Limiting the access granted to access tokens
As access tokens get passed around from the application to services, it is important to limit the access granted. Otherwise, any access token could potentially be used to access any resource the user has access to.
There are a few different strategies that can be used to limit access for a specific access token. These include the following:
- Audience: Allows listing the resource providers that should accept an access token.
- Roles: Through controlling what roles a client has access to, it is possible to control what roles an application can access on behalf of the user.
- Scope: In Keycloak, scopes are created through client scopes, and an application can only have access to a specific list of scopes. Furthermore, when applications require consent, the user must also grant access to the scope.
Let's go through these one at a time and see exactly how this can be done with Keycloak, starting with audience.