Hello Aditya,
I'm here in the list looking for support to make the external to internal
token work as well, so I'm not the best person to help you.
I hope someone that is reading us can help you better.
I'm sending the problem I'm facing soon in a new thread.
Although it should work with two Keycloaks, you can run this scenario in
just one Keycloak instance with two different realms. If it's just a test
scenario, you may want to keep it simpler.
Another point, the audience parameter is optional. So, to start, I would
omit it.
audience
OPTIONAL. This parameter specifies the target client you want the new
token minted for.
As I understood in the context of other chunks of explanation in the page
https://www.keycloak.org/docs/latest/securing_apps/index.html#external-to...,
audience should be a different client other than "choco" in the realm
"demo".
Which Content-Type are you submitting your request with? I've just tried using
"Content-Type: application/x-www-form-urlencoded".
And just to be sure, when you say, "subject_token:token X", you're
replacing all the "token X" with your token, not only the "X", right?
All other configuration and parameters seem OK to me.
Hope this helps.
Regards,
Leandro
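An added example, not code from this thread: the external-to-internal exchange request Aditya describes, built in Python the way Leandro suggests (form-encoded, the complete token as subject_token, audience omitted unless given), plus a helper that decodes the subject token's claims locally so iss/azp can be checked before the request is sent. Hosts, realms, client names and the secret are the ones from the thread; the sample JWT and its signature are constructed.

```python
import base64
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
KC1_TOKEN_URL = "http://localhost:8180/auth/realms/demo/protocol/openid-connect/token"

def exchange_params(client_id, client_secret, subject_token, subject_issuer,
                    audience=None):
    """Form fields for the external-to-internal exchange at KC1. subject_token is
    the complete external token (all of "token X"); audience is only sent if given."""
    params = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_issuer": subject_issuer,  # alias of the KC2 IdP configured in KC1
        "subject_token_type": ACCESS_TOKEN,
        "requested_token_type": ACCESS_TOKEN,
    }
    if audience is not None:
        params["audience"] = audience
    return params

def post_form(url, params):
    """POST the fields as application/x-www-form-urlencoded and return Keycloak's
    JSON reply; a 4xx body such as {"error": "invalid_token"} is returned too."""
    req = Request(url, data=urlencode(params).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as err:
        return json.load(err)

def jwt_claims(token):
    """Decode the JWT payload without verifying it, to check iss/azp before sending."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

# Constructed stand-in for "token X" from KC2's demo2 realm; the signature is fake.
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(b'{"iss":"http://localhost:8280/auth/realms/demo2","azp":"vanilla"}'), "sig"])
```

With both servers running, post_form(KC1_TOKEN_URL, exchange_params("choco", "geheim", token, "keycloak-oidc")) sends the exchange and returns either the minted token or Keycloak's error JSON, whose error_description is more useful than the bare "invalid token".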
On Fri, 9 Aug 2019 at 12:40, Aditya Bhole <Aditya.Bhole(a)veritas.com>
wrote:
Hi Leandro,
I’ve successfully executed the internal to internal token exchange as the
starting client and target client both are in the same realm.
When trying the external to internal token exchange however, I’m finding
it a bit challenging because I’m always getting the “invalid token” error.
I have done the following configuration using 2 Keycloak Instances:
KC1 has client “choco” in realm “demo”.
KC2 has client “vanilla” in realm “demo2”.
KC2 is configured as an IdP for KC1 with the alias “keycloak-oidc”.
I’ve configured the client policy for “keycloak-oidc” with the client
“choco”.
I’m not sure how to configure the client “choco” as the target client
(vanilla) is not in the same realm.
So now, if I want to use the externally minted token from KC2 for the
internal token in KC1, I’m sending a post request like this:
For getting the subject token I’m logging into “vanilla” using user u2:
http://localhost:8280/auth/realms/demo2/protocol/openid-connect/token
username:u2
password:u2
client_id:vanilla
grant_type:password
client_secret:geheim
I get an access token “X” using this from “demo2” realm in KC2.
Using this access token X, I’m trying to get an internal KC token for
“choco” in realm “demo” on KC1:
http://localhost:8180/auth/realms/demo/protocol/openid-connect/token
client_id:choco
client_secret:geheim
grant_type:urn:ietf:params:oauth:grant-type:token-exchange
subject_token:token X
subject_issuer:keycloak-oidc
subject_token_type:urn:ietf:params:oauth:token-type:access_token
requested_token_type:urn:ietf:params:oauth:token-type:access_token
audience:vanilla
But I get the “invalid token” error.
Am I making a mistake somewhere? Please help.
Regards,
Aditya
From: Leandro Del Sole <leandrodelsole(a)gmail.com>
Date: Tuesday, August 6, 2019 at 5:11 PM
To: Aditya Bhole <Aditya.Bhole(a)veritas.com>
Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Subject: [EXTERNAL] Re: [keycloak-user] Alternative to Kerberos &
Custom Use Case
I think what you're looking for is:
https://www.keycloak.org/docs/latest/securing_apps/index.html#external-to...
Probably this specific part:
https://www.keycloak.org/docs/latest/securing_apps/index.html#external-to...
It's worth reading all the possibilities to see which fits better for your
case.
I'm glad to hear if there are better options to achieve this, I have a
similar scenario here.
On Tue, 6 Aug 2019 at 20:48, Aditya Bhole <Aditya.Bhole(a)veritas.com>
wrote:
Hi,
Are there any other mechanisms in Keycloak apart from Kerberos which can
establish something similar to a cross realm trust?
Also, consider this use case: We have App A and App B. App A and App B may
have different Keycloak instances or may be in different realms of the same
Keycloak instance. User logs into App A. He clicks on a button in App A
which is supposed to take him to App B. The user now has a JWT when he
logged into App A. Now App B knows that all the redirects are going to be
from App A. So can App B verify the token through App A?
Regards,
Aditya
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user