how to check authenticate keycloak instance A user from another keycloak instance B?

喜夏-厌秋 提交于 2021-02-04 19:53:04

问题


we setup a testing environment for keycloak. The environment run on GCP. It have two keycloak instances:

  1. Instance A acts as a test login keycloak, named test-login-1
  2. Instance B acts as a test external identity provider, named test-login-2

We need to use the instance A to connect the instance B.

So instance A user can able to login via instance B.

Is there any way to do this? How can We implement this logic?


回答1:


You need to configure the test-login-2 as an identity provider for the test-login-1. You can read about identity brokering here. I will be calling internal realm to the realm that will be used from the internal Keycloak (test-login-1), and external realm to the realm that will be used from the external Keycloak (test-login-2).

For that go to the Admin Console and:

  • select your Realm from test-login-1, and click on Identity Providers
  • On the right side of the page select Keycloak OpenID Connect from the Add provider ... dropdown menu. It will popup the Add Identity Provider form, from there set:
  • the alias
  • the Authorization URL, Token URL, Logout URL, User Info URL and Issuer to the correspondent endpoints that can be found on the realm of test-login-2 on the .well-known endpoint (i.e., <KEYCLOAK_IP>/auth/realms/<External Realm Name>/.well-known/openid-configuration)
    • For the Client Authentication you can select Client secret send as post
    • For the Client ID and Client Secret first you need to create a new client in your external realm (of test-login-2) and use its Client ID and Client Secret here.
    • This client:
    • can have Access Type Confidential
    • Standard Flow Enabled : ON
    • Valid Redirect URIs set it to your Keycloak IP followed by "*", for instance <KEYCLOAK_IP>*
    • Web Origins : +
    • Save

Bear in mind that some of those configurations might have to be adapted to your own needs.

Now if everything was set correctly, at the keycloak (test-login-1) internal realm login page will show up a new button that the users stored on the external realm (of test-login-2) can click on to authenticate against the external realm.

Now you configure your app to lend at the Internal Realm Login page, the users from your internal realm authenticate immediately there, the users from the external realm click on the new button to explicitly authenticate against the external realm.



来源:https://stackoverflow.com/questions/65017085/how-to-check-authenticate-keycloak-instance-a-user-from-another-keycloak-instanc

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!