its service account or a valid access token issued for client_b, by setting the parameter 'audience=${client_a}'.

Sample curl command to reproduce the problem:

curl -v -k https://{server_url}/auth/realms/{realm}/protocol/openid-connect/token -H "Authorization: Basic Y2xpZW50X2E6MTIzNDU2Nzg=" --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" --data "audience=client_a"

JWT access token received:


{
  "exp": 1595908213,
  "iat": 1595907913,
  "jti": "eae2618b-ab23-4426-a382-834d41937caf",
  "iss": "https://{server_url}/auth/realms/{realm}",
  "aud": "client_a",
  "sub": "c8454602-f8c0-410c-8e54-fd0c4a82107b",
  "typ": "Bearer",
  "azp": "client_b",
  "session_state": "935d5497-c1a7-4f43-8456-4142f55c4892",
  "acr": "1",
  "authorization": {
    "permissions": [
      {
        "rsid": "ee69c285-a93e-4dd5-a6f0-fcb5920b7d72",
        "rsname": "Default Resource"
      }
    ]
  },
  "scope": "profile email",
  "clientHost": "192.168.0.123",
  "clientId": "client_a",
  "email_verified": false,
  "preferred_username": "service-account-client_b",
  "clientAddress": "192.168.0.123"
}


This should be a security flaw: client_b can basically access all the APIs of client_a (which are supposed to be protected with a JWT token [e.g. aud = client_a]).

And it bypasses some authenticators of the login flow, e.g. client_a requires OTP in the login flow [resource owner password grant], but now a user logged in to client_b [open client] can use his/her access token to request an access token for client_a.

So, I want to ask your opinion about this: is my observation / description of the issue correct?

Thanks.
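As an added example (not from the post and not Keycloak's own code), here is a resource-server-side check that client_a's API could apply to an RPT after signature verification: it treats the audience, the requesting client (azp) and the granted UMA permissions as separate decisions, so a token whose aud is client_a but whose azp is a client not on the API's allow-list is rejected. The claims dict is constructed from the decoded token quoted above; the allow-list and resource name are assumptions.

```python
import time

# Constructed from the decoded RPT claims quoted in the post (not a real token).
SAMPLE_CLAIMS = {
    "exp": 1595908213,
    "iat": 1595907913,
    "iss": "https://{server_url}/auth/realms/{realm}",
    "aud": "client_a",
    "azp": "client_b",
    "typ": "Bearer",
    "authorization": {
        "permissions": [
            {"rsid": "ee69c285-a93e-4dd5-a6f0-fcb5920b7d72", "rsname": "Default Resource"}
        ]
    },
}


def check_rpt_claims(claims, expected_iss, expected_aud, allowed_azp,
                     required_resource, now=None):
    """Return a list of policy violations for an already signature-verified RPT.

    Besides issuer, audience and expiry, the check confirms that the client
    which obtained the token (azp) is one this API is willing to serve, and
    that the UMA permissions in the token actually cover the resource being
    accessed. An empty list means the token passes every check.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud:
        problems.append("audience mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    # aud alone says which API the token is for; azp says who asked for it.
    if claims.get("azp") not in allowed_azp:
        problems.append(f"azp {claims.get('azp')!r} not allowed to call this API")
    perms = claims.get("authorization", {}).get("permissions", [])
    if not any(p.get("rsname") == required_resource for p in perms):
        problems.append(f"no permission for resource {required_resource!r}")
    return problems
```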