I remember some discussions about this on the ML but I couldn't find a concluding answer.

I have a scenario where I need users from a realm "B" to be able to use an application

that lives in realm "A".

In the concrete use case I have a "B-user" registered in realm "B" that needs to access

an application X from realm "A".

"B-user" is already authenticated in keycloak and accesses the application X in realm "A".

Since the user is not authenticated with realm "A" the user gets redirected to realm "A"s login.

Now I want to make it possible to login the "B-user"either transparently or by clicking on a link

"login with B" such that he can use application X.

Note that I want to avoid showing B's login.

Is this possible at all?

I thought that this might be possible by defining a Keycloak Identity provider for realm B.

In order to test this I did the following:

I created two realms A and B - each with it's own realm user A-user and B-user respectively

then I defined a new identity provider of type Keycloak OpenID Connect (keycloak-oidc) with the following settings:

Alias: Realm B

Enabled: On

Authenticate by default: On

First Login Flow: first broker login

Post Login flow: --empty--

Client ID: account (account application in realm A)

Client Secret: fa0c8747-8ea5-43f0-acbd-fea47ad6bab8 (account application in realm A)

In "Mappers" I defined a "user-role-mapper" as a "Hardcoded Role" with "account.view-profile".

As an example app I use the account client that exists in both realms.

Now I login to realm-b and access the account app:

If I now browse to:

I get a redirect to:

which results in a page indicating:

We're sorry ...

Invalid parameter: redirect_uri

« Back to Application

Did I do anything wrong here? Why is the redirect_uri invalid?

Cheers,

Thomas