Hi,
I’m trying to get external-to-internal to work.
My situation is quite basic, I’m starting with 2 Keycloaks working together, KC-IDP and KC2.
KC2 should not need any users, it uses KC-IDP as an identity provider.
It’s there to provide JWTs to control access to some services; the services don’t want to know about KC-IDP.
Anyone who wants to call a service gets a token from KC-IDP, then uses it to get a token from KC2, and uses that one to call the service.
KC-IDP has some users and some attributes and roles that make it into the claims. It has 2 clients, one called “login” and one called “kc2”; they have mappers for the JWT.
KC2 defines some roles, realm and client. The client is “dest”, because it’s the destination client.
My aim is to start with a token from KC-IDP/“login”, and end with a token from KC2/“dest”.
All using curl and REST.
First what works, then what doesn’t.
This works, using only Keycloak UIs:
- define all the stuff above.
- define an Identity Provider (IdP) in KC2 (of the type Keycloak OIDC)
- define mappings in the IdP
** from claim to attribute
** from claim to role
- log in to KC2, get redirected to KC-IDP (yay!), go back to KC2, login successful (yay!).
- user was created in KC2 (yay!)
- user has attribute (yay!)
- user has role (yay!)
This looks good, and actually I thought I had made it. The login goes to KC-IDP with the appropriate client, IdP mappers work fine, I can even define a realm-admin with the admin role, so basically I don’t need any user in KC2 any more.
This also works, using curl and REST:
- get a token from KC-IDP/“login” client
- exchange it inside KC-IDP (internal exchange) from “login” to “kc2” clients (yay)
- call KC2 to exchange it for a token from KC2/“dest” (this took me some time but now it’s ok)
Again, I thought this was the end of it. I actually managed to exchange external to internal. I hop from one KC client to another, just like I wanted. Users are created on the fly.
What doesn’t work:
- the mapping from claim to role in the IdP does not work. The final token (KC2/“dest”) does not have any role.
- the mapping from claim to attribute does not work. However… it works the second time around: this time the user already exists, it is already linked to the IdP, and the user ends up with some attributes, which end up in the JWT.
So I end with an unusable token, because it has no claims to anything in KC2.
(except for some attributes if I run it all twice)
I have tried peeking into the code, to no avail. I have a feeling there’s something I’m missing.
I checked and there are sessions created for my users when I do the token exchange.
BTW, the client mappers behave exactly as expected, they return the proper JWT given the attributes and roles that the user has.
Any ideas?
Has anyone succeeded in getting internal to external to work with mapping using tokens (not login)?
Thanks
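The three REST calls described in the post (password grant at KC-IDP/“login”, internal exchange to the “kc2” client, external-to-internal exchange at KC2/“dest”), followed by decoding the final token to see which roles it actually carries, as an added example that is not part of the original post or of Keycloak itself. The host names, realm names, the IdP alias “kc-idp”, the client secrets, and the assumptions that “login” allows direct access grants and that the exchanging clients are confidential are all mine; the token-exchange parameters (grant_type urn:ietf:params:oauth:grant-type:token-exchange, subject_token, audience, subject_issuer, subject_token_type) are Keycloak’s. The role check only base64url-decodes the payload, without verifying the signature, which is enough to inspect what the IdP mappers produced but not to trust the token.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumed setup: two Keycloak
# servers (KC-IDP, KC2), realm names, client secrets and the IdP alias below are
# placeholders; the "login" client is assumed to allow the password grant and the
# exchanging clients ("kc2" at KC-IDP, "dest" at KC2) are assumed confidential.
set -eu

KC_IDP_BASE="${KC_IDP_BASE:-https://kc-idp.example.test}"   # assumed; older servers prefix /auth
KC2_BASE="${KC2_BASE:-https://kc2.example.test}"             # assumed
KC_IDP_REALM="${KC_IDP_REALM:-idp}"                          # assumed realm name at KC-IDP
KC2_REALM="${KC2_REALM:-services}"                           # assumed realm name at KC2
KC2_IDP_ALIAS="${KC2_IDP_ALIAS:-kc-idp}"                     # assumed alias of the IdP defined in KC2
KC2_CLIENT_SECRET="${KC2_CLIENT_SECRET:-changeme}"           # assumed secret of "kc2" at KC-IDP
DEST_CLIENT_SECRET="${DEST_CLIENT_SECRET:-changeme}"         # assumed secret of "dest" at KC2
TOKEN_EXCHANGE_GRANT="urn:ietf:params:oauth:grant-type:token-exchange"

# Minimal extractor for one string field of Keycloak's single-line JSON token response (no jq).
json_field() { sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"; }

# Step 1: user token from KC-IDP through the "login" client (direct access grant).
idp_login_token() {   # $1=username $2=password
  curl -sS -X POST "$KC_IDP_BASE/realms/$KC_IDP_REALM/protocol/openid-connect/token" \
    -d grant_type=password -d client_id=login \
    --data-urlencode "username=$1" --data-urlencode "password=$2" | json_field access_token
}

# Step 2: internal exchange inside KC-IDP: "login" token -> token whose audience is "kc2".
idp_internal_exchange() {   # $1=token from step 1
  curl -sS -X POST "$KC_IDP_BASE/realms/$KC_IDP_REALM/protocol/openid-connect/token" \
    -d grant_type="$TOKEN_EXCHANGE_GRANT" \
    -d client_id=kc2 -d "client_secret=$KC2_CLIENT_SECRET" \
    -d "subject_token=$1" -d audience=kc2 | json_field access_token
}

# Step 3: external-to-internal exchange at KC2: KC-IDP token -> KC2/"dest" token.
# subject_issuer names the IdP configured in KC2; KC2 links or creates the user on the fly.
kc2_external_exchange() {   # $1=token from step 2
  curl -sS -X POST "$KC2_BASE/realms/$KC2_REALM/protocol/openid-connect/token" \
    -d grant_type="$TOKEN_EXCHANGE_GRANT" \
    -d client_id=dest -d "client_secret=$DEST_CLIENT_SECRET" \
    -d "subject_issuer=$KC2_IDP_ALIAS" \
    -d subject_token_type=urn:ietf:params:oauth:token-type:access_token \
    -d "subject_token=$1" | json_field access_token
}

# base64url helpers: the JWT alphabet swaps +/ for -_ and drops the = padding.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
b64url_decode() {
  local s pad
  s=$(printf '%s' "$1" | tr '_-' '/+')
  pad=$(( (4 - ${#s} % 4) % 4 ))
  printf '%s%s' "$s" "$(printf '%*s' "$pad" '' | tr ' ' '=')" | base64 -d
}

# Payload (second segment) of a JWT, decoded but NOT signature-checked: for inspection only.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Every role name found in any "roles":[...] array (realm_access and resource_access),
# one per line; prints nothing for a token without roles, which is the failure mode in the post.
jwt_roles() {
  jwt_payload "$1" | grep -o '"roles":\[[^]]*\]' | tr -d '[]"' | sed 's/^roles://' | tr ',' '\n' || true
}

# Exit 0 when the token carries the given role name.
jwt_has_role() { jwt_roles "$1" | grep -x -- "$2" >/dev/null; }

# The whole chain against live servers; prints the final payload and the roles in it.
exchange_chain() {   # $1=username $2=password
  local t_login t_kc2 t_dest
  t_login=$(idp_login_token "$1" "$2")
  t_kc2=$(idp_internal_exchange "$t_login")
  t_dest=$(kc2_external_exchange "$t_kc2")
  echo "KC2/dest token payload:"; jwt_payload "$t_dest"; echo
  echo "roles in KC2/dest token:"; jwt_roles "$t_dest"
}

# Offline self-check on constructed tokens (not real KC2 output) so the decoder and
# role check are known good before the script is pointed at real servers.
SAMPLE_PAYLOAD='{"iss":"https://kc2.example.test/realms/services","azp":"dest","realm_access":{"roles":["dest-user"]},"resource_access":{"dest":{"roles":["viewer"]}}}'
SAMPLE_JWT="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "$SAMPLE_PAYLOAD").sig"
ROLELESS_JWT="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode '{"azp":"dest","sub":"abc"}').sig"

if [ "${1:-}" = run ]; then
  exchange_chain "$2" "$3"
fi
```

Run it as `./exchange.sh run alice 'password'` (with the base URLs and secrets exported) to print the roles the KC2/“dest” token ends up with; an empty role list is exactly the symptom described in the post. On Keycloak versions where token exchange is still a preview feature, both servers must be started with it enabled (`--features=token-exchange`), and the exchanging client needs the exchange permission on the target client (internal) or on the identity provider (external-to-internal), otherwise the third call is refused rather than returning a role-less token.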