[keycloak-user] Authenticated Protocol Mapper?

Hannah Short hannah.short at cern.ch
Thu Nov 15 05:13:47 EST 2018


Hi Dmitry, 

Thanks for your help!

> Just to make it clear: is your API secured by the same Keycloak instance? does it belong to the same realm?
Yes, both the same Keycloak instance and realm.

For the offline tokens approach, I’ve understood that they can only be generated programmatically, and for a user. In our case this would be an offline token for the API (we could create a user to “own” this token) - is there a way to generate tokens through the Keycloak UI?

Cheers,
Hannah

> On 14 Nov 2018, at 19:27, Dmitry Telegin <dt at acutus.pro> wrote:
> 
> Hello Hannah,
> 
> Just to make it clear: is your API secured by the same Keycloak instance? does it belong to the same realm?
> 
> If so, this is probably a use case for offline tokens and/or impersonation. The idea is, the mapper is executed with Keycloak's privileges, hence no need to perform "honest" authentication; you can in fact produce any token you need to act on behalf of another identity.
> 
> However, I'd also suggest that you try to "short-circuit" the whole operation, maybe with the help of RMI/RPC. Is that possible? REST has more overhead, which can come to the fore under high load.
> 
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
> 
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
> 
> On Wed, 2018-11-14 at 11:24 +0000, Hannah Short wrote:
>> Hi, 
>> 
>> I’d like to deploy a custom OIDC Protocol Mapper that is itself a client of Keycloak. Is this possible? 
>> 
>> The objective is for the mapper to be able to call an API that is protected also by Keycloak.
>> 
>> The current approach was for the mapper to use the Client Credentials flow to authenticate, exchange the access token for one for the API client, and use it to call the API. This works OK until I deploy the mapper to Keycloak, where it throws various exceptions and does not seem to attempt the Client Credentials flow.
>> 
>> Any guidance, including alternative approaches, would be appreciated!
>> 
>> Cheers,
>> Hannah
>> 
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
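The two-step flow Hannah describes in the quoted message (Client Credentials grant for the mapper's own client, then a Keycloak token exchange for a token scoped to the API client), as an added Python example that is not code from this thread or from Keycloak. The token endpoint URL, client ids and secret are assumed placeholders, and the `post` transport is injectable so the sequence can be exercised offline.

```python
# Added example, not from the thread: Client Credentials followed by a
# Keycloak token exchange (grant_type token-exchange, subject_token, audience).
# realm, client ids and secrets are assumed placeholders.
import base64
import json
import urllib.parse
import urllib.request

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def http_post_form(url, form):
    """Real transport: POST form fields to the token endpoint, return JSON body."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def jwt_claims(token):
    """Decode a compact JWT payload without verifying the signature.
    Acceptable only as a sanity check on a token just received from the
    issuer over TLS; the API receiving it must still verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def get_api_token(token_url, mapper_id, mapper_secret, api_client_id, post=http_post_form):
    # Step 1: the mapper authenticates as a confidential client of its own.
    own = post(token_url, {
        "grant_type": "client_credentials",
        "client_id": mapper_id,
        "client_secret": mapper_secret,
    })
    # Step 2: exchange that token for one whose audience is the API client.
    exchanged = post(token_url, {
        "grant_type": TOKEN_EXCHANGE,
        "client_id": mapper_id,
        "client_secret": mapper_secret,
        "subject_token": own["access_token"],
        "audience": api_client_id,
        "requested_token_type": ACCESS_TOKEN_TYPE,
    })
    api_token = exchanged["access_token"]
    # Refuse to call the API with a token that is not scoped to it.
    aud = jwt_claims(api_token).get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if api_client_id not in aud:
        raise ValueError("exchanged token is not scoped to the API client")
    return api_token
```

The returned token is what the mapper would send as a Bearer credential to the API; the `aud` check is the minimum a caller should do before trusting an exchanged token.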