Spring Cloud Gateway token relay with Keycloak resource owner password credentials grant - keycloak

Our application has its own login/signup and user management portal. We don't want to redirect the user to the Keycloak login page, which rules out the authorization code grant flow. I am trying to find a way to use Spring Cloud Gateway's TokenRelay filter with the password grant.

Related

Keycloak Identity provider rest endpoint to login with identity provider

I have created an identity provider and from the browser it's working fine.
Reference: Keycloak Identity provider post-broker-login throwing error
From the browser I can log in with the external IDP, and if the external IDP user is not present in Keycloak it gets created in Keycloak, which is absolutely fine, and the user is redirected to the dashboard.
But my question is how can we do this flow with the Keycloak REST API?
Is there any API to log in with the external IDP that returns the token of the external IDP as well as the token of Keycloak?
For the typical user authentication use-case, ideally the user would simply get redirected to the Keycloak login page of your realm, would click on the external IDP, and proceed with the authentication process.
But my question is how can we do this flow with the Keycloak REST API?
Via the Keycloak REST API I do not think you can perform this exact flow, at least not out-of-the-box.
Is there any API to log in with the external IDP that returns the token of the external IDP as well as the token of Keycloak?
You can use Keycloak's Direct Access Grant flow (aka Resource Owner Password Credentials Grant in terms of the OAuth2 specification) to exchange the user's credentials for a token from the external IDP. Afterwards, you can perform an external-to-internal token exchange of the token from the external IDP for a token from your internal Keycloak realm.
Bear in mind, however, that some might consider this approach as not being a good practice; read more about it in this Stack Overflow thread.
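The two-step flow the answer describes, written out as an added example (this is not code from the original post or from Keycloak itself): step 1 is a Resource Owner Password Credentials request (what Keycloak calls a Direct Access Grant) against the external IDP's token endpoint, and step 2 is a Keycloak external-to-internal token exchange that trades the external access token for a token from the internal realm. The endpoint URLs, client ids, secrets, the IDP alias "external-idp" and the stub transport used in __main__ are placeholder assumptions so the script runs offline; against a real server you would pass the default post_form transport instead.

```python
"""Added example: ROPC against an external IDP, then Keycloak token exchange."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Mapping

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Shape shared by the real transport and any offline stub: POST a form, get JSON back.
PostForm = Callable[[str, Mapping[str, str]], Dict]


def post_form(url: str, fields: Mapping[str, str], timeout: float = 10.0) -> Dict:
    """Real transport: POST an application/x-www-form-urlencoded body, decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode("utf-8")
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _require_token(body: Dict, step: str) -> Dict:
    """Fail loudly on an OAuth error body rather than returning a dict with no token."""
    if "access_token" not in body:
        raise RuntimeError(f"{step} failed: {body.get('error')}: {body.get('error_description')}")
    return body


def password_grant(token_url: str, client_id: str, username: str, password: str,
                   client_secret: str = None, post: PostForm = post_form) -> Dict:
    """Step 1: Direct Access Grant / ROPC at the external IDP.
    The client handles the user's raw password, which is the reason this grant is frowned upon."""
    fields = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password, "scope": "openid"}
    if client_secret:
        fields["client_secret"] = client_secret
    return _require_token(post(token_url, fields), "password grant")


def exchange_external_token(keycloak_token_url: str, client_id: str, client_secret: str,
                            external_access_token: str, idp_alias: str,
                            post: PostForm = post_form) -> Dict:
    """Step 2: external-to-internal token exchange at the Keycloak realm's token endpoint.
    subject_issuer is the alias of the identity provider configured in the realm."""
    fields = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": external_access_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_issuer": idp_alias,
    }
    return _require_token(post(keycloak_token_url, fields), "token exchange")


def login_via_external_idp(external_token_url: str, external_client_id: str,
                           keycloak_token_url: str, keycloak_client_id: str,
                           keycloak_client_secret: str, idp_alias: str,
                           username: str, password: str, post: PostForm = post_form) -> Dict:
    """Run both steps and return both tokens, which is what the question asked for."""
    external = password_grant(external_token_url, external_client_id, username, password, post=post)
    internal = exchange_external_token(keycloak_token_url, keycloak_client_id, keycloak_client_secret,
                                       external["access_token"], idp_alias, post=post)
    return {"external": external, "keycloak": internal}


def stub_transport(url: str, fields: Mapping[str, str]) -> Dict:
    """Constructed offline stand-in for the two token endpoints (assumption: no network)."""
    if fields["grant_type"] == "password":
        return {"access_token": "ext-token-for-" + fields["username"], "token_type": "Bearer"}
    if fields["grant_type"] == TOKEN_EXCHANGE_GRANT and fields["subject_issuer"] == "external-idp":
        return {"access_token": "kc-token-from-" + fields["subject_token"], "token_type": "Bearer"}
    return {"error": "invalid_grant", "error_description": "unsupported in stub"}


if __name__ == "__main__":
    # Placeholder URLs and credentials; the stub answers instead of a real server.
    tokens = login_via_external_idp(
        "https://idp.example/oauth2/token", "spa-client",
        "https://keycloak.example/realms/myrealm/protocol/openid-connect/token",
        "gateway", "gateway-secret", "external-idp", "alice", "s3cret",
        post=stub_transport)
    print(json.dumps(tokens, indent=2))
```

Token exchange is not on by default in Keycloak: the feature has to be enabled on the server and the confidential client (here "gateway") has to be granted permission to exchange tokens from that identity provider, otherwise step 2 returns an OAuth error body, which _require_token turns into an exception rather than silently passing on a tokenless response. Treat the returned access tokens as secrets and never log them as the demo's print does.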

Keep session between Azure B2C user flow and Keycloak SSO

I've configured a SPA application with an Azure B2C user flow to sign in on my SSO (based on Keycloak) using OpenID. Then I've configured another application with an Azure B2C custom policy to sign in on the same SSO, but using SAML.
I have another application on AWS directly connected to Keycloak with another client.
The user can authenticate on both of my Azure B2C apps, then navigate to the KK app, where the user is already authenticated.
This is not happening the other way around. If the user authenticates on the KK app, the session isn't shared with the Azure B2C apps and they have to log in again. Likewise, the session is not maintained between the two Azure B2C applications.
My custom policy is based on SocialAccounts from the MS Starter Pack. And this is my user flow session configuration.
Any suggestion on what I'm doing wrong?

If I am logging in to some site using facebook/google account credentials - then what type of OAuth grant type is it?

If I am logging in to some site xyz.com using Facebook, Google or Twitter account credentials, then what type of OAuth grant type is it?
Because there are several grant types used by OAuth, I want to know which particular grant type is used in the above scenario.
Client Credentials Grant:
This grant type is for apps that can request an access token and access resources on their own. These apps often use services that call APIs without users.
Client Credentials Grant Type Roles
The Client Credentials grant type uses the following roles:
Application: A client that makes protected requests using the authorization of the resource owner.
Authorization Server: The Single Sign-On server that issues access tokens to client apps after successfully authenticating the resource owner.
Resource Server: The server that hosts protected resources and accepts and responds to protected resource requests using access tokens. Apps access the server through APIs.

How does quarkus support basic authentication with keycloak as identity provider?

I want to secure a REST service with basic authentication. The credentials should be used to obtain an access token from a Keycloak instance for that client and to check the allowed roles on the service.
The Quarkus security architecture guide states that at least one installed extension providing a username/password-based IdentityProvider is required. It refers to the JPA IdentityProvider and JDBC IdentityProvider only. But I want to authenticate against Keycloak.
I have successfully set up a web app and a REST service with quarkus-oidc. It authenticates the user and provides access to the REST service via access token.
I also used properties files with basic authentication successfully.
My Keycloak myclient setup has Direct Access Grants Enabled with Access Type set to confidential.
My configuration in application.properties:
quarkus.oidc.enabled=true
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/myrealm
quarkus.oidc.client-id=myclient
quarkus.oidc.credentials.secret=secret
quarkus.http.auth.basic=true
Is this a valid combination?
When I debug into HttpAuthenticator constructor the only mechanism found is OidcAuthenticationMechanism, I'd expect BasicAuthenticationMechanism to be present.

Is there a way to disable user registration in Keycloak realm's local database as part of first broker login?

As per the Keycloak documentation, when the user logs in through identity brokering, Keycloak checks for and creates the user in the realm's local database as part of the First Broker Login flow.
Is there a way to disable user onboarding in the Keycloak local database and always check for authentication from the IDP instead of the local database?
And what is the rationale behind this default Keycloak implementation, as there are some basic issues like user data synchronisation between Keycloak and the IDP?