OpenID connect implicit flow between 2 keycloak


guillaumearybak

Jun 29, 2020, 11:23:25 AM
to Keycloak User
Hello everyone!

I would like to do the following:
- 1 Keycloak on the internet, to handle login from everywhere.
- 1 Keycloak on a closed network (cut off from the internet) for security reasons, to handle local authentication.

The user's browser will have access to both networks (private and internet), and I would like the user to be able to log on to the isolated Keycloak using their account on the internet Keycloak.
I was planning to use the implicit flow of OpenID Connect but I can't seem to be able to configure it in the Identity Provider config page (in the isolated keycloak).

Am I doing it wrong, and is it possible?

Regards.

Thomas Darimont

Jun 29, 2020, 12:40:13 PM
to guillaumearybak, Keycloak User
Hello Guillaume,

The scenario you describe is quite common and a valid approach.
However, you need to use the authorization code grant flow and a confidential client for the Keycloak OIDC Identity Provider integration.

You can either use the existing "broker" confidential client with client-id / client-secret as the IdP broker client or create a dedicated confidential client.
Note that in both cases you need to add the generated broker endpoint URL "/endpoint/*" to the list of allowed redirect_uris.

Cheers,
Thomas




guillaumearybak

Jul 1, 2020, 8:59:20 AM
to Keycloak User
Hello! Thanks for your reply 🙂

Sorry, I'm not sure I was clear or I didn't understand your answer :(.

In my case the identity broker and the identity provider cannot communicate with each other. Only the user's browser has access to both. From what I understand, using the authorisation code flow would require the isolated Keycloak to be able to communicate with the other Keycloak in order to exchange the authorisation code for the appropriate tokens, which it cannot do.

I've been using SAML since the user's browser is used as a transit between the 2 Keycloaks, but I'd prefer using OpenID Connect.


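Thomas's answer (authorization code flow, confidential client, broker endpoint in the allowed redirect URIs) and Guillaume's concern that the broker must reach the IdP, as an added example that is not code from this thread or from the Keycloak project: it builds the identity provider entry for the isolated broker and the matching confidential client for the internet Keycloak, checks that the two agree on the redirect URI, and lists the URLs the broker server itself (not the browser) has to reach. Hostnames, realm names, the alias, the `/realms/<realm>/broker/<alias>/endpoint` path layout and the simplified redirect matcher are assumptions.

```python
def broker_endpoint(broker_base: str, realm: str, alias: str) -> str:
    """Redirect URI the broker generates for an identity provider alias (assumed layout)."""
    return f"{broker_base}/realms/{realm}/broker/{alias}/endpoint"

def idp_representation(alias, idp_base, idp_realm, client_id, client_secret):
    """Body for POST /admin/realms/{realm}/identity-provider/instances on the broker.
    authorizationUrl is visited by the browser; tokenUrl and jwksUrl are called by the
    broker server itself, so the isolated Keycloak needs a network path to the IdP."""
    issuer = f"{idp_base}/realms/{idp_realm}"
    return {
        "alias": alias,
        "providerId": "oidc",
        "enabled": True,
        "config": {
            "clientId": client_id,
            "clientSecret": client_secret,            # confidential client credential
            "clientAuthMethod": "client_secret_post",
            "authorizationUrl": f"{issuer}/protocol/openid-connect/auth",  # front channel
            "tokenUrl": f"{issuer}/protocol/openid-connect/token",         # back channel
            "jwksUrl": f"{issuer}/protocol/openid-connect/certs",          # back channel
            "validateSignature": "true",
            "useJwksUrl": "true",
        },
    }

def idp_client_representation(client_id, client_secret, redirect_uri):
    """Confidential client on the IdP; redirectUris must cover the broker endpoint."""
    return {
        "clientId": client_id,
        "secret": client_secret,
        "publicClient": False,          # confidential: secret required at the token endpoint
        "standardFlowEnabled": True,    # authorization code flow
        "implicitFlowEnabled": False,   # not used for brokering
        "redirectUris": [redirect_uri + "/*"],
    }

def backchannel_urls(idp_rep: dict) -> list:
    """URLs the broker server (not the browser) must reach; probe these from the closed network."""
    return [idp_rep["config"]["tokenUrl"], idp_rep["config"]["jwksUrl"]]

def redirect_uri_allowed(uri: str, allowed: list) -> bool:
    """Simplified stand-in for Keycloak's matcher (assumption): 'p/*' accepts p and p/..."""
    for pattern in allowed:
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            if uri == prefix or uri.startswith(prefix + "/"):
                return True
        elif uri == pattern:
            return True
    return False
```

If `backchannel_urls` cannot be reached from the isolated network, the code flow cannot complete no matter how the entries are configured, which is the situation Guillaume describes.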