Question
We set up a testing environment for Keycloak. The environment runs on GCP. It has two Keycloak instances:
- Instance A acts as a test login Keycloak, named test-login-1
- Instance B acts as a test external identity provider, named test-login-2
We need to use instance A to connect to instance B,
so that instance A users are able to log in via instance B.
Is there any way to do this? How can we implement this logic?
Answer 1:
You need to configure `test-login-2` as an identity provider for `test-login-1`. You can read about identity brokering here. I will be calling *internal realm* the realm that will be used from the internal Keycloak (`test-login-1`), and *external realm* the realm that will be used from the external Keycloak (`test-login-2`).

For that go to the Admin Console and:

- select your `Realm` from `test-login-1`, and click on `Identity Providers`
- On the right side of the page select `Keycloak OpenID Connect` from the `Add provider...` dropdown menu. It will pop up the `Add Identity Provider` form; from there set:
  - the `alias`
  - the `Authorization URL`, `Token URL`, `Logout URL`, `User Info URL` and `Issuer` to the corresponding endpoints that can be found on the realm of `test-login-2` on the `.well-known` endpoint (i.e., `<KEYCLOAK_IP>/auth/realms/<External Realm Name>/.well-known/openid-configuration`)
  - For the `Client Authentication` you can select `Client secret send as post`
  - For the `Client ID` and `Client Secret`, first you need to create a new `client` in your external `realm` (of `test-login-2`) and use its `Client ID` and `Client Secret` here. This client:
    - can have `Access Type` `Confidential`
    - `Standard Flow Enabled`: `ON`
    - `Valid Redirect URIs`: set it to your Keycloak IP followed by `"*"`, for instance `<KEYCLOAK_IP>*`
    - `Web Origins`: `+`
  - Save

Bear in mind that some of those configurations might have to be adapted to your own needs.

Now if everything was set correctly, on the internal realm login page of the Keycloak (`test-login-1`) a new button will show up that the users stored on the external realm (of `test-login-2`) can click on to authenticate against the external realm.

Now you configure your app to land at the Internal Realm Login page: the users from your internal realm authenticate immediately there, and the users from the external realm click on the new button to explicitly authenticate against the external realm.
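As an added example (not code from the answer above), the following Python helper builds the two objects the answer walks through from the external realm's discovery document: the confidential client to create in `test-login-2` and the `keycloak-oidc` identity provider to create in `test-login-1`. It goes one step further than the answer by checking that every discovery endpoint sits under the claimed issuer and by limiting the redirect URI to the broker callback instead of `<KEYCLOAK_IP>*`. The `*.example` hosts are placeholders; the `keycloak-oidc` config keys, the broker callback path `/auth/realms/<realm>/broker/<alias>/endpoint` and the Admin REST API paths in the note below are assumptions about Keycloak, not taken from the page.

```python
# Constructed sample of what the external realm's .well-known/openid-configuration returns.
EXT = "https://test-login-2.example/auth/realms/external"  # placeholder host/realm
SAMPLE_DISCOVERY = {
    "issuer": EXT,
    "authorization_endpoint": EXT + "/protocol/openid-connect/auth",
    "token_endpoint": EXT + "/protocol/openid-connect/token",
    "userinfo_endpoint": EXT + "/protocol/openid-connect/userinfo",
    "end_session_endpoint": EXT + "/protocol/openid-connect/logout",
    "jwks_uri": EXT + "/protocol/openid-connect/certs",
}

def endpoints_match_issuer(discovery):
    """Sanity check before trusting a discovery document: every endpoint the
    broker will call must live under the issuer it claims."""
    base = discovery["issuer"].rstrip("/") + "/"
    keys = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
            "end_session_endpoint", "jwks_uri")
    return all(discovery[k].startswith(base) for k in keys)

def broker_client(client_id, internal_base, internal_realm, alias):
    """Client to create in the EXTERNAL realm (test-login-2); the broker in test-login-1 uses it."""
    return {
        "clientId": client_id,
        "publicClient": False,          # Access Type: Confidential
        "standardFlowEnabled": True,    # Standard Flow Enabled: ON
        # Tighter than the answer's "<KEYCLOAK_IP>*": only the broker callback (assumed path).
        "redirectUris": [f"{internal_base}/auth/realms/{internal_realm}/broker/{alias}/endpoint*"],
        "webOrigins": ["+"],
    }

def identity_provider(alias, discovery, client_id, client_secret):
    """Keycloak OpenID Connect identity provider to create in the INTERNAL realm (test-login-1)."""
    return {
        "alias": alias,
        "providerId": "keycloak-oidc",
        "enabled": True,
        "config": {  # assumed keycloak-oidc config keys
            "issuer": discovery["issuer"],
            "authorizationUrl": discovery["authorization_endpoint"],
            "tokenUrl": discovery["token_endpoint"],
            "userInfoUrl": discovery["userinfo_endpoint"],
            "logoutUrl": discovery["end_session_endpoint"],
            "clientId": client_id,
            "clientSecret": client_secret,
            "clientAuthMethod": "client_secret_post",  # "Client secret send as post"
            "validateSignature": "true",               # verify tokens against the external realm's keys
            "useJwksUrl": "true",
            "jwksUrl": discovery["jwks_uri"],
        },
    }
```

With an admin token, the client payload is POSTed to `<KEYCLOAK_IP>/auth/admin/realms/<External Realm Name>/clients` on test-login-2 and the identity provider payload to `<KEYCLOAK_IP>/auth/admin/realms/<Internal Realm Name>/identity-provider/instances` on test-login-1 (assumed Admin REST API paths).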
Source: https://stackoverflow.com/questions/65017085/how-to-check-authenticate-keycloak-instance-a-user-from-another-keycloak-instanc