<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
You have to create a client in your "top" realm for the "child"
idp. You must define a redirect uri in that client. I think that
is probably your problem.<br>
<br>
<div class="moz-cite-prefix">On 2/22/2016 4:26 PM, Thomas Darimont
wrote:<br>
</div>
<blockquote
cite="mid:CAK-7U1gfLD0QDxxJkX=SFfAF5T==7_BJdn9Fs+LvC9OCsFo0Mg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>I remember some discussions about this on the ML but I
couldn't find a concluding answer.<br>
</div>
<div><br>
</div>
<div>I have a scenario where I need users from a realm "B" to be
able to use an application</div>
<div>that lives in realm "A".</div>
<div><br>
</div>
<div>In the concrete use case I have a "B-user" registered in
realm "B" that needs to access</div>
<div>an application X from realm "A".</div>
<div>"B-user" is already authenticated in keycloak and accesses
the application X in realm "A".</div>
<div>Since the user is not authenticated with realm "A", the user
gets redirected to realm "A"'s login.</div>
<div><br>
</div>
<div>Now I want to make it possible to login the "B-user" either
transparently or by clicking on a link </div>
<div>"login with B" such that he can use application X.</div>
<div><br>
</div>
<div>Note that I want to avoid showing B's login.</div>
<div><br>
</div>
<div>Is this possible at all?</div>
<div><br>
</div>
<div>I thought that this might be possible by defining a
Keycloak Identity provider for realm B.</div>
<div><br>
</div>
<div>In order to test this I did the following:</div>
<div><br>
</div>
<div>I created two realms A and B - each with its own realm
user A-user and B-user respectively</div>
<div>then I defined a new identity provider of type Keycloak
OpenID Connect (keycloak-oidc) with the following settings:</div>
<div><br>
</div>
<div> Alias: Realm B</div>
<div> Enabled: On</div>
<div>Authenticate by default: On</div>
<div> First Login Flow: first broker login</div>
<div> Post Login flow: --empty--</div>
<div> Authorization URL: <a moz-do-not-send="true"
href="http://localhost:8081/auth/realms/b/protocol/openid-connect/auth">http://localhost:8081/auth/realms/b/protocol/openid-connect/auth</a></div>
<div> Token URL: <a moz-do-not-send="true"
href="http://localhost:8081/auth/realms/b/protocol/openid-connect/token">http://localhost:8081/auth/realms/b/protocol/openid-connect/token</a></div>
<div> Logout URL: <a moz-do-not-send="true"
href="http://localhost:8081/auth/realms/b/protocol/openid-connect/logout">http://localhost:8081/auth/realms/b/protocol/openid-connect/logout</a></div>
<div> User Info URL: <a moz-do-not-send="true"
href="http://localhost:8081/auth/realms/b/protocol/openid-connect/userinfo">http://localhost:8081/auth/realms/b/protocol/openid-connect/userinfo</a></div>
<div> Client ID: account (account
application in realm A)</div>
<div> Client Secret:
fa0c8747-8ea5-43f0-acbd-fea47ad6bab8 (account application in
realm A)</div>
<div><br>
</div>
<div>In "Mappers" I defined a "user-role-mapper" as a "Hardcoded
Role" with "account.view-profile".</div>
<div><br>
</div>
<div>As an example app I use the account client that exists in
both realms.</div>
<div><br>
</div>
<div>Now I login to realm-b and access the account app:</div>
<div><a moz-do-not-send="true"
href="http://localhost:8081/auth/realms/b/account">http://localhost:8081/auth/realms/b/account</a></div>
<div><br>
</div>
<div>If I now browse to:</div>
<div><a moz-do-not-send="true"
href="http://localhost:8081/auth/realms/a/account">http://localhost:8081/auth/realms/a/account</a></div>
<div><br>
</div>
<div>I get a redirect to:</div>
<div><a moz-do-not-send="true"
href="http://localhost:8081/auth/realms/b/protocol/openid-connect/auth?scope=openid&state=xvB9nevhQp6IhPJzN7-XfRwUI1250UINM-VvegnpNB0.44090b97-e6a2-448d-b453-60d967265cb4&response_type=code&client_id=account&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fauth%2Frealms%2Fa%2Fbroker%2FB%2Fendpoint">http://localhost:8081/auth/realms/b/protocol/openid-connect/auth?scope=openid&state=xvB9nevhQp6IhPJzN7-XfRwUI1250UINM-VvegnpNB0.44090b97-e6a2-448d-b453-60d967265cb4&response_type=code&client_id=account&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fauth%2Frealms%2Fa%2Fbroker%2FB%2Fendpoint</a></div>
<div><br>
</div>
<div>which results in a page indicating:</div>
<div><br>
</div>
<div> We're sorry ...</div>
<div><br>
</div>
<div> Invalid parameter: redirect_uri</div>
<div><br>
</div>
<div> « Back to Application</div>
<div><br>
</div>
<div>Back to application points to "<a moz-do-not-send="true"
href="http://localhost:8081/auth/realms/b/account">http://localhost:8081/auth/realms/b/account</a>"</div>
<div>Did I do anything wrong here? Why is the redirect_uri
invalid?</div>
<div><br>
</div>
<div>Cheers,</div>
<div>Thomas</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Bill Burke
JBoss, a division of Red Hat
<a class="moz-txt-link-freetext" href="http://bill.burkecentral.com">http://bill.burkecentral.com</a></pre>
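Added example, not part of the thread and not Keycloak's own code: a small Python model of the check that produced the "Invalid parameter: redirect_uri" page above. An OpenID Connect server only redirects to a URI that the requesting client has registered, so the authorization request that realm A's broker sends to realm B (taken from the thread) fails while realm B's "account" client is the one named as client_id, and succeeds once a client registered in realm B lists the broker endpoint as its redirect URI. The client registry, the "account" client's redirect pattern, and the client name realm-a-broker are constructed assumptions for this example.

```python
"""Model of redirect_uri validation for the realm A -> realm B brokering scenario."""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

SERVER_ROOT = "http://localhost:8081"  # server used throughout the thread

# Constructed registry of clients in realm "b". The redirect pattern for the
# "account" client is an assumption for this example, not Keycloak's default.
REALM_B_CLIENTS: Dict[str, List[str]] = {
    "account": ["/auth/realms/b/account/*"],
}

# Same registry after the fix Bill describes: a client in realm "b" whose
# registered redirect URI is realm A's broker endpoint. The client name
# "realm-a-broker" is hypothetical.
BROKER_ENDPOINT = "http://localhost:8081/auth/realms/a/broker/B/endpoint"
REALM_B_CLIENTS_FIXED: Dict[str, List[str]] = {
    **REALM_B_CLIENTS,
    "realm-a-broker": [BROKER_ENDPOINT],
}

# The authorization request quoted in the thread (client_id=account).
PAGE_AUTH_REQUEST = (
    "http://localhost:8081/auth/realms/b/protocol/openid-connect/auth"
    "?scope=openid&state=xvB9nevhQp6IhPJzN7-XfRwUI1250UINM-VvegnpNB0"
    ".44090b97-e6a2-448d-b453-60d967265cb4&response_type=code"
    "&client_id=account"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fauth%2Frealms%2Fa%2Fbroker%2FB%2Fendpoint"
)

# The same request as the identity provider in realm A would send once its
# Client ID points at the dedicated client in realm B (constructed).
FIXED_AUTH_REQUEST = PAGE_AUTH_REQUEST.replace(
    "client_id=account", "client_id=realm-a-broker"
)


def _absolute(pattern: str) -> str:
    """Resolve a root-relative registered URI against the server root."""
    return SERVER_ROOT + pattern if pattern.startswith("/") else pattern


def redirect_uri_allowed(redirect_uri: str, registered: List[str]) -> bool:
    """Return True if redirect_uri matches one of the client's registered URIs.

    Simplified rule: scheme, host and port must match exactly; the path must
    match exactly, or, when the pattern ends in '*', the request path must
    start with the pattern's path up to the '*'. A redirect_uri carrying a
    query string or fragment is rejected so a registered prefix cannot be
    abused to smuggle parameters into the callback.
    """
    req = urlsplit(redirect_uri)
    if req.query or req.fragment:
        return False
    for pattern in registered:
        pat = urlsplit(_absolute(pattern))
        if (req.scheme, req.netloc) != (pat.scheme, pat.netloc):
            continue  # different host or port never matches, wildcard or not
        if pat.path.endswith("*"):
            if req.path.startswith(pat.path[:-1]):
                return True
        elif req.path == pat.path:
            return True
    return False


def check_authorization_request(url: str, clients: Dict[str, List[str]]) -> Tuple[str, bool]:
    """Pull client_id and redirect_uri out of an authorization request URL and
    validate the redirect_uri against that client's registration.
    Returns (client_id, allowed)."""
    params = parse_qs(urlsplit(url).query)
    client_id = params["client_id"][0]
    redirect_uri = params["redirect_uri"][0]  # parse_qs has percent-decoded it
    return client_id, redirect_uri_allowed(redirect_uri, clients.get(client_id, []))


if __name__ == "__main__":
    # Reproduces the thread: the "account" client of realm b does not list
    # realm a's broker endpoint, so the server answers "Invalid parameter:
    # redirect_uri".
    print(check_authorization_request(PAGE_AUTH_REQUEST, REALM_B_CLIENTS))
    # After registering a client in realm b with the broker endpoint as its
    # redirect URI, the same redirect_uri is accepted.
    print(check_authorization_request(FIXED_AUTH_REQUEST, REALM_B_CLIENTS_FIXED))
```

The exact-match registration in REALM_B_CLIENTS_FIXED is deliberate: the broker callback URL is fixed and known, so there is no reason to register a wildcard broader than that path, and the host comparison in redirect_uri_allowed is what keeps a registered prefix from being redirected anywhere else.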
</body>
</html>