Hello Hannah, you're welcome,
Seems like your initial approach (Client Credentials grant, aka service account) makes
perfect sense, with only one exception: you don't need that roundabout of
authenticating the service account and exchanging tokens. As the mapper code is executed on
behalf of Keycloak, you're free to generate any token you want programmatically using
Keycloak internal APIs.
This is how Keycloak produces an access token in response to a Client Credentials grant
request:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
This is where it ends up inside a TokenManager:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
I think your code could be a simplified combination thereof. You need to construct a truly
minimal access token without creating user sessions and stuff. I hope I'll be able to
spend some time on a PoC this week.
On the other hand, the overall workflow seems a little cumbersome to me. Do you really
need to invoke an external REST service each time your mapper is called, which could
become a serious performance penalty? Maybe it would be sufficient to do it just once,
during login, and then simply propagate the data to the tokens?
Could you please elaborate on the overall problem and what you're trying to achieve?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2018-11-15 at 10:13 +0000, Hannah Short wrote:
Hi Dmitry,
Thanks for your help!
> Just to make it clear: is your API secured by the same Keycloak instance? does it
> belong to the same realm?
Yes, both the same Keycloak instance and realm.
For the offline tokens approach, I’ve understood that they can only be generated
programmatically, and for a user. In our case this would be an offline token for the API
(we could create a user to “own” this token) - is there a way to generate tokens
through the Keycloak UI?
Cheers,
Hannah
On 14 Nov 2018, at 19:27, Dmitry Telegin <dt(a)acutus.pro> wrote:
>
> Hello Hannah,
>
> Just to make it clear: is your API secured by the same Keycloak instance? does it
> belong to the same realm?
>
> If so, this is probably a use case for offline tokens and/or impersonation. The idea
> is, the mapper is executed with Keycloak's privileges, hence no need to perform
> "honest" authentication; you can in fact produce any token you need to act on
> behalf of another identity.
>
> However, I'd also suggest that you try to "short-circuit" the whole
> operation, maybe with the help of RMI/RPC. Is that possible? REST has more overhead, which
> can come to the fore under high load.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info(a)acutus.pro
>
> On Wed, 2018-11-14 at 11:24 +0000, Hannah Short wrote:
> > Hi,
> >
> > I’d like to deploy a custom OIDC Protocol Mapper that is itself a client of
> > Keycloak. Is this possible?
> >
> > The objective is for the mapper to be able to call an API that is protected
> > also by Keycloak.
> >
> > The current approach was for the mapper to use the Client Credentials flow to
> > authenticate, exchange the access token for one for the API client, and use it to call the
> > API. This works OK until I deploy the mapper to Keycloak, where it throws various
> > exceptions and does not seem to attempt the Client Credentials flow.
> >
> > Any guidance, including alternative approaches, would be appreciated!
> >
> > Cheers,
> > Hannah
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user