[keycloak-user] Use other Keycloak Realm as Identity Provider

Bill Burke bburke at redhat.com
Mon Feb 22 16:39:16 EST 2016


You have to create a client in your "top" realm for the "child" idp.  
You must define a redirect uri in that client.  I think that is probably 
your problem.

On 2/22/2016 4:26 PM, Thomas Darimont wrote:
> I remember some discussions about this on the ML but I couldn't find a 
> concluding answer.
>
> I have a scenario where I need users from a realm "B" to be able to 
> use an application
> that lives in realm "A".
>
> In the concrete use case I have a "B-user" registered in realm "B" 
> that needs to access
> an application X from realm "A".
> "B-user" is already authenticated in keycloak and accesses the 
> application X in realm "A".
> Since the user is not authenticated with realm "A" the user gets 
> redirected to realm "A"s login.
>
> Now I want to make it possible to login the "B-user" either 
> transparently or by clicking on a link
> "login with B" such that he can use application X.
>
> Note that I want to avoid showing B's login.
>
> Is this possible at all?
>
> I thought that this might be possible by defining a Keycloak Identity 
> provider for realm B.
>
> In order to test this I did the following:
>
> I created two realms A and B - each with its own realm user A-user 
> and B-user respectively
> then I defined a new identity provider of type Keycloak OpenID Connect 
> (keycloak-oidc) with the following settings:
>
>     Alias: Realm B
>     Enabled: On
>     Authenticate by default: On
>     First Login Flow: first broker login
>     Post Login flow: --empty--
>     Authorization URL: http://localhost:8081/auth/realms/b/protocol/openid-connect/auth
>     Token URL: http://localhost:8081/auth/realms/b/protocol/openid-connect/token
>     Logout URL: http://localhost:8081/auth/realms/b/protocol/openid-connect/logout
>     User Info URL: http://localhost:8081/auth/realms/b/protocol/openid-connect/userinfo
>     Client ID: account (account application in realm A)
>     Client Secret: fa0c8747-8ea5-43f0-acbd-fea47ad6bab8 (account application in realm A)
>
> In "Mappers" I defined a "user-role-mapper" as a "Hardcoded Role" with 
> "account.view-profile".
>
> As an example app I use the account client that exists in both realms.
>
> Now I login to realm-b and access the account app:
> http://localhost:8081/auth/realms/b/account
>
> If I now browse to:
> http://localhost:8081/auth/realms/a/account
>
> I get a redirect to:
> http://localhost:8081/auth/realms/b/protocol/openid-connect/auth?scope=openid&state=xvB9nevhQp6IhPJzN7-XfRwUI1250UINM-VvegnpNB0.44090b97-e6a2-448d-b453-60d967265cb4&response_type=code&client_id=account&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fauth%2Frealms%2Fa%2Fbroker%2FB%2Fendpoint
>
> which results in a page indicating:
>
>     We're sorry ...
>
>     Invalid parameter: redirect_uri
>
>     « Back to Application
>
> Back to application points to 
> "http://localhost:8081/auth/realms/b/account"
> Did I do anything wrong here? Why is the redirect_uri invalid?
>
> Cheers,
> Thomas
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
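
The realm-to-realm brokering setup discussed above, as an added example that is not code from this thread or from Keycloak itself. It builds the two admin-API representations the setup needs (the `keycloak-oidc` identity provider in realm `a` that points at realm `b`, and the confidential client in realm `b` that the broker authenticates against, which is the client Bill says must exist and must carry the broker callback as a redirect URI) and replays a simplified model of Keycloak's valid-redirect-URI check to show why realm `b`'s own `account` client rejects the callback `http://localhost:8081/auth/realms/a/broker/B/endpoint` while a dedicated client accepts it. Assumptions: the alias `B` is taken from the broker URL in the failing request rather than from the "Realm B" label; the client id `realm-a-broker` and its secret are constructed; the representation key names are those of the Keycloak admin REST API as I know them, not confirmed by the thread; the redirect check handles only absolute entries with an optional trailing `*`, whereas real Keycloak also resolves relative entries against the client's root URL.

```python
"""Model of the realm A <- realm B brokering setup from the thread (added example)."""
import json
from urllib.parse import quote

BASE = "http://localhost:8081/auth"   # constructed: the local instance used in the thread


def broker_endpoint(base: str, realm: str, alias: str) -> str:
    """Callback URI the broker of `realm` sends as redirect_uri for the IdP `alias`.
    This is the redirect_uri visible in the failing authorization request."""
    return f"{base}/realms/{realm}/broker/{quote(alias, safe='')}/endpoint"


def oidc_endpoints(base: str, realm: str) -> dict:
    """Standard Keycloak OpenID Connect endpoints of a realm (as typed into the IdP form)."""
    p = f"{base}/realms/{realm}/protocol/openid-connect"
    return {
        "authorizationUrl": f"{p}/auth",
        "tokenUrl": f"{p}/token",
        "logoutUrl": f"{p}/logout",
        "userInfoUrl": f"{p}/userinfo",
    }


def idp_representation(base, home_realm, remote_realm, alias, client_id, client_secret) -> dict:
    """IdentityProviderRepresentation to create in `home_realm` (key names assumed
    from the Keycloak admin REST API). `client_id`/`client_secret` must belong to a
    client that exists in `remote_realm`, not in `home_realm`."""
    cfg = oidc_endpoints(base, remote_realm)
    cfg.update({"clientId": client_id, "clientSecret": client_secret})
    return {
        "alias": alias,
        "providerId": "keycloak-oidc",
        "enabled": True,
        "authenticateByDefault": True,
        "firstBrokerLoginFlowAlias": "first broker login",
        "config": cfg,
    }


def broker_client_representation(base, home_realm, alias, client_id, client_secret) -> dict:
    """ClientRepresentation to create in the *remote* realm: a confidential client
    whose only valid redirect URI is the broker callback of `home_realm`."""
    return {
        "clientId": client_id,
        "enabled": True,
        "publicClient": False,
        "secret": client_secret,
        "redirectUris": [broker_endpoint(base, home_realm, alias)],
    }


def redirect_uri_allowed(registered: list, requested: str) -> bool:
    """Simplified model of Keycloak's valid-redirect-URI check: an absolute entry
    matches exactly, or, when it ends with '*', as a prefix. Anything else is
    rejected with "Invalid parameter: redirect_uri"."""
    for entry in registered:
        if entry.endswith("*"):
            if requested.startswith(entry[:-1]):
                return True
        elif requested == entry:
            return True
    return False


def demo() -> dict:
    callback = broker_endpoint(BASE, "a", "B")
    # What realm "b" saw in the thread: the request named realm b's own "account"
    # client, whose valid redirect URIs only cover the account pages of realm b.
    account_client_in_b = [f"{BASE}/realms/b/account/*"]
    # The fix: a client in realm "b" registered with the broker callback of realm "a".
    client_b = broker_client_representation(BASE, "a", "B", "realm-a-broker", "constructed-secret")
    idp_a = idp_representation(BASE, "a", "b", "B", "realm-a-broker", "constructed-secret")
    return {
        "callback": callback,
        "account_client_rejects": not redirect_uri_allowed(account_client_in_b, callback),
        "broker_client_accepts": redirect_uri_allowed(client_b["redirectUris"], callback),
        "client_for_realm_b": client_b,
        "idp_for_realm_a": idp_a,
    }


if __name__ == "__main__":
    result = demo()
    print("broker callback:", result["callback"])
    print("realm b 'account' client rejects it:", result["account_client_rejects"])
    print("dedicated broker client accepts it:", result["broker_client_accepts"])
    print("POST /admin/realms/b/clients:\n", json.dumps(result["client_for_realm_b"], indent=2))
    print("POST /admin/realms/a/identity-provider/instances:\n",
          json.dumps(result["idp_for_realm_a"], indent=2))
```

Order matters in practice: create the client in realm `b` first (admin console or admin REST API), then create the identity provider in realm `a` with the same client id and secret. The identity provider's client id refers to a client of the realm being used as the IdP, which is why pointing it at realm `a`'s `account` client, as in the thread, sends realm `b` an authorization request for a client whose redirect URIs do not include the broker callback.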
