Support for exchanging from access token/id token to SAML 2.0 assertion


Hiroyuki Wada

May 6, 2020, 9:21:17 PM
to Keycloak Dev
Hi,

Currently, the implementation of token exchange in Keycloak doesn't support exchanging from an access token/id token to a SAML 2.0 assertion, which is defined as the "urn:ietf:params:oauth:token-type:saml2" token type in https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16.
Our use-case, for example, is integration with AWS STS, which accepts a SAML token.
I found similar issues in JIRA. But it seems that they are for exchanging from SAML to access token/id token.


I'd like to propose adding this feature; would a pull request for it be welcome?


Best regards,

--
Hiroyuki Wada

Stian Thorgersen

May 8, 2020, 3:11:27 AM
to Hiroyuki Wada, Keycloak Dev
I would say so yes. Would be good to have support for "urn:ietf:params:oauth:token-type:saml2" in request, subject and actor tokens, if we want to expand into supporting SAML as well.

Can you elaborate a bit more on the AWS STS use-case you are referring to? Does it validate a SAML assertion issued by Keycloak, to then issue tokens for AWS resources?

--

Hiroyuki Wada

May 8, 2020, 4:57:37 AM
to Keycloak Dev
Thank you for your comment.
Is it OK to create a new JIRA ticket for supporting this use-case (from id token or access token to SAML 2.0 assertion)?

> Can you elaborate a bit more on the AWS STS use-case you are referring to? Does it validate a SAML assertion issued by Keycloak, to then issue tokens for AWS resources?

The SAML assertion is validated by AWS STS for issuing AWS credentials. The example sequence is below:

1. The end-user logs in to Keycloak, then an OAuth client gets an access token issued by the Keycloak server.
2. The client exchanges the access token for a SAML assertion for AWS through the token exchange endpoint of Keycloak.
3. The client sends the SAML assertion to AWS STS. AWS STS returns temporary credentials if the SAML assertion is valid.
4. Finally, the client can use the temporary credentials for calling AWS resources like S3.

Also, the following image will be helpful for understanding this use-case.



Best regards,

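As an added illustration of steps 2 and 3 above (example code written for this thread, not from Keycloak or the AWS SDK): the form parameters a client posts to the token exchange endpoint, and a client-side sanity check on the response before the assertion is handed to AWS STS. The Keycloak issuer URL, the AWS audience value and the sample assertion are constructed assumptions.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

# Token type URIs from draft-ietf-oauth-token-exchange (published as RFC 8693)
GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
SAML2 = "urn:ietf:params:oauth:token-type:saml2"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_AUDIENCE = "urn:amazon:webservices"  # audience AWS STS expects (assumed here)


def build_exchange_request(subject_token: str, audience: str = AWS_AUDIENCE) -> dict:
    """Step 2: form body posted to Keycloak's token endpoint to trade an access token for SAML."""
    return {"grant_type": GRANT, "subject_token": subject_token, "subject_token_type": ACCESS_TOKEN,
            "requested_token_type": SAML2, "audience": audience}


def check_exchange_response(resp: dict, now_iso: str, audience: str = AWS_AUDIENCE) -> str:
    """Before step 3, sanity-check the response and return the base64 assertion to hand to STS.
    Signature verification is the relying party's job (AWS STS); this only rejects a wrong
    token type, a SAMLResponse wrapper instead of a bare Assertion, a wrong audience, or an
    expired assertion early, so no credential request is made with a token STS would refuse."""
    if resp.get("issued_token_type") != SAML2:
        raise ValueError("not a saml2 token: %r" % resp.get("issued_token_type"))
    root = ET.fromstring(base64.b64decode(resp["access_token"]))  # RFC 8693 puts the token here
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("expected a SAML 2.0 Assertion element, got %s" % root.tag)
    found = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in found:
        raise ValueError("audience %r not in %r" % (audience, found))
    expiry = root.find("saml:Conditions", NS).attrib["NotOnOrAfter"]
    to_ts = lambda s: dt.datetime.fromisoformat(s.replace("Z", "+00:00"))
    if to_ts(now_iso) >= to_ts(expiry):
        raise ValueError("assertion expired at %s" % expiry)
    return resp["access_token"]


# Constructed sample (not a real Keycloak response): unsigned assertion for AWS, valid 5 minutes.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="%s" ID="_c1" Version="2.0" IssueInstant="2020-05-08T01:00:00Z">'
    '<saml:Issuer>https://keycloak.example.com/auth/realms/demo</saml:Issuer>'
    '<saml:Conditions NotBefore="2020-05-08T01:00:00Z" NotOnOrAfter="2020-05-08T01:05:00Z">'
    '<saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>' % NS["saml"]
)
SAMPLE_RESPONSE = {"access_token": base64.b64encode(SAMPLE_ASSERTION.encode()).decode(),
                   "issued_token_type": SAML2, "token_type": "N_A"}
```

The returned base64 string is what a client would pass as the SAML assertion to STS's AssumeRoleWithSAML call in step 3.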

Stian Thorgersen

May 8, 2020, 8:26:40 AM
to Hiroyuki Wada, Keycloak Dev
On Fri, 8 May 2020 at 10:57, Hiroyuki Wada <wada...@gmail.com> wrote:
> Thank you for your comment.
> Is it OK to create a new JIRA ticket for supporting this use-case (from id token or access token to SAML 2.0 assertion)?

Works for me.

Have you looked into how this could be achieved by the way?

Hiroyuki Wada

May 11, 2020, 3:53:22 AM
to Keycloak Dev
I created a JIRA ticket: https://issues.redhat.com/browse/KEYCLOAK-14113
However, during prototyping I noticed that the current implementation rejects an id token as the subject_token regardless of the requested_token_type.
The following code accepts access_token only.


Supporting id_token as the subject_token is not directly related to SAML 2.0 token support, so I thought it is better to do it in another ticket.


> Have you looked into how this could be achieved by the way?

I think the easiest way is to reuse the existing SAMLProtocol class. The following code is the prototype.


The original SAMLProtocol#authenticated method returns a SAMLResponse. I created a sub-class, which returns only the SAML assertion, for the token exchange.


Best regards,
