[keycloak-user] Is there a way to use an OIDC IdP without any backchannel communication involved (like SAML 2.0 Web Browser SSO with HTTP-Post Binding)

Marek Posolda mposolda at redhat.com
Thu Jul 27 07:00:19 EDT 2017


OIDC protocol has implicit flow and we support that in Keycloak. However 
we don't support that for our Identity providers. I see that 
AbstractOAuth2IdentityProvider.createAuthorizationUrl has hardcoded 
"response_type" to "code". So you would need to create your own impl of 
Identity Provider and override that method. Probably some other methods 
would need to be overridden too (e.g. for logout).

I would rather try to set up SSL and make Keycloak servers communicate 
with each other. We have truststore SPI, which is documented and 
hopefully can simplify it.


Marek

On 26/07/17 16:07, May Marcus, Bedag wrote:
> Hi,
>
> I'm looking into using Keycloak as a Broker in my SAAS platform to federate with foreign IdPs which aren't in my control.
>
> So my scenario is that:
> 1.      Customer navigates to his SP in my SAAS platform
> 2.      SP redirects him to my Keycloak in my SAAS platform
> 3.      Customer chooses to log in with his IdP
> 4.      Keycloak redirects Customer to the login page of his IdP
> 5.      Customer accomplishes login to his IdP
> 6.      IdP redirects the Customer to my Keycloak
> 7.      My Keycloak provisions the user
> 8.      My Keycloak redirects the user to his SP in my SAAS platform
> 9.      SP accepts the login
>
> For a proof of concept I tried to implement this scenario with two Keycloak instances, which aren't and shouldn't be able to communicate with each other. The only thing that should communicate with both Keycloak instances is the user agent, because I don't want the hassle that I have to establish a for example two-way-ssl connection between my SAAS Keycloak and foreign IdP.
>
> My first attempt was using OpenID Connect, but then my SAAS Keycloak tried to get an access_token from the other Keycloak in step 7. That didn't work (as I expected and intended). So my question is: Is there a way to use an OIDC IdP without any backchannel communication involved?
>
> My second attempt was using SAML 2.0 Web Browser SSO with HTTP-Post Binding. That did work fine.
>
> Best regards
> Marcus
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
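A starting point for the custom identity provider Marek describes, as an added example (not code from Keycloak, Marek or Marcus). It assumes the class and constant names that Keycloak's broker SPI exposes in current releases (OIDCIdentityProvider, OIDCIdentityProviderConfig, AbstractIdentityProviderFactory, the protected createAuthorizationUrl method and the OAUTH2_PARAMETER_RESPONSE_TYPE constant from AbstractOAuth2IdentityProvider); the package name example.broker and the provider id frontchannel-oidc are made up. Besides switching response_type to id_token, it sets response_mode=form_post: the implicit flow normally returns the id_token in the URL fragment, which the browser never sends to the broker, whereas form_post delivers it in a POST body, the OIDC counterpart of the SAML HTTP-POST binding that worked for Marcus. The callback endpoint that accepts that POST is the other method Marek says must be overridden and is not shown here.

```java
package example.broker; // hypothetical package, not part of Keycloak

import javax.ws.rs.core.UriBuilder;

import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.KeycloakSession;

/**
 * Variant of the built-in OIDC identity provider that asks the remote IdP
 * for an id_token on the front channel instead of an authorization code,
 * so the broker never has to call the IdP's token endpoint.
 */
public class FrontChannelOidcIdentityProvider extends OIDCIdentityProvider {

    public FrontChannelOidcIdentityProvider(KeycloakSession session, OIDCIdentityProviderConfig config) {
        super(session, config);
    }

    @Override
    protected UriBuilder createAuthorizationUrl(AuthenticationRequest request) {
        // Let the base class build client_id, redirect_uri, scope and state as usual,
        // then swap the hardcoded "code" response type for the implicit-flow variant.
        return super.createAuthorizationUrl(request)
                .replaceQueryParam(OAUTH2_PARAMETER_RESPONSE_TYPE, "id_token")
                // Without form_post the id_token arrives in the URL fragment and never
                // reaches the broker; form_post makes the IdP POST it to the redirect_uri.
                .queryParam("response_mode", "form_post");
        // The matching callback override (not shown) must read id_token from the POST
        // body and verify signature, issuer, audience, expiry and nonce itself, since
        // with no backchannel the signed id_token is the only proof of the login.
    }
}

/**
 * Factory that registers the provider under its own id. The fully qualified class
 * name also has to be listed in
 * META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory
 * of the deployment so Keycloak picks it up.
 */
class FrontChannelOidcIdentityProviderFactory
        extends AbstractIdentityProviderFactory<FrontChannelOidcIdentityProvider> {

    public static final String PROVIDER_ID = "frontchannel-oidc"; // hypothetical id

    @Override
    public String getName() {
        return "OpenID Connect (front channel only)";
    }

    @Override
    public FrontChannelOidcIdentityProvider create(KeycloakSession session, IdentityProviderModel model) {
        return new FrontChannelOidcIdentityProvider(session, new OIDCIdentityProviderConfig(model));
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }
}
```

Once the JAR is deployed, the new provider type appears in the admin console next to the built-in "OpenID Connect v1.0" entry and takes the same authorization URL, client id and signature settings; the token URL is then unused.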
