Hi Leandro,
I’ve successfully executed the internal to internal token exchange, since both the starting
client and the target client are in the same realm.
When trying the external to internal token exchange however, I’m finding it a bit
challenging because I’m always getting the “invalid token” error.
I have done the following configuration using 2 Keycloak Instances:
KC1 has client “choco” in realm “demo”.
KC2 has client “vanilla” in realm “demo2”.
KC2 is configured as an IdP for KC1 with the alias “keycloak-oidc”.
I’ve configured the client policy for “keycloak-oidc” with the client “choco”.
I’m not sure how to configure the client “choco” as the target client (vanilla) is not in
the same realm.
So now, if I want to use the externally minted token from KC2 for the internal token in
KC1, I’m sending a post request like this:
For getting the subject token I’m logging into “vanilla” using user u2:
http://localhost:8280/auth/realms/demo2/protocol/openid-connect/token
username:u2
password:u2
client_id:vanilla
grant_type:password
client_secret:geheim
I get an access token “X” from the “demo2” realm on KC2 using this.
Using this access token X, I’m trying to get an internal KC token for “choco” in realm
“demo” on KC1:
http://localhost:8180/auth/realms/demo/protocol/openid-connect/token
client_id:choco
client_secret:geheim
grant_type:urn:ietf:params:oauth:grant-type:token-exchange
subject_token:token X
subject_issuer:keycloak-oidc
subject_token_type:urn:ietf:params:oauth:token-type:access_token
requested_token_type:urn:ietf:params:oauth:token-type:access_token
audience:vanilla
But I get the “invalid token” error.
Am I making a mistake somewhere? Please help.
Regards,
Aditya
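As an added example (not from the thread and not Keycloak's own code), the two requests above as a small Python script: it assembles the external-to-internal exchange body exactly as posted to KC1 and, before sending it, decodes the KC2 access token to confirm that its `iss` is KC2's realm issuer and that it has not expired. The realm issuer URL is assumed to be the token endpoint shown above with `/protocol/openid-connect/token` removed; the sample token is constructed for offline use.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Values from the thread: KC2 (realm demo2) mints the subject token, KC1 (realm demo) exchanges it.
KC2_ISSUER = "http://localhost:8280/auth/realms/demo2"
KC1_TOKEN_URL = "http://localhost:8180/auth/realms/demo/protocol/openid-connect/token"
EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Read the payload for inspection only; the signature is verified by KC1, not here."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def preflight(subject_token: str, expected_issuer: str, now=None) -> list:
    """Report an iss that is not the minting realm, or an expired exp, before calling KC1."""
    claims = jwt_claims(subject_token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss={claims.get('iss')!r}, expected {expected_issuer!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems

def exchange_form(subject_token: str, client_id: str, client_secret: str,
                  subject_issuer: str, audience: str) -> dict:
    """The external-to-internal exchange body exactly as posted to KC1 in the thread."""
    return {"client_id": client_id, "client_secret": client_secret, "grant_type": EXCHANGE_GRANT,
            "subject_token": subject_token, "subject_issuer": subject_issuer,
            "subject_token_type": ACCESS_TOKEN_TYPE, "requested_token_type": ACCESS_TOKEN_TYPE,
            "audience": audience}

def post_form(url: str, form: dict) -> dict:
    """POST an x-www-form-urlencoded body; a 400 'invalid token' surfaces as urllib.error.HTTPError."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def constructed_token(claims: dict) -> str:
    """Constructed sample JWT for offline runs; 'sig' stands in for the real RS256 signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

With a real token X from KC2, `preflight(X, KC2_ISSUER)` should return an empty list before `post_form(KC1_TOKEN_URL, exchange_form(X, "choco", "geheim", "keycloak-oidc", "vanilla"))` is attempted.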
From: Leandro Del Sole <leandrodelsole(a)gmail.com>
Date: Tuesday, August 6, 2019 at 5:11 PM
To: Aditya Bhole <Aditya.Bhole(a)veritas.com>
Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Subject: [EXTERNAL] Re: [keycloak-user] Alternative to Kerberos & Custom Use Case
I think what you're looking for is:
https://www.keycloak.org/docs/latest/securing_apps/index.html#external-to...
Probably this specific part:
https://www.keycloak.org/docs/latest/securing_apps/index.html#external-to...
It's worth reading all the possibilities to see which fits better for your case.
I'd be glad to hear if there are better options to achieve this; I have a similar
scenario here.
On Tue, Aug 6, 2019 at 20:48, Aditya Bhole
<Aditya.Bhole@veritas.com> wrote:
Hi,
Are there any other mechanisms in Keycloak apart from Kerberos which can establish
something similar to a cross realm trust?
Also, consider this use case: We have App A and App B. App A and App B may have different
Keycloak instances or may be in different realms of the same Keycloak instance. User logs
into App A. He clicks on a button in App A which is supposed to take him to App B. The
user now has a JWT when he logged into App A. Now App B knows that all the redirects are
going to be from App A. So can App B verify the token through App A?
Regards,
Aditya
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user