[keycloak-dev] external token exchange - feedback needed
Marek Posolda
mposolda at redhat.com
Fri Sep 22 10:48:47 EDT 2017
Exchange flow provides the most flexibility and can provide the other two
options automatically in OOTB authenticators though? So my vote is for this.
Marek
On 21/09/17 22:05, Bill Burke wrote:
> I'm almost done implementing external token exchange where you can
> provide an external OIDC token and exchange it for a Keycloak one.
> Need some feedback though.
>
> * first broker flow and post broker flows won't be executed. Can't,
> it's a non-browser flow.
> * mappers are run.
> * logout will not logout broker session
> * If duplicate emails exist, abort, 403
> * If duplicate username exists, abort, 403.
>
> The feedback I need is on duplicates. We might have the case where
> username is unique across different realms. Should I have a switch
> that will use existing user? Maybe an additional switch to not create
> a link? Maybe I should have an exchange flow?
>
>
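The user-resolution step Bill describes above (mappers run, no broker flows, duplicate email or username aborts with 403), as an added example that is not part of the original thread or of Keycloak's code base. The realm is an in-memory user store, the external OIDC token is represented by its already verified claims, and the names `Realm`, `exchange_external_token`, `copy_claim` and the `link_existing` switch (modelling the "use existing user" option asked about in the thread) are assumptions made for this illustration, not Keycloak APIs.

```python
"""Added example, not Keycloak code: simulation of resolving the local user during
external token exchange. Names below are assumptions for this illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class User:
    username: str
    email: str
    attributes: Dict[str, str] = field(default_factory=dict)
    links: Dict[str, str] = field(default_factory=dict)  # idp alias -> external "sub"


class ExchangeError(Exception):
    """Abort the exchange; `status` is the HTTP status the token endpoint returns."""
    def __init__(self, status: int, reason: str):
        super().__init__(f"{status} {reason}")
        self.status, self.reason = status, reason


Mapper = Callable[[dict, User], None]  # receives verified claims, mutates the user


def copy_claim(claim: str, attr: str) -> Mapper:
    """Minimal attribute-importer style mapper: copy one claim into a user attribute."""
    def mapper(claims: dict, user: User) -> None:
        if claim in claims:
            user.attributes[attr] = str(claims[claim])
    return mapper


class Realm:
    def __init__(self, users: List[User]):
        self.users = list(users)

    def by_link(self, idp_alias: str, sub: str) -> Optional[User]:
        return next((u for u in self.users if u.links.get(idp_alias) == sub), None)

    def by_username(self, username: str) -> Optional[User]:
        return next((u for u in self.users if u.username.lower() == username.lower()), None)

    def by_email(self, email: str) -> Optional[User]:
        return next((u for u in self.users if u.email.lower() == email.lower()), None)


def exchange_external_token(realm: Realm, idp_alias: str, claims: dict,
                            mappers: List[Mapper], link_existing: bool = False) -> User:
    """Return the local user a Keycloak token would be issued for.

    Modelled on the thread: no first/post broker flows (not a browser flow), mappers
    are run, duplicate email or username -> 403. `link_existing` is the hypothetical
    switch from the thread: link the existing account instead of rejecting.
    """
    sub = claims["sub"]
    username = claims.get("preferred_username") or sub
    email = claims.get("email", "")
    user = realm.by_link(idp_alias, sub)  # linked by an earlier exchange
    if user is None:
        by_email = realm.by_email(email) if email else None
        by_name = realm.by_username(username)
        if by_email is not None and by_name is not None and by_email is not by_name:
            raise ExchangeError(403, "ambiguous match")  # two local accounts: never pick one
        existing = by_email or by_name
        if existing is not None and not link_existing:
            raise ExchangeError(403, "duplicate email" if by_email else "duplicate username")
        if existing is None:
            existing = User(username=username, email=email)
            realm.users.append(existing)
        existing.links[idp_alias] = sub  # create the federated identity link
        user = existing
    for mapper in mappers:
        mapper(claims, user)
    return user


def run_scenarios() -> Dict[str, str]:
    """Constructed sample data exercising each branch; returns scenario -> outcome."""
    realm = Realm([User("alice", "alice@example.com"), User("bob", "bob@example.com")])
    mappers = [copy_claim("given_name", "firstName")]
    cases = {
        "new user": ({"sub": "ext-1", "preferred_username": "carol", "email": "carol@example.com", "given_name": "Carol"}, False),
        "duplicate email": ({"sub": "ext-2", "preferred_username": "alice2", "email": "alice@example.com"}, False),
        "duplicate username": ({"sub": "ext-3", "preferred_username": "bob", "email": "bob@other.example"}, False),
        "link existing": ({"sub": "ext-3", "preferred_username": "bob", "email": "bob@other.example"}, True),
        "repeat exchange": ({"sub": "ext-1", "preferred_username": "carol", "email": "carol@example.com"}, False),
    }
    outcomes = {}
    for name, (claims, link) in cases.items():
        try:
            user = exchange_external_token(realm, "ext-oidc", claims, mappers, link_existing=link)
            outcomes[name] = f"200 {user.username} links={user.links}"
        except ExchangeError as err:
            outcomes[name] = f"{err.status} {err.reason}"
    outcomes["user count"] = str(len(realm.users))
    return outcomes
```

Running `run_scenarios()` shows the two 403 cases from the thread, the repeat exchange resolving through the stored link without creating a second account, and the `link_existing` case attaching the external identity to the existing `bob`. The "ambiguous match" branch is an added caveat: if the email matches one local user and the username another, linking either silently would hand one account's token to the other, so it is rejected regardless of the switch.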