... and using the browser dev tools to look at network calls I can see the endpoints being used are
/auth/admin/realms/{{realm}}/clients/{{client_id}}/authz/resource-server
----
*James Mitchell*
Developer
e: jamesm(a)suitebox.com
w: www.suitebox.com
*SuiteBox |* Level 4, 8 Mahuhu Crescent, Auckland 1010, NZ
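The sequence the two messages above describe (enable permissions for an identity provider, create a client policy for the exchanging client, attach it to the token-exchange permission), written out against the Admin REST API as an added example; this is not code from the thread or from the Keycloak project. The thread only shows the `.../authz/resource-server` prefix, so every sub-path below (`identity-provider/instances/{alias}/management/permissions`, `policy/client`, `permission/scope/{id}`, `policy/{id}/resources|scopes|associatedPolicies`) is an assumption taken from what the Keycloak 7-era admin console calls and should be checked against the Admin REST API docs for the deployed version. The realm name `demo`, the client id `legacy-site`, the IdP alias `google` and the in-memory `fake_keycloak` stand-in are constructed so the sequence runs offline.

```python
"""Grant one client permission to token-exchange against one identity provider
through the Keycloak Admin REST API. Added example, not code from the thread."""
import json
import re
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# ASSUMPTION: the thread shows only the .../authz/resource-server prefix. The
# sub-paths used here are the ones the Keycloak 7-era admin console calls;
# confirm them against the Admin REST API docs of the deployed version.
Transport = Callable[[str, str, Optional[dict]], Optional[dict]]


def http_transport(base_url: str, bearer: str) -> Transport:
    """JSON over urllib with an admin bearer token obtained beforehand."""
    def send(method: str, path: str, body: Optional[dict]) -> Optional[dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
            headers={"Authorization": "Bearer " + bearer, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else None
    return send


class TokenExchangeGrant:
    def __init__(self, realm: str, send: Transport) -> None:
        self.realm, self.send = realm, send
        self.calls: List[Tuple[str, str]] = []  # audit trail of every admin call made

    def _call(self, method: str, path: str, body: Optional[dict] = None):
        self.calls.append((method, path))
        return self.send(method, path, body)

    def _client_uuid(self, client_id: str) -> str:
        # authz objects reference clients by internal UUID, not by clientId
        found = self._call("GET", f"/auth/admin/realms/{self.realm}/clients?clientId={client_id}")
        exact = [c["id"] for c in found or [] if c.get("clientId") == client_id]
        if len(exact) != 1:
            raise LookupError(f"expected exactly one client '{client_id}', found {len(exact)}")
        return exact[0]

    def grant(self, idp_alias: str, requester_client_id: str) -> Dict[str, str]:
        realm = self.realm
        # 1. Enabling fine-grained permissions on the IdP makes Keycloak create the
        #    resource and the "token-exchange" scope permission under realm-management.
        ref = self._call("PUT", f"/auth/admin/realms/{realm}/identity-provider/instances/"
                                f"{idp_alias}/management/permissions", {"enabled": True})
        perm_id = ref["scopePermissions"]["token-exchange"]
        authz = (f"/auth/admin/realms/{realm}/clients/{self._client_uuid('realm-management')}"
                 "/authz/resource-server")
        # 2. A client policy naming only the requesting client: one client per policy,
        #    so revoking it later touches nothing else.
        policy = self._call("POST", f"{authz}/policy/client", {
            "name": f"{requester_client_id}-may-exchange-with-{idp_alias}", "type": "client",
            "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS",
            "clients": [self._client_uuid(requester_client_id)]})
        # 3. Attach the policy to the permission. PUT replaces the representation, so
        #    re-send the resource, scope and policies the permission already has.
        current = self._call("GET", f"{authz}/permission/scope/{perm_id}")

        def linked(sub: str) -> List[str]:
            return [x["id"] for x in self._call("GET", f"{authz}/policy/{perm_id}/{sub}") or []]

        self._call("PUT", f"{authz}/permission/scope/{perm_id}", {
            "id": perm_id, "name": current["name"], "type": "scope",
            "logic": current.get("logic", "POSITIVE"),
            "decisionStrategy": current.get("decisionStrategy", "UNANIMOUS"),
            "resources": linked("resources"), "scopes": linked("scopes"),
            "policies": sorted(set(linked("associatedPolicies")) | {policy["id"]})})
        return {"permission": perm_id, "policy": policy["id"]}


def fake_keycloak() -> Tuple[Transport, Dict[str, dict]]:
    """Constructed in-memory stand-in for the endpoints above (sample ids, no
    real server) so the sequence can be run and inspected offline."""
    clients = {"realm-management": "rm-uuid", "legacy-site": "site-uuid"}
    state: Dict[str, dict] = {"perms": {}, "policies": {}}

    def send(method: str, path: str, body: Optional[dict]) -> Optional[dict]:
        if "/clients?clientId=" in path:
            cid = path.rsplit("=", 1)[1]
            return [{"id": clients[cid], "clientId": cid}] if cid in clients else []
        if path.endswith("/management/permissions") and method == "PUT":
            alias = path.split("/instances/")[1].split("/")[0]
            state["perms"][f"perm-{alias}"] = {"name": f"token-exchange.permission.idp.{alias}",
                "resources": [f"res-{alias}"], "scopes": ["scope-token-exchange"], "policies": []}
            return {"enabled": True, "resource": f"res-{alias}",
                    "scopePermissions": {"token-exchange": f"perm-{alias}"}}
        m = re.search(r"/policy/([^/]+)/(resources|scopes|associatedPolicies)$", path)
        if m:
            key = "policies" if m.group(2) == "associatedPolicies" else m.group(2)
            return [{"id": i} for i in state["perms"][m.group(1)][key]]
        if path.endswith("/policy/client") and method == "POST":
            pid = f"policy-{len(state['policies']) + 1}"
            state["policies"][pid] = dict(body, id=pid)
            return state["policies"][pid]
        m = re.search(r"/permission/scope/([^/]+)$", path)
        if m and method == "GET":
            return dict(state["perms"][m.group(1)], id=m.group(1), type="scope")
        if m and method == "PUT":
            state["perms"][m.group(1)].update({k: body[k] for k in ("resources", "scopes", "policies")})
            return None
        raise AssertionError(f"unexpected call {method} {path}")
    return send, state
```

Against a real server, replace `fake_keycloak()` with `http_transport("https://sso.example.invalid", admin_token)` and call `TokenExchangeGrant(realm, send).grant(alias, client_id)` once per identity provider; the `calls` list on the object is the record of what was changed, which is worth keeping with the migration log. Step 3 deliberately re-reads the permission's existing resource, scope and policy links before the PUT, because a representation sent without them would detach the permission from the IdP resource rather than narrow it.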
On Thu, 5 Sep 2019 at 10:05, James Mitchell <jamesm(a)suitebox.com> wrote:
Clicking through the UI I can see that all the things I need appear under
the system client "realm-management".
So I need to create the following items for that client's Authorization:
* Scope - simple "token-exchange"
* Policy - link to the client that I am using for the token exchange
* Resources - a resource for each identity provider, type "Identity Provider" and scope "token-exchange"
* Permission - one for each resource (idp) linking the resource, the scope, and the policy
So now I need to find the Admin API for client Authorization Scopes, Policy, Resources, and Permissions.
Are these endpoints in the Keycloak Admin REST API documentation?
Thanks,
James
On Wed, 4 Sep 2019 at 16:25, James Mitchell <jamesm(a)suitebox.com> wrote:
> Can I get a pointer to any admin api endpoints to enable permissions for
> an identity provider to perform token exchange, and an endpoint to create
> the client policy for the permission?
>
> Firstly, I know this would all go away if I create identity providers and
> redirect to Keycloak to handle the whole oauth process... but then I think
> that would break all the existing redirect urls I have provided to the
> external oauth services, so I'm reluctant to do that. I'd prefer a behind
> the scenes migration.
>
> So, my use case is that I have an existing site with server code that
> authenticates users with external services then grants access to the site.
> I have migrated all the internal users to a Keycloak auth, and now I'm
> looking at how to exchange the tokens from the external service for valid
> Keycloak tokens.
>
> Following the steps from the documents, I can automate the following steps
> * create an identity provider for the external service, and fill in all
> the endpoint and client ids
> * lookup the existing user (they are guaranteed to exist) and link them
> to the new IDP
> * < this is the missing step for automations >
> * perform the token exchange, which now works OK with my Google test user
>
> My problem is that I need to enable the permissions, and create the
> policy to allow the IDP to do token exchange; and I have not found which
> API endpoints will do that.
>
> Can someone point me at the right documents, or a keyword to search for
> in the Admin REST API document?
>
> Thanks,
> James