Closed mlchai closed 2 years ago
The documentation mentions the OAuth2 Client and recommends accessing the long-lived token by using JWT authentication on the specific client (as described here: ). From my own experience, client secrets get leaked more often than private keys. That is the reason why it was mentioned. I do not have any experience using Azure AD myself; all I know is what other people are telling me. And so far I was told that Azure AD only supports accessing a SCIM service by registering long-lived tokens. But generating such long-lived tokens is never a good idea. Just assume an attacker manages to get hold of a single token that is still valid for over 200 days or so. You will not know it, and the attacker is happy about getting such a long-lived token.
Regarding the instructions in the wiki located here: https://github.com/Captain-P-Goldfish/scim-for-keycloak/wiki/Use-with-Microsoft-Azure-AD
At step 5, it gives a PowerShell script for generating an access token if you're using a client ID and client secret, but early on in the document it also recommends using a signed JWT. Just wondering what steps need to be taken to generate that JWT to input into Azure AD if needed.
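The "signed JWT" the wiki refers to is a private_key_jwt client assertion (RFC 7523): the client signs a short-lived JWT with its own RSA private key, and Keycloak, which holds only the public key, verifies it before issuing an access token, so no client secret and no long-lived bearer token ever exist on the calling side. The Go program below is an added example written for this page, not code from scim-for-keycloak, its wiki, or Azure AD. The token endpoint URL and client ID are placeholders, and it assumes the Keycloak client is configured with the Signed JWT client authenticator and the matching public key. It builds the assertion, shows the form body a client POSTs to the token endpoint instead of client_id/client_secret, and verifies the assertion the way the receiving side does, rejecting a wrong audience, an expired assertion, or a signature made with another key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Placeholder values for illustration, not taken from the wiki.
const tokenEndpoint = "https://keycloak.example.com/realms/scim/protocol/openid-connect/token"
const clientID = "azure-ad-scim-client"

// ClientAssertionClaims is the private_key_jwt claim set (RFC 7523 section 3): iss and sub
// are the client ID, aud is the token endpoint, jti is a one-time nonce, exp keeps it short-lived.
type ClientAssertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodePart base64url-decodes one compact-JWT segment and unmarshals its JSON.
func decodePart(s string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// NewClientAssertion builds and RS256-signs a client assertion valid for ttl.
// The private key stays with the caller; only the public key is registered in Keycloak.
func NewClientAssertion(key *rsa.PrivateKey, clientID, aud string, now time.Time, ttl time.Duration) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(ClientAssertionClaims{Iss: clientID, Sub: clientID, Aud: aud,
		Jti: b64url(nonce), Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientAssertion mirrors what the token endpoint checks on receipt: the header must say
// RS256 (no alg confusion), the signature must verify under the client's registered public key,
// aud must name this endpoint, and exp must still be in the future.
func VerifyClientAssertion(assertion string, pub *rsa.PublicKey, expectedAud string, now time.Time) (*ClientAssertionClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected or missing alg header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var claims ClientAssertionClaims
	if err := decodePart(parts[1], &claims); err != nil {
		return nil, err
	}
	if claims.Aud != expectedAud {
		return nil, fmt.Errorf("audience %q is not this token endpoint", claims.Aud)
	}
	if now.Unix() >= claims.Exp {
		return nil, fmt.Errorf("assertion expired")
	}
	return &claims, nil
}

// TokenRequestBody is the form a client POSTs to the token endpoint in place of
// client_id/client_secret; the access token in the response is what the SCIM request carries.
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	return v.Encode()
}
```

Keep the assertion lifetime to a minute or so and use a fresh jti for every request; the only long-lived artifact is then the private key on the caller's side, never a bearer token. This answers only how the JWT is produced: as the reply in this thread states, Azure AD is only known to take a registered long-lived token for the SCIM connection, so the exchange above would have to run from something other than Azure AD's provisioning configuration.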