[keycloak-user] Authenticated Protocol Mapper?

Sun Nov 18 19:05:10 EST 2018

Hello Hannah, you're welcome,

Seems like your initial approach (Client Credentials grant aka service account) makes perfect sense. With the only one exception: you don't need that roundabout with authenticating service account and exchanging tokens. As the mapper code is executed on behalf of Keycloak, you're free to generate any token you want programmatically using Keycloak internal APIs.

This is how Keycloak produces access token in response to Client Credentials grant request:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java#L585

This is where it ends up inside a TokenManager:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L606

I think your code could be a simplified combination thereof. You need to construct a truly minimal access token without creating user sessions and stuff. I hope I'll be able to spend some time on a PoC this week.

On the other hand, the overall workflow seems a little cumbersome to me. Do you really need to invoke an external REST service each time your mapper is called, which could become a serious performance penalty? Maybe it would be sufficient to do it just once, during login, and then simply propagate the data to the tokens?
Could you please elaborate on the overall problem and what you're trying to achieve?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-11-15 at 10:13 +0000, Hannah Short wrote:
> Hi Dmitry, 
> 
> Thanks for your help!
> 
> > Just to make it clear: is your API secured by the same Keycloak instance? does it belong to the same realm?
> 
> Yes, both the same Keycloak instance and realm.
> 
> For the offline tokens approach, I’ve understood that they can only be generated programatically, and for a user. In our case this would be an offline token for the API (we could create a user to “own" this token) - is there a way to generate tokens through the Keycloak UI? 
> 
> Cheers,
> Hannah
> 
> > > > On 14 Nov 2018, at 19:27, Dmitry Telegin <dt at acutus.pro> wrote:
> > 
> > Hello Hannah,
> > 
> > Just to make it clear: is your API secured by the same Keycloak instance? does it belong to the same realm?
> > 
> > If so, this is probably a use case for offline tokens and/or impersonation. The idea is, the mapper is executed with Keycloak's privileges, hence no need to perform "honest" authentication; you can in fact produce any token you need to act on behalf of another identity.
> > 
> > However, I'd also suggest that you try to "short-circuit" the whole operation, maybe with the help of RMI/RPC. Is that possible? REST has more overhead, which can come to the fore under high load.
> > 
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> > 
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> > 
> > On Wed, 2018-11-14 at 11:24 +0000, Hannah Short wrote:
> > > Hi, 
> > > 
> > > I’d like to deploy a custom OIDC Protocol Mapper that is itself a client of Keycloak. Is this possible? 
> > > 
> > > The objective is for the mapper to be able to call an API that is protected also by Keycloak.
> > > 
> > > The current approach was for the mapper to use the Client Credentials flow to authenticate, exchange the access token for one for the API client, and use it to call the API. This works OK until I deploy the mapper to Keycloak, where it throws various exceptions and does not seem to attempt the Client Credentials flow.
> > > 
> > > Any guidance, including alternative approaches, would be appreciated!
> > > 
> > > Cheers,
> > > Hannah
> > > 
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> 
> 