Re: [keycloak-user] Brokering with OIDC and Direct Access Grant

Tuesday, 24 January 2017

We have support for identity brokering, but not sure if that helps with 
your usecase. As if I understand correctly, you have token for B and you 
want to access API protected by A with the B-token, right?

If you don't want to use multitenancy for some reason, I think you may 
have to validate token by yourself and your application side instead of 
using our adapters. As even if A and B use the same publicKey for token 
verification, the issuer in the B-Token will be different though, so our 
adapter (which verifies the issuer) will fail.

Also you can implement your own directGrant authenticator in the 
Keycloak-A, which will allow you to authenticate with the b-token (sent 
to it in some parameter) and then return you back the a-token, which you 
can then validate. Defacto exchange b-token for a-token. See 
Authentication SPI docs for more details.

Marek

On 24/01/17 12:14, Alexander Chriztopher wrote:
...
 Actually, we dont' want our API to know the B instance.

 Is there any other solution (am thinking about brokering between A and 
 B and creating a client for instance B in instance A etc.) ?

 And yes, A and B are not in a cluster for organisation matters.

 On Tue, Jan 24, 2017 at 11:25 AM, Marek Posolda <mposolda(a)redhat.com 
 <mailto:mposolda@redhat.com>> wrote:

     I assume that Keycloak instances A and B are not in cluster? If
     you can put them in cluster, you will have this supported OOTB.

     Also did you see our multitenancy feature and multi-tenant
     example? This allows that application (API) is protected by both
     instance A or B. So based on the token from the request, you will
     see if you should use keycloak A or B to validate token.

     Marek

     On 24/01/17 11:05, Alexander Chriztopher wrote:

         Hello,

         Am looking for the flow to get an access token with OIDC and 2
         Keycloak
         instances (A and B).

         User is Known by instance B and gets an access token from
         instance B then
         needs to access an API protected with instance A.

         What would be the best way to do it ?

         Thanks for any help.
         _______________________________________________
         keycloak-user mailing list
         keycloak-user(a)lists.jboss.org
         <mailto:keycloak-user@lists.jboss.org>
         https://lists.jboss.org/mailman/listinfo/keycloak-user
         <https://lists.jboss.org/mailman/listinfo/keycloak-user>

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014