We don't have brokering for directGrant flow though. You would need to
code authenticator by yourself.
Maybe I would do something like the authenticator where you can send the
parameters like for example
You will create new directGrant flow and you will put your authenticator
to it. Your authenticator will then do something like:
- Check if there is "external_idp=true" parameter. If not, then just
passthrough to other authenticators in the chain to do classic
directGrant login against "local" Keycloak server (like default
directGrant flow do)
- Then check the parameters external_username and external_passsword to
login against your Keycloak B (Assuming you know where Keycloak B is and
what is the desired clientId of Keycloak B to authenticate against it)
- If authentication against Keycloak B successful, you will successfully
finish the authenticator, so your client will receive the accessToken
from Keycloak A, which can be used to access your API.
You can take a look at existing Authentication SPI docs and examples and
at the existing implementations of DirectGrant authenticators for the
inspiration (ValidateUsername, ValidatePassword, ValidateOTP)
On 24/01/17 15:13, Alexander Chriztopher wrote:
What i need at the end is to be able to call an API protected by
Keycloak A with a user Known by Keycloak B.
In another way what we want is to do is brokering but with Direct
Access Grant and not in the browser as it is described here in the
Keycloak documentation here :
What would be the Direct Access Grant flow to achieve the same thing ?
On Tue, Jan 24, 2017 at 12:49 PM, Marek Posolda <mposolda(a)redhat.com
We have support for identity brokering, but not sure if that helps
with your usecase. As if I understand correctly, you have token
for B and you want to access API protected by A with the B-token,
If you don't want to use multitenancy for some reason, I think you
may have to validate token by yourself and your application side
instead of using our adapters. As even if A and B use the same
publicKey for token verification, the issuer in the B-Token will
be different though, so our adapter (which verifies the issuer)
Also you can implement your own directGrant authenticator in the
Keycloak-A, which will allow you to authenticate with the b-token
(sent to it in some parameter) and then return you back the
a-token, which you can then validate. Defacto exchange b-token for
a-token. See Authentication SPI docs for more details.
On 24/01/17 12:14, Alexander Chriztopher wrote:
> Actually, we dont' want our API to know the B instance.
> Is there any other solution (am thinking about brokering between
> A and B and creating a client for instance B in instance A etc.) ?
> And yes, A and B are not in a cluster for organisation matters.
> On Tue, Jan 24, 2017 at 11:25 AM, Marek Posolda
> <mposolda(a)redhat.com <mailto:email@example.com>> wrote:
> I assume that Keycloak instances A and B are not in cluster?
> If you can put them in cluster, you will have this supported
> Also did you see our multitenancy feature and multi-tenant
> example? This allows that application (API) is protected by
> both instance A or B. So based on the token from the request,
> you will see if you should use keycloak A or B to validate token.
> On 24/01/17 11:05, Alexander Chriztopher wrote:
> Am looking for the flow to get an access token with OIDC
> and 2 Keycloak
> instances (A and B).
> User is Known by instance B and gets an access token from
> instance B then
> needs to access an API protected with instance A.
> What would be the best way to do it ?
> Thanks for any help.
> keycloak-user mailing list