[keycloak-user] Brokering with OIDC and Direct Access Grant

Marek Posolda mposolda at redhat.com
Tue Jan 24 06:49:47 EST 2017


We have support for identity brokering, but I am not sure if that helps with 
your use case. If I understand correctly, you have a token for B and you 
want to access an API protected by A with the B-token, right?

If you don't want to use multitenancy for some reason, I think you may 
have to validate the token yourself on your application side instead of 
using our adapters. Even if A and B use the same publicKey for token 
verification, the issuer in the B-token will be different, so our 
adapter (which verifies the issuer) will fail.

Also, you can implement your own directGrant authenticator in 
Keycloak-A, which will allow you to authenticate with the B-token (sent 
to it in some parameter) and then return you the A-token, which you 
can then validate. De facto, exchange the B-token for an A-token. See 
the Authentication SPI docs for more details.

Marek

On 24/01/17 12:14, Alexander Chriztopher wrote:
> Actually, we don't want our API to know the B instance.
>
> Is there any other solution (I am thinking about brokering between A and 
> B and creating a client for instance B in instance A, etc.)?
>
> And yes, A and B are not in a cluster for organisational reasons.
>
> On Tue, Jan 24, 2017 at 11:25 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
>     I assume that Keycloak instances A and B are not in a cluster? If
>     you can put them in a cluster, you will have this supported OOTB.
>
>     Also, did you see our multitenancy feature and multi-tenant
>     example? This allows an application (API) to be protected by both
>     instance A and B. So based on the token from the request, you will
>     see if you should use Keycloak A or B to validate the token.
>
>     Marek
>
>
>     On 24/01/17 11:05, Alexander Chriztopher wrote:
>
>         Hello,
>
>         I am looking for the flow to get an access token with OIDC and 2
>         Keycloak instances (A and B).
>
>         The user is known by instance B and gets an access token from
>         instance B, then needs to access an API protected by instance A.
>
>         What would be the best way to do it?
>
>         Thanks for any help.
>         _______________________________________________
>         keycloak-user mailing list
>         keycloak-user at lists.jboss.org
>         https://lists.jboss.org/mailman/listinfo/keycloak-user
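The two behaviours Marek describes above, the single-realm adapter rejecting a token whose `iss` does not match even when the signing key is shared, and the multi-tenant approach of selecting the realm from the token's issuer before verifying it, shown as an added example. This is not code from the thread or from Keycloak: tokens are constructed with HS256 so it runs on the Python standard library alone (Keycloak issues RS256 tokens, but the issuer check is identical), and the issuer URLs and keys are made up for the demonstration.

```python
"""Issuer-pinned JWT verification versus multi-issuer dispatch.

Added example; not Keycloak code. HS256 stands in for Keycloak's RS256 so
that the block runs without third-party libraries. Issuer URLs and keys
below are constructed sample values.
"""
import base64
import hashlib
import hmac
import json

# Constructed issuers for two independent Keycloak instances, A and B.
ISSUER_A = "https://keycloak-a.example/auth/realms/demo"
ISSUER_B = "https://keycloak-b.example/auth/realms/demo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT. Test helper only; stands in for issuance by Keycloak."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, expected_issuer: str) -> dict:
    """What a single-realm adapter does: check the signature, then pin the issuer.

    A token from instance B fails here against an adapter configured for A
    even if both instances happen to use the same key, because `iss` differs.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} != {expected_issuer!r}")
    return claims


def unverified_issuer(token: str) -> str:
    """Read `iss` from the payload before verification.

    Used only to pick which realm's key to verify against; the value is
    never trusted until verify_token has run with that realm's key.
    """
    payload_b64 = token.split(".")[1]
    return json.loads(_b64url_decode(payload_b64)).get("iss", "")


def verify_multitenant(token: str, realms: dict) -> dict:
    """Multi-tenant variant: dispatch on issuer, then verify against that realm.

    `realms` maps issuer URL -> verification key. A token naming an issuer
    the API has not been configured for is rejected before any key is used.
    """
    iss = unverified_issuer(token)
    if iss not in realms:
        raise ValueError(f"unknown issuer {iss!r}")
    return verify_token(token, realms[iss], iss)


def accepts(verifier, *args) -> bool:
    """Run a verifier and report accept/reject instead of raising."""
    try:
        verifier(*args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    shared_key = b"constructed-shared-key"
    token_b = make_token({"iss": ISSUER_B, "sub": "alice"}, shared_key)
    print("adapter for A, shared key:", accepts(verify_token, token_b, shared_key, ISSUER_A))
    print("multi-tenant (A and B):", accepts(verify_multitenant, token_b,
                                           {ISSUER_A: shared_key, ISSUER_B: shared_key}))
```

Reading `iss` before the signature is checked is only safe because the value is used to select a key, and the same key then verifies the signature and re-checks the issuer; an attacker who writes a foreign issuer into a forged token gets either "unknown issuer" or "bad signature", never a verified claim set.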