[keycloak-user] [EXTERNAL] Re: Alternative to Kerberos & Custom Use Case

Leandro Del Sole leandrodelsole at gmail.com
Sun Aug 11 21:32:03 EDT 2019


Hello Aditya,

I'm here in the list looking for support to make the external to internal
token work as well, so I'm not the best person to help you.
I hope someone that is reading us can help you better.
I'm sending the problem I'm facing soon in a new thread.

Although it should work with two Keycloaks, you can run this scenario in
just one Keycloak instance with two different realms. If it's just a test
scenario, you may want to keep it simpler.

Another point, the audience parameter is optional. So, to start, I would
omit it.

> audience
> OPTIONAL. This parameter specifies the target client you want the new
> token minted for.


As I understood from the other chunks of explanation on the page
https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange,
audience should be a different client other than "choco" in the realm
"demo".

With which Content-Type are you submitting your request? I've just tried using
"Content-Type: application/x-www-form-urlencoded".

And just to be sure, when you say, "subject_token:token X", you're
replacing all the "token X" with your token, not only the "X", right?

All other configuration and parameters seem Ok to me.

Hope this helps.

Regards,
Leandro

On Fri, 9 Aug 2019 at 12:40, Aditya Bhole <Aditya.Bhole at veritas.com>
wrote:

> Hi Leandro,
>
>
>
> I’ve successfully executed the internal to internal token exchange as the
> starting client and target client both are in the same realm.
>
> When trying the external to internal token exchange however, I’m finding
> it a bit challenging because I’m always getting the “invalid token” error.
>
>
>
> I have done the following configuration using 2 Keycloak Instances:
>
>
>
> KC1 has client “choco” in realm “demo”.
>
> KC2 has client “vanilla” in realm “demo2”.
>
> KC2 is configured as an IdP for KC1 with the alias “keycloak-oidc”.
>
>
>
> I’ve configured the client policy for “keycloak-oidc” with the client
> “choco”.
>
>
>
> I’m not sure how to configure the client “choco” as the target client
> (vanilla) is not in the same realm.
>
>
>
> So now, if I want to use the externally minted token from KC2 for the
> internal token in KC1, I’m sending a post request like this:
>
>
>
> For getting the subject token I’m logging into “vanilla” using user u2:
>
>
>
> http://localhost:8280/auth/realms/demo2/protocol/openid-connect/token
>
>
>
> username:u2
>
> password:u2
>
> client_id:vanilla
>
> grant_type:password
>
> client_secret:geheim
>
>
>
> I get an access token “X” using this from “demo2” realm in KC2.
>
>
>
> Using this access token X, I’m trying to get an internal KC token for
> “choco” in realm “demo” on KC1:
>
>
>
> http://localhost:8180/auth/realms/demo/protocol/openid-connect/token
>
>
>
> client_id:choco
>
> client_secret:geheim
>
> grant_type:urn:ietf:params:oauth:grant-type:token-exchange
>
> subject_token:token X
>
> subject_issuer:keycloak-oidc
>
> subject_token_type:urn:ietf:params:oauth:token-type:access_token
>
> requested_token_type:urn:ietf:params:oauth:token-type:access_token
>
> audience:vanilla
>
>
>
> But I get the “invalid token” error.
>
>
>
> Am I making a mistake somewhere? Please help.
>
> Regards,
>
> Aditya
>
>
>
> *From: *Leandro Del Sole <leandrodelsole at gmail.com>
> *Date: *Tuesday, August 6, 2019 at 5:11 PM
> *To: *Aditya Bhole <Aditya.Bhole at veritas.com>
> *Cc: *"keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
> *Subject: *[EXTERNAL] Re: [keycloak-user] Alternative to Kerberos &
> Custom Use Case
>
>
>
> I think what you're looking for is:
>
>
> https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange
>
>
>
> Probably this specific part:
>
>
> https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange
>
>
>
> It's worth reading all the possibilities to see which fits better for your
> case.
>
>
>
> I'm glad to hear if there are better options to achieve this, I have a
> similar scenario here.
>
>
>
> On Tue, 6 Aug 2019 at 20:48, Aditya Bhole <Aditya.Bhole at veritas.com>
> wrote:
>
> Hi,
>
> Are there any other mechanisms in Keycloak apart from Kerberos which can
> establish something similar to a cross realm trust?
>
> Also, consider this use case: We have App A and App B. App A and App B may
> have different Keycloak instances or maybe in different realms of the same
> Keycloak instance. User logs into App A. He clicks on a button in App A
> which is supposed to take him to App B. The user now has a JWT when he
> logged into App A. Now App B knows that all the redirects are going to be
> from App A. So can App B verify the token through App A?
>
> Regards,
> Aditya
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
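As an added illustration of the two requests described in Aditya's message (not code from the thread or from the Keycloak project), the script below builds the password-grant body for KC2 and the external-to-internal token-exchange body for KC1 exactly as form-encoded parameters, following Leandro's points: send them as `application/x-www-form-urlencoded`, pass the complete access token as `subject_token`, and leave the optional `audience` out unless you need it. It also decodes (without verifying) the subject token's payload so you can confirm before exchanging that the token really comes from the `demo2` realm on KC2, which is what KC1 expects behind the `keycloak-oidc` identity provider. The URLs, client ids and the secret `geheim` are taken from the thread; the sample JWT is constructed here with a fake signature so the script runs offline, and `post_form` is the only part that needs the two Keycloak instances to be running.

```python
import base64
import json
import urllib.parse
import urllib.request

# Endpoints from the thread: KC2 is the external IdP, KC1 the internal realm.
KC2_TOKEN_URL = "http://localhost:8280/auth/realms/demo2/protocol/openid-connect/token"
KC1_TOKEN_URL = "http://localhost:8180/auth/realms/demo/protocol/openid-connect/token"
KC2_ISSUER = "http://localhost:8280/auth/realms/demo2"
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def password_grant_body(client_id, client_secret, username, password):
    """Form body for step 1: resource-owner password grant against KC2."""
    return urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    })


def external_exchange_body(client_id, client_secret, subject_token,
                           subject_issuer, audience=None):
    """Form body for step 2: external-to-internal exchange against KC1.

    subject_token must be the whole access token string ("token X" with the
    literal words left in is rejected here). audience is optional and is
    only added when given.
    """
    if not subject_token or subject_token.count(".") != 2 or " " in subject_token:
        raise ValueError("subject_token must be a complete JWT")
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_issuer": subject_issuer,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
    }
    if audience:
        params["audience"] = audience
    return urllib.parse.urlencode(params)


def parse_form(body):
    """Decode a form body back into {name: value} (single-valued fields)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body).items()}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature; inspection only."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def check_subject_token(token, expected_issuer):
    """Return (ok, iss): does the token claim to come from the IdP realm?"""
    iss = jwt_claims(token).get("iss")
    return iss == expected_issuer, iss


def post_form(url, body):
    """POST the body with the Content-Type Keycloak's token endpoint expects."""
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _sample_jwt(claims):
    """Constructed JWT-shaped string with a fake signature, for offline use."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".fakesig"


# Constructed stand-in for the access token "X" that KC2 would issue to u2.
SAMPLE_SUBJECT_TOKEN = _sample_jwt({"iss": KC2_ISSUER, "azp": "vanilla", "sub": "u2"})


if __name__ == "__main__":
    ok, iss = check_subject_token(SAMPLE_SUBJECT_TOKEN, KC2_ISSUER)
    print("subject token issuer matches KC2 realm:", ok, iss)
    print(external_exchange_body("choco", "geheim", SAMPLE_SUBJECT_TOKEN, "keycloak-oidc"))
    # Live run against both instances (commented out; needs KC1 and KC2 up):
    # tok = post_form(KC2_TOKEN_URL, password_grant_body("vanilla", "geheim", "u2", "u2"))["access_token"]
    # print(post_form(KC1_TOKEN_URL, external_exchange_body("choco", "geheim", tok, "keycloak-oidc")))
```

Running it prints the issuer check and the exact body that goes to KC1; a subject token whose `iss` is not the KC2 realm, or one pasted with surrounding text, is caught before any request is sent.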

