[keycloak-user] User Propagation (on behalf of flow) in REST/OIDC+OAuth2

Raggy Fab fabulous.rag at googlemail.com
Thu Feb 28 15:20:37 EST 2019

Hi Keycloak users!

At my old company, when using SOAP, we were using standards like WS-Trust,
including a Security Token Service, to authenticate SAML tokens for our users
(incl. audience-URI-specific claims/roles). We used the WS-Federation
standard to let users authenticate and used WS-Trust to propagate the user's
SAML token across multiple application/webservice hops (onBehalfOf flow).
We did use SAML tokens issued from service accounts for backend2backend

Now my question is:
Which of these use cases are supported (out of the box or partly supported),
and based on which protocol/flows, in the Keycloak REST/OIDC/OAuth2/JWT world? I
had trouble finding input online specifically on how to implement an onBehalfOf
flow. We also have a use case where an external provider sends us a JWT
token signed by their STS (the users are valid users in our world that we can map)
which we would like to "federate" (sign with our STS and translate their
claims), and I was wondering what the best way would be to achieve such a
token "translation" and whether there is a standard for that.

If you can point me to a specific flow which is supported by Keycloak, or
give me hints on how to achieve a similar use case (or let me know if
there is no standard for a certain use case), that would be awesome!

