[keycloak-user] exchange token cross realm

triton oidc triton.oidc at gmail.com
Mon Jun 17 04:36:59 EDT 2019


Hi keycloak users!

My target is to exchange an OIDC access token (linked to a user)
from an app1 in realm 1 to an app2 in realm 2.

I'm using 4.8.3.Final on both IDPs.

Using a curl script, it works great (minus a user linking issue).

However, I'm looking for a prod-ready implementation, and I can't give all
the credentials to the calling API.
In my example, API 1 would need:
- the client id / secret on IDP1, used for the link to IDP2
- the client id / secret on IDP2, used for the link to IDP1

I can't put that in my procedure.

I therefore created a new component that does the mapping, and this
component does have the credentials on both IDP.

The complexity is increased, and my boss is not convinced that creating an
exchange component is the best way to solve the issue.

link to the sequence diagram (rendered-image URL truncated in the archive; the source link below opens the same diagram)
link to the source of the diagram
<https://www.websequencediagrams.com/?lz=dGl0bGUgRXhjaGFuZ2UgdG9rZW4gd2l0aCBtYWdpY2FsCnBhcnRpY2lwYW50IEJyb3dzZXIgYXMgQgAMDUFwcDEgYXMgUlAxACQNS2V5Y2xvYWsAGAVJRAAPD0NvbXBvbmVudFggYXMgTQAlFTIAMwcyAGAQABQFUlAyCgoKQi0-UlAxOlVzZXIgZ29lcyB0byB0aGUgYXBwClJQMS0tPkI6MzAyIHJlZGlyZWN0IElEUApCPC0-SURQMTpJZGVudGlmaWNhdGlvbiBjaGFsbGVuZ2UKSUQANQdSADAIdG8gYXBwAIIaBmNvZGUAcghSZXR1cgCCMQcAEwVSUDEAVwdlAIJTCGNvZGUgYWdhaW5zdFxuSUQvQWNjZXNzL1JlZnJlc2gAgnUGAGwIUlAxOgAeBQAREXMKbm90ZSBvdmVyIFJQMTpWZXJpZnkgSUQAgzUHc2lnbmF0dXJlXG5JbnRyb3NwZWN0IABmBiBUb2tlblxuR2V0dXNlcmluZm8AghcJSG9tZSBwYWdlAFULQjpEaXNwbGF5IAAIFnJlcXVlc3QgYWMAgjUFdXNpbmcgYXBwMiByZXN1bHQAgxEIABoOAIISCwA5CACCHAkAhHoGZm9yAIQRC1xuAIJqBnVycmVuAIFCCQCFJQVcbmFuZACEdwYvAIRJBWUAhEgGY3JlAINQBWFsAIIjDACDaQVBTSB2AIItBnRoYXQAhCIFIkFwcDEiAIV1B2NhbiBiZQCBCQlcbgCDLAcgYQBaB3RYAIMZEnIAg3ULAIEUDACBRQVjAIVdCQCEEQZNOmdldCByZXNzb3VyY2UAhUYGAIZuBWEAgVALCk0AgVdNAIZ_CgCCEQsgdXNlZACCaQVmZWRlcgCFewUAggwkAIJgCgCCFSFyZWFkeQCDTAVrAIdICQCFXQ1NAIIwDQCBewcAhSMFAIQCBUtleWsAiAIFXG5nZW5lcmF0ZWQgZnJvbQCIUQoKAIIkBzIAgVxPMgCBfS4yAIRGFQCBdgoAiUgJAIRjB1xuAIRcDwCIFQggAIVNBzIAhykGCgpJRFAyAIIIIkFwcDIAggYFUlAyAIRJGQCKMwUAhjYMCgpSAE8OAIdFBwCHOgdNAIVTDgAPDgCKUwgAJRUAiDIUc2VhcmNoAIgVCA&s=rose>


Is there a way to simplify this?
For example, when I do two token exchanges in the same realm (App1 to App2 to App3),
could I use the credential shared between App1 and App2 to do the
exchange of the App2 token against an App3 token (only if the App1 token
can be exchanged against an App2 token)?

This way, when I do a cross-realm exchange, I won't need the credentials
of the current IDP, but only the App credentials.

Or some other way I have not figured out.

Thanks for any tips

Amaury
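The "exchange component" the post describes, sketched as an added example (not code from the thread or from Keycloak): a small server-side helper that holds the confidential client credentials for both realms and performs the token exchange on behalf of the calling API, which only ever hands over its own App1 access token. The grant type and token type identifiers are the RFC 8693 values Keycloak's token endpoint accepts; the hostnames, client ids, environment variable names, identity-provider aliases and the exact two-hop parameter choice (`requested_issuer` on the first hop, `subject_issuer` plus `audience` on the second) are assumptions about a brokered realm-1/realm-2 setup and must be checked against the actual configuration. The transport function is injectable so the flow can be exercised without a live IDP.

```python
"""Sketch of an 'exchange component' that performs Keycloak token exchange on
behalf of a calling API while keeping both realms' client secrets on its own
side. Added illustration; hostnames, client ids, IdP aliases and the two-hop
parameters are assumptions, not values from the thread."""
import json
import os
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# RFC 8693 identifiers used by Keycloak's token endpoint for token exchange.
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

PostFn = Callable[[str, Dict[str, str]], dict]


@dataclass(frozen=True)
class RealmClient:
    """A confidential client registered in one realm; its secret never leaves this component."""
    token_url: str      # e.g. https://idp1.example/auth/realms/realm1/protocol/openid-connect/token (assumed)
    client_id: str
    client_secret: str


def load_from_env(prefix: str) -> RealmClient:
    """Read one realm's client from the environment (assumed variable names:
    <PREFIX>_TOKEN_URL, <PREFIX>_CLIENT_ID, <PREFIX>_CLIENT_SECRET), so the
    calling API never has to carry these values."""
    return RealmClient(
        token_url=os.environ[f"{prefix}_TOKEN_URL"],
        client_id=os.environ[f"{prefix}_CLIENT_ID"],
        client_secret=os.environ[f"{prefix}_CLIENT_SECRET"],
    )


def exchange_form(client: RealmClient, subject_token: str, **params: str) -> Dict[str, str]:
    """Build the form body of one token-exchange request. Extra keyword
    parameters (requested_issuer, subject_issuer, audience, ...) select the
    kind of exchange Keycloak performs."""
    form = {
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "client_id": client.client_id,
        "client_secret": client.client_secret,
        "subject_token": subject_token,
        "subject_token_type": TYPE_ACCESS_TOKEN,
    }
    form.update(params)
    return form


def http_post_form(url: str, form: Dict[str, str]) -> dict:
    """Real transport: POST application/x-www-form-urlencoded and parse the JSON reply.
    The URL comes from this component's configuration, never from the caller."""
    req = Request(url, data=urlencode(form).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def cross_realm_exchange(idp1: RealmClient, idp2: RealmClient, app1_token: str,
                         idp2_alias_in_realm1: str, realm1_alias_in_realm2: str,
                         app2_client_id: str, post: PostFn = http_post_form) -> dict:
    """Two-hop exchange. The caller supplies only its App1 access token; every
    secret comes from the RealmClient objects held by this component.

    Hop 1 (assumed): ask realm 1 for the external token of the brokered IdP
    that represents realm 2 (internal-to-external exchange, requested_issuer).
    Hop 2 (assumed): present that token to realm 2 as a token from its
    'realm1' identity provider (subject_issuer) and ask for an App2 token (audience).
    """
    hop1 = post(idp1.token_url,
                exchange_form(idp1, app1_token, requested_issuer=idp2_alias_in_realm1))
    hop2 = post(idp2.token_url,
                exchange_form(idp2, hop1["access_token"],
                              subject_issuer=realm1_alias_in_realm2,
                              audience=app2_client_id))
    return hop2


if __name__ == "__main__":
    # Wiring for a real deployment: both realms' clients come from the environment.
    result = cross_realm_exchange(load_from_env("IDP1"), load_from_env("IDP2"),
                                  app1_token=os.environ["APP1_TOKEN"],
                                  idp2_alias_in_realm1="realm2-broker",   # assumed alias
                                  realm1_alias_in_realm2="realm1-broker",  # assumed alias
                                  app2_client_id="app2")                  # assumed client id
    print(result.get("token_type"), "token obtained for App2")
```

The point of the shape is the trust boundary: the calling API's request carries a token it already legitimately holds and nothing else, while both client secrets live only in the component's environment. Whether hop 1 returns a usable token for the second realm depends on the user being linked through the broker (the "user linking issue" mentioned above), so the component should treat a missing `access_token` in hop 1 as a hard failure rather than proceeding.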

