We have support for identity brokering, but not sure if that helps with your use case. If I understand correctly, you have a token for B and you want to access an API protected by A with the B-token, right?
If you don't want to use multitenancy for some reason, I think you may have to validate the token yourself on your application side instead of using our adapters. Even if A and B use the same publicKey for token verification, the issuer in the B-token will be different, so our adapter (which verifies the issuer) will fail.
Also you can implement your own directGrant authenticator in Keycloak-A, which will allow you to authenticate with the B-token (sent to it in some parameter) and then return you the A-token, which you can then validate. De facto exchanging the B-token for the A-token. See the Authentication SPI docs for more details.
On 24/01/17 12:14, Alexander Chriztopher wrote:
Actually, we don't want our API to know the B instance.
Is there any other solution (I am thinking about brokering between A and B and creating a client for instance B in instance A, etc.)?
And yes, A and B are not in a cluster for organisational reasons.
On Tue, Jan 24, 2017 at 11:25 AM, Marek Posolda <mposolda(a)redhat.com
I assume that Keycloak instances A and B are not in a cluster? If you can put them in a cluster, you will have this supported OOTB.
Also, did you see our multitenancy feature and multi-tenant example? This allows the application (API) to be protected by both instance A and B. So based on the token from the request, you will see whether you should use Keycloak A or B to validate the token.
On 24/01/17 11:05, Alexander Chriztopher wrote:
I am looking for the flow to get an access token with OIDC and 2 instances (A and B).
The user is known by instance B and gets an access token from instance B, then needs to access an API protected with instance A.
What would be the best way to do it?
Thanks for any help.
keycloak-user mailing list
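As an added example (not code from this thread, from Keycloak or from its adapters), the following Go program shows the two points Marek makes above in working form: a resource server that dispatches on the token's iss claim to decide which instance's key verifies it (the multi-tenant approach), and the fact that a verifier configured for A alone rejects a B-token regardless of whether the signing keys match. Issuer URLs, keys and claims are constructed placeholders; the RS256 signing helper only stands in for Keycloak so the example runs offline, and JWKS fetching, Keycloak's real adapters and the direct-grant token exchange option are not part of it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// IssuerKeys maps each trusted issuer URL to the RSA public key that signs its tokens:
// the "look at the token, then decide whether A or B validates it" dispatch.
type IssuerKeys map[string]*rsa.PublicKey

var enc = base64.RawURLEncoding

// SignRS256 mints a compact RS256 JWT; it stands in for Keycloak so the example runs offline.
func SignRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyMultiIssuer picks the key by the token's iss claim, then checks algorithm,
// signature, expiry and audience. An issuer missing from keys is rejected before any
// crypto runs, which is why an adapter configured for A alone rejects a B-token.
func VerifyMultiIssuer(token string, keys IssuerKeys, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, e1 := enc.DecodeString(parts[0])
	payload, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	// Pin the algorithm: "none" or an HMAC alg must never reach the RSA check.
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported alg")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	// iss is read from the still-unverified payload only to choose a key; no claim
	// is trusted until the signature under that key checks out.
	pub, ok := keys[c.Iss]
	if !ok {
		return nil, errors.New("untrusted issuer: " + c.Iss)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	if !now.Before(time.Unix(c.Exp, 0)) || c.Aud != audience {
		return nil, errors.New("expired token or wrong audience")
	}
	return &c, nil
}

// Demo uses throwaway keys and placeholder issuer URLs for hypothetical instances A and B.
func Demo() map[string]bool {
	keyA, _ := rsa.GenerateKey(rand.Reader, 2048)
	keyB, _ := rsa.GenerateKey(rand.Reader, 2048)
	issA, issB := "https://keycloak-a.example/auth/realms/demo", "https://keycloak-b.example/auth/realms/demo"
	now := time.Now()
	exp := now.Add(5 * time.Minute).Unix()
	tokA, _ := SignRS256(keyA, Claims{Iss: issA, Aud: "api", Exp: exp})
	tokB, _ := SignRS256(keyB, Claims{Iss: issB, Aud: "api", Exp: exp})
	// Claims issuer A but carries B's signature: the key chosen by iss will not verify it.
	mixed, _ := SignRS256(keyB, Claims{Iss: issA, Aud: "api", Exp: exp})
	onlyA := IssuerKeys{issA: &keyA.PublicKey}
	both := IssuerKeys{issA: &keyA.PublicKey, issB: &keyB.PublicKey}
	ok := func(tok string, k IssuerKeys) bool { _, err := VerifyMultiIssuer(tok, k, "api", now); return err == nil }
	return map[string]bool{
		"A-only accepts A-token": ok(tokA, onlyA), "A-only accepts B-token": ok(tokB, onlyA),
		"multi accepts A-token": ok(tokA, both), "multi accepts B-token": ok(tokB, both), "multi accepts mismatched key": ok(mixed, both),
	}
}
```

The A-only map reproduces the adapter behaviour described above: the B-token fails on the issuer check before its signature is even examined, and sharing a public key between A and B would not change that. The multi-issuer map is the application-side equivalent of the multi-tenant example, with the key chosen per request from a claim that is only trusted once the signature under that key has verified.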