[keycloak-user] [EXTERNAL] Re: Alternative to Kerberos & Custom Use Case

Aditya Bhole Aditya.Bhole at veritas.com
Fri Aug 9 11:40:46 EDT 2019


Hi Leandro,

I’ve successfully executed the internal to internal token exchange as the starting client and target client both are in the same realm.
When trying the external to internal token exchange however, I’m finding it a bit challenging because I’m always getting the “invalid token” error.

I have done the following configuration using 2 Keycloak Instances:

KC1 has client “choco” in realm “demo”.
KC2 has client “vanilla” in realm “demo2”.
KC2 is configured as an IdP for KC1 with the alias “keycloak-oidc”.

I’ve configured the client policy for “keycloak-oidc” with the client “choco”.

I’m not sure how to configure the client “choco” as the target client (vanilla) is not in the same realm.

So now, if I want to use the externally minted token from KC2 for the internal token in KC1, I’m sending a post request like this:

For getting the subject token I’m logging into “vanilla” using user u2:

http://localhost:8280/auth/realms/demo2/protocol/openid-connect/token

username:u2
password:u2
client_id:vanilla
grant_type:password
client_secret:geheim

I get an access token “X” using this from the “demo2” realm in KC2.

Using this access token X, I’m trying to get an internal KC token for “choco” in realm “demo” on KC1:

http://localhost:8180/auth/realms/demo/protocol/openid-connect/token

client_id:choco
client_secret:geheim
grant_type:urn:ietf:params:oauth:grant-type:token-exchange
subject_token:token X
subject_issuer:keycloak-oidc
subject_token_type:urn:ietf:params:oauth:token-type:access_token
requested_token_type:urn:ietf:params:oauth:token-type:access_token
audience:vanilla

But I get the “invalid token” error.

Am I making a mistake somewhere? Please help.

Regards,
Aditya
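The two-step flow described in the mail above (password grant on KC2 to obtain the subject token, then the external-to-internal token exchange on KC1), written out as an added example that is not from the thread or from the Keycloak project. Only the URLs, realms, client names and form parameters from the mail are used; the claim check before the exchange is an assumption added here for debugging: it reads the subject token's `iss` and `exp` without verifying the signature so that they can be compared with what the `keycloak-oidc` identity provider on KC1 was configured with. `make_unsigned_sample_jwt` builds a constructed, unsigned token purely so the claim check can be exercised offline.

```python
"""Added example: KC2 password grant -> KC1 token exchange, with an offline
pre-check of the subject token's claims. Not code from the mailing-list thread."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Endpoints and identifiers exactly as given in the mail.
KC2_TOKEN_URL = "http://localhost:8280/auth/realms/demo2/protocol/openid-connect/token"
KC1_TOKEN_URL = "http://localhost:8180/auth/realms/demo/protocol/openid-connect/token"
KC2_REALM_ISSUER = "http://localhost:8280/auth/realms/demo2"  # assumption: issuer of the demo2 realm
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def password_grant_body(username, password, client_id, client_secret):
    """Step 1 form body: resource owner password grant against KC2 (as in the mail)."""
    return {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def token_exchange_body(client_id, client_secret, subject_token, subject_issuer, audience):
    """Step 2 form body: external-to-internal token exchange against KC1 (as in the mail)."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_issuer": subject_issuer,        # alias of the IdP configured on KC1
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,                    # "vanilla" in the mail
    }


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)  # restore the padding JWTs strip
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Read a JWT payload WITHOUT verifying the signature (debugging aid only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_subject_token(token, expected_issuer):
    """Return mismatches between the subject token and what the KC1 IdP is assumed
    to expect: issued by the KC2 realm and not yet expired. Empty list = looks fine."""
    claims = decode_jwt_claims(token)
    findings = []
    if claims.get("iss") != expected_issuer:
        findings.append(f"iss is {claims.get('iss')!r}, expected {expected_issuer!r}")
    if "exp" not in claims:
        findings.append("token has no exp claim")
    elif claims["exp"] < time.time():
        findings.append("token is expired")
    return findings


def make_unsigned_sample_jwt(claims):
    """Constructed, unsigned (alg 'none') token used only to test the claim check offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def post_form(url, body):
    """POST a form-encoded body and return the parsed JSON response."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(body).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def exchange_external_token():
    """Run both steps against the two local instances from the mail (needs them running)."""
    subject_token = post_form(KC2_TOKEN_URL, password_grant_body("u2", "u2", "vanilla", "geheim"))["access_token"]
    problems = check_subject_token(subject_token, KC2_REALM_ISSUER)
    if problems:
        raise SystemExit("subject token will likely be rejected: " + "; ".join(problems))
    return post_form(KC1_TOKEN_URL, token_exchange_body("choco", "geheim", subject_token, "keycloak-oidc", "vanilla"))


if __name__ == "__main__":
    print(json.dumps(exchange_external_token(), indent=2))
```

Running `exchange_external_token()` reproduces the exact pair of requests from the mail; the pre-check only surfaces the two most common reasons an external token is not accepted that can be seen from the token itself (issuer not matching the IdP's configured issuer, or expiry), so an "invalid token" response that survives the check points at the KC1 side, such as the IdP or client-policy configuration.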

From: Leandro Del Sole <leandrodelsole at gmail.com>
Date: Tuesday, August 6, 2019 at 5:11 PM
To: Aditya Bhole <Aditya.Bhole at veritas.com>
Cc: "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Subject: [EXTERNAL] Re: [keycloak-user] Alternative to Kerberos & Custom Use Case

I think what you're looking for is:
https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange

Probably this specific part:
https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange

It's worth reading all the possibilities to see which fits better for your case.

I'm glad to hear if there are better options to achieve this, I have a similar scenario here.

On Tue, Aug 6, 2019 at 8:48 PM, Aditya Bhole <Aditya.Bhole at veritas.com> wrote:
Hi,

Are there any other mechanisms in Keycloak apart from Kerberos which can establish something similar to a cross realm trust?

Also, consider this use case: We have App A and App B. App A and App B may have different Keycloak instances or may be in different realms of the same Keycloak instance. User logs into App A. He clicks on a button in App A which is supposed to take him to App B. The user now has a JWT when he logged into App A. Now App B knows that all the redirects are going to be from App A. So can App B verify the token through App A?

Regards,
Aditya
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
