[keycloak-dev] Feature request: Internal Token to External Token Exchange with automatic user linking in the External realm

Gael THIABAUD Gael.THIABAUD at almerys.com
Fri Dec 1 09:43:31 EST 2017


Dear Keycloak team,

The current usage of "Internal Token to External Token Exchange" is based on the fact that the user in the "external" realm was previously linked with the "Internal" Realm.
The current implementation of Client Initiated Account Linking only takes care of requests coming from a Web Browser.

I need to have it working if the requester is an application backend.
E.g.: A back end of a web application needs to use a REST service that is not managed by the same realm.

USER --> Web APP
Web APP -redirect-> KC Realm A
KC Realm A -Credential request-> USER
USER -credentials-> KC Realm A
KC Realm A -token & redirect-> USER
USER -redirect-> Web APP
Web APP -Internal to External Token Exchange-> KC Realm A
KC Realm A -request token exchange-> KC Realm B
KC Realm B -create user from token-> KC Realm B
KC Realm B -Realm B Token-> KC Realm A
KC Realm A --> Web APP
Web APP -Realm B Token in bearer mode-> REST server depending on Realm B

Is my use case clear?
Do you have a proposal?
Can we help with the implementation?

Regards

Gaël THIABAUD
Technical Department
mailto:gael.thiabaud at almerys.com

Telephone: 04 73 74 82 84
almerys, 46 Rue du Ressort, 63967 Clermont-Ferrand Cedex 9
www.almerys.com
      Scrum Master
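
The back-end leg of the flow described in the message above, as an added example that is not part of the original post and is not Keycloak project code. It builds the exchange request the web application back end would send to Realm A and classifies the response, including the unlinked-user case that can only be resolved in a browser. The host, realm names, client id, identity provider alias and all sample response values are constructed assumptions; the endpoint path, the `requested_issuer` parameter and the `account-link-url` response field follow Keycloak's token exchange documentation.

```python
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(base_url, realm, client_id, client_secret,
                           subject_token, requested_issuer):
    """Return (url, form_body) for the back end's exchange call to Realm A.

    requested_issuer is the alias of the identity provider that Realm A
    has configured for Realm B (assumed name in this example).
    """
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_issuer": requested_issuer,
    })
    return url, body


def classify_exchange_response(status, raw_body):
    """Decide what a back end can do with the exchange response."""
    data = json.loads(raw_body)
    if status == 200 and "access_token" in data:
        return ("token", data["access_token"])
    if "account-link-url" in data:
        # The user is not linked in Realm B yet. Following the link needs a
        # browser session, which a back end does not have.
        return ("needs_browser_linking", data["account-link-url"])
    return ("error", data.get("error", "unknown"))


# Constructed sample responses (placeholder values, not real tokens).
LINKED = (200, '{"access_token": "REALM_B_TOKEN", "expires_in": 300}')
UNLINKED = (400, '{"error": "EXAMPLE_ERROR", "account-link-url": '
                 '"https://kc.example.test/link-placeholder"}')

if __name__ == "__main__":
    print(build_exchange_request("https://kc.example.test/auth", "realm-a",
                                 "web-app-backend", "CLIENT_SECRET",
                                 "REALM_A_TOKEN", "realm-b"))
    print(classify_exchange_response(*LINKED))
    print(classify_exchange_response(*UNLINKED))
```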




