You have to create a client in your "top" realm for the "child" idp.
You must define a redirect uri in that client. I think that is probably
your problem.
On 2/22/2016 4:26 PM, Thomas Darimont wrote:
I remember some discussions about this on the ML but I couldn't find a concluding answer.
I have a scenario where I need users from a realm "B" to be able to use an application that lives in realm "A".
In the concrete use case I have a "B-user" registered in realm "B" that needs to access an application X from realm "A".
"B-user" is already authenticated in keycloak and accesses the application X in realm "A".
Since the user is not authenticated with realm "A" the user gets redirected to realm "A"'s login.
Now I want to make it possible to log in the "B-user" either transparently or by clicking on a link "login with B" such that he can use application X.
Note that I want to avoid showing B's login.
Is this possible at all?
I thought that this might be possible by defining a Keycloak Identity provider for realm B.
In order to test this I did the following:
I created two realms A and B, each with its own realm user A-user and B-user respectively,
then I defined a new identity provider of type Keycloak OpenID Connect (keycloak-oidc) with the following settings:
Alias: Realm B
Enabled: On
Authenticate by default: On
First Login Flow: first broker login
Post Login flow: --empty--
Authorization URL: http://localhost:8081/auth/realms/b/protocol/openid-connect/auth
Token URL: http://localhost:8081/auth/realms/b/protocol/openid-connect/token
Logout URL: http://localhost:8081/auth/realms/b/protocol/openid-connect/logout
User Info URL: http://localhost:8081/auth/realms/b/protocol/openid-connect/userinfo
Client ID: account (account application in realm A)
Client Secret: fa0c8747-8ea5-43f0-acbd-fea47ad6bab8 (account application in realm A)
In "Mappers" I defined a "user-role-mapper" as a "Hardcoded Role" with "account.view-profile".
As an example app I use the account client that exists in both realms.
Now I login to realm-b and access the account app:
http://localhost:8081/auth/realms/b/account
If I now browse to:
http://localhost:8081/auth/realms/a/account
I get a redirect to:
http://localhost:8081/auth/realms/b/protocol/openid-connect/auth?scope=op...
which results in a page indicating:
We're sorry ...
Invalid parameter: redirect_uri
« Back to Application
Back to application points to "http://localhost:8081/auth/realms/b/account"
Did I do anything wrong here? Why is the redirect_uri invalid?
Cheers,
Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
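Bill's point, modelled in code as an added example (not from the thread or from Keycloak itself): realm A's broker sends its own callback URL as `redirect_uri` to realm B, and realm B's built-in `account` client only has `.../realms/b/account/*` registered, so the request is rejected. The broker callback path `<base>/realms/<realm>/broker/<alias>/endpoint`, the simplified exact-or-`*`-prefix matching rule, the alias `realm-b`, and the placeholder secret are assumptions for this example.

```python
"""Why realm B answers "Invalid parameter: redirect_uri" (added example)."""
from urllib.parse import quote

BASE = "http://localhost:8081/auth"  # server used in the thread


def broker_redirect_uri(base: str, realm: str, alias: str) -> str:
    """Callback URL that realm `realm` sends as redirect_uri when brokering
    to the identity provider with alias `alias` (assumed path layout)."""
    return f"{base}/realms/{realm}/broker/{quote(alias, safe='')}/endpoint"


def redirect_uri_allowed(registered: list[str], requested: str) -> bool:
    """Simplified model of the client check: a registered URI matches either
    exactly, or as a prefix when it ends with '*'."""
    for uri in registered:
        if uri.endswith("*"):
            if requested.startswith(uri[:-1]):
                return True
        elif uri == requested:
            return True
    return False


def broker_client(client_id: str, realm_a: str, alias: str, secret: str) -> dict:
    """Client representation to create in the child realm (B) for the
    identity provider configured in the top realm (A); its only redirect
    URI is realm A's broker callback."""
    return {
        "clientId": client_id,
        "enabled": True,
        "publicClient": False,
        "secret": secret,
        "redirectUris": [broker_redirect_uri(BASE, realm_a, alias)],
    }


# Constructed sample: the thread reused realm B's "account" client, whose
# registered redirect URIs cover only the account console itself.
ACCOUNT_CLIENT_REDIRECTS = [f"{BASE}/realms/b/account/*"]
REQUESTED = broker_redirect_uri(BASE, "a", "realm-b")

if __name__ == "__main__":
    print("broker sends redirect_uri =", REQUESTED)
    print("accepted by account client?",
          redirect_uri_allowed(ACCOUNT_CLIENT_REDIRECTS, REQUESTED))  # False
    client = broker_client("realm-a-broker", "a", "realm-b", "<placeholder-secret>")
    print("accepted by dedicated client?",
          redirect_uri_allowed(client["redirectUris"], REQUESTED))  # True
```

The dedicated client's `clientId` and `secret` are what go into the Client ID / Client Secret fields of realm A's identity provider, in place of the `account` client values used in the thread.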