[keycloak-user] Authenticated Protocol Mapper?

Dmitry Telegin dt at acutus.pro
Wed Nov 14 13:27:41 EST 2018


Hello Hannah,

Just to make it clear: is your API secured by the same Keycloak instance? does it belong to the same realm?

If so, this is probably a use case for offline tokens and/or impersonation. The idea is, the mapper is executed with Keycloak's privileges, hence no need to perform "honest" authentication; you can in fact produce any token you need to act on behalf of another identity.

However, I'd also suggest that you try to "short-circuit" the whole operation, maybe with the help of RMI/RPC. Is that possible? REST has more overhead, which can come to the fore under high load.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-11-14 at 11:24 +0000, Hannah Short wrote:
> Hi, 
> 
> I’d like to deploy a custom OIDC Protocol Mapper that is itself a client of Keycloak. Is this possible? 
> 
> The objective is for the mapper to be able to call an API that is protected also by Keycloak.
> 
> The current approach was for the mapper to use the Client Credentials flow to authenticate, exchange the access token for one for the API client, and use it to call the API. This works OK until I deploy the mapper to Keycloak, where it throws various exceptions and does not seem to attempt the Client Credentials flow.
> 
> Any guidance, including alternative approaches, would be appreciated!
> 
> Cheers,
> Hannah
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


More information about the keycloak-user mailing list