[keycloak-dev] external token exchange - feedback needed

Schuster Sebastian (INST/ESY1) Sebastian.Schuster at bosch-si.com
Mon Sep 25 03:22:15 EDT 2017 

Hi Bill,

Your token exchange approach looks good to me. I still have a few questions: What claim is used to do the matching? Is it email if not linked and iss/sub otherwise? What is the difference between IMPORT_ONLY and UNIQUE_IMPORT? What usernames would be created? OIDC standard claims don't seem to contain something that’s useful as a username..

Thanks and best regards,
Sebastian
 

Mit freundlichen Grüßen / Best regards

Dr.-Ing.  Sebastian Schuster

Engineering and Support (INST/ESY1) 
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B 
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn 




-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Freitag, 22. September 2017 16:48
To: keycloak-dev <keycloak-dev at lists.jboss.org>
Subject: Re: [keycloak-dev] external token exchange - feedback needed

Was thinking about this more...  I'll have a switch "Allow Token Exchange"

I'll also define an import policy:

* EXISTING-ONLY - must match existing account.  No link created.  No import.
* IMPORT - may match existing account.  Link is created/updated
* IMPORT-ONLY - must not match existing account unless previously
linked.   Link is created/updated.
* UNIQUE_IMPORT - must not match existing account unless previously imported. must create a username that is specific to the provider.
Link is created/updated.

For all above policies, realm duplicate email policy applies.

On Thu, Sep 21, 2017 at 4:05 PM, Bill Burke <bburke at redhat.com> wrote:
> I'm almost done implementing external token exchange where you can 
> provide an external OIDC token and exchange it for a Keycloak one.
> Need some feedback though.
>
> * first broker flow and post broker flows won't be executed.  Can't, 
> its a non-browser flow.
> * mappers are run.
> * logout will not logout broker session
> * If duplicate emails exist, abort, 403
> * If duplicate username exists, abort, 403.
>
> The feedback I need is on duplicates.  We might have the case where 
> username is unique across different realms.  Should I have a switch 
> that will use existing user?  Maybe an additional switch to not create 
> a link?  Maybe I should have an exchange flow?
>
>
> --
> Bill Burke
> Red Hat



--
Bill Burke
Red Hat
_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list