Re: [keycloak-user] Authenticated Protocol Mapper?
Hello Hannah,
Just to make it clear: is your API secured by the same Keycloak instance? does it belong
to the same realm?
If so, this is probably a use case for offline tokens and/or impersonation. The idea is,
the mapper is executed with Keycloak's privileges, hence no need to perform
"honest" authentication; you can in fact produce any token you need to act on
behalf of another identity.
However, I'd also suggest that you try to "short-circuit" the whole
operation, maybe with the help of RMI/RPC. Is that possible? REST has more overhead, which
can come to the fore under high load.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2018-11-14 at 11:24 +0000, Hannah Short wrote:
Hi,
I’d like to deploy a custom OIDC Protocol Mapper that is itself a client of Keycloak. Is
this possible?
The objective is for the mapper to be able to call an API that is protected also by
Keycloak.
The current approach was for the mapper to use the Client Credentials flow to
authenticate, exchange the access token for one for the API client, and use it to call the
API. This works OK until I deploy the mapper to Keycloak, where it throws various
exceptions and does not seem to attempt the Client Credentials flow.
Any guidance, including alternative approaches, would be appreciated!
Cheers,
Hannah
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user