Is Keycloak really an OAuth authorization server?

jrobinss · October 14, 2021, 9:53am

Hi, sorry for the clickbait title , but I’m curious about this…

Keycloak is obviously defined as both authn and authz server, oauth and OIDC.
Keycloak is obviously a fully-fledged authentication server, OIDC.

However there are 2 things that make me wonder about Keycloak as an authorization server:

Token exchange is only available as preview feature, but it is a key feature for an OAuth authz server: exchange an id token for an access token
Returned token contains audience aud=client as defined by OIDC, not aud=server-id as defined by OAuth (to return aud=serverid, it needs to be defined in the mappers as an audience constant, which works but doesn’t look like something that was foreward thought)

This leads me to think I’m missing something.

Thanks for any tips

douglasawh · November 3, 2021, 9:57pm

FWIW, the word “authorization” never appears on the homepage of https://www.keycloak.org/

I’m not an OIDC expert, but I think maybe the preview feature you mention is why they don’t use the word.

xgp · November 4, 2021, 1:30pm

jrobinss · November 5, 2021, 2:41pm

Actually that really doesn’t address my concerns. I am aware that these exist and I have played around with them.

Topic		Replies	Views
Keycloak just as Authorization Server	14	3233	March 8, 2022
How does keycloak login works with external oauth2 authorization server Getting advice	2	1439	December 10, 2022
OAuth2 IDP instead of OIDC Configuring the server authentication , identity-brokering , oidc	1	1314	October 3, 2020
Is there plan to add token exchange as fully supported feature? Getting advice identity-brokering , user-federation , oidc	0	624	May 9, 2022
Token Exchange availability Getting advice	14	4332	November 25, 2021