Is Keycloak right solution for my usecase

brijchavda · June 1, 2020, 7:16am

My Usecase is.

I have this saas solution. Lets say

web.foo.com

Users of this solution should be able to login using Github, Gitlab and few other Identity providers.

Each user logged in belongs to a particular tenant. and it has its own way to access the product.

for e.g

tenant.foo.com

When user logs in to web .foo.com and then goes to tenant .foo.com , it should automatically be logged in.

tenant .foo.com is also oauth enabled, which means, it needs to have the same access token , returned by github or gitlab, which user has used to login.

Can this be achieved using keycloak.

Thanks a lot in advance.

trotman23 · June 1, 2020, 4:49pm

You can configure Keycloak to store external IDP tokens, and then your tenant applications can retrieve them after a login:
https://www.keycloak.org/docs/latest/server_admin/index.html#retrieving-external-idp-tokens

polfilm · June 23, 2020, 6:47pm

@trotman23 I’m having issues retrieving external idp tokens. Is there any way we could confirm steps? I have described them here.

trotman23 · June 24, 2020, 10:50pm

Sure I’ll attempt to describe my setup and the steps I took from the documentation.

IDP

“Store Tokens” enabled
“Stored Tokens Readable” enabled (only matters for new users so could skip 4)

broker client

create a client role named read-token

other client (can be any OIDC client that gets an access token)

make sure there is a mapper for “client roles”. By default, this is part of the client scope called “roles”. If you don’t have that client scope assigned to this client, you can create a mapper with this configuration:

Screen Shot 2020-06-24 at 5.41.49 PM1041×615 33.3 KB

User (can skip if user was imported after “Stored Tokens Readable” was enabled

Assign the broker read-token role to your user

Screen Shot 2020-06-24 at 5.46.58 PM1096×192 11.1 KB

Complete a login and get the access token. Send a request to /auth/realms/{realm}/broker/{provider_alias}/token with the authorization header set to Bearer ${token} as described in the docs

Your token should contain client roles for the broker client in the resource_access claim:

"resource_access": {
    "broker": {
      "roles": [
        "read-token"
      ]
    }
}

FWIW, i’m on keycloak 9.0.3, but have performed these steps on previous versions as well with no issues.

polfilm · June 25, 2020, 2:43am

Dear @trotman23

I am very grateful for your hint. Your words from point #3 should really make it into Keycloak documentation.

I first tried the mapper and it worked, then I dropped the mapper and simply added “roles” from list to Assigned Default Client Scopes in my OIDC client.

Many many thanks.
Peter

enima · January 21, 2021, 8:54am

how Keycloak can request token with authorization code received from external Identity provider?

Topic		Replies	Views
Associate service account with external identity provider Getting advice identity-brokering , oidc	3	2291	December 22, 2020
How does keycloak login works with external oauth2 authorization server Getting advice	2	1076	December 10, 2022
Retrieve Identity Provider (Github) token identity-brokering	6	1420	July 26, 2022
Keycloak token for external idp(Azure) users Getting advice authentication , oidc	3	1859	February 4, 2021
Unable to retrieve (upstream) Identity Provider's original token	11	11595	January 4, 2023

Is Keycloak right solution for my usecase

Related Topics