Generate token for multiple realms with Keycloak - keycloak

Is there a way to generate the same token for several realms in keycloak?
So that an authentication URL would look like this, for example:
http://localhost:8888/auth/"multiple realm"/glide/protocol/openid-connect/token
Thanks

No, that's not possible:
A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control.
https://www.keycloak.org/docs/latest/server_admin/#core-concepts-and-terms (definition of "realms")
If you could explain why you want to do this, I (or someone else) could maybe suggest a better alternative.

Keycloak only for roles

It looks like I got stuck and I need some help solving this authentication/authorization problem.
I have an Okta installation, outside of my control, which supports OIDC but doesn't allow roles to be managed easily and also does not support the token exchange flow.
I was hoping to use Keycloak as a sort of sidecar/federated system to store users' roles, but I still need to perform the authentication against Okta, simply because that's the one storing the user credentials and I cannot have direct access to those.
Also, I cannot expose Keycloak to the end users, due to security constraints.
In other words, the client can only reach Okta and must authenticate on Okta, but since I can't store user roles on Okta I wish to use Keycloak for that and query Keycloak for user roles from my backend application, all of that without using the token exchange flow...
Any ideas how I can achieve that, if possible at all?
Thank you in advance.

Auth0 custom claims

I'm thinking of using Auth0 for my API and web application and have a query. When the JWT token is generated I would like to include some custom user claims that only exist in my user database. Is this possible, or do all claims need to exist as pre-defined attributes in Auth0?
I have my own user database because there are some dynamic and complicated user permissions that I need to store there. I realize that one option is not to store these permissions in the token and I could have a separate API to get them, but for performance and simplicity I'd rather wrap them into the JWT token. I can't seem to see a way to do this.
Thanks in advance
You can do that using Rules and Custom Claims, and they don't have to be predefined or even persistent in a user profile.
See
https://auth0.com/docs/scopes/current/custom-claims
https://auth0.com/docs/api-auth/tutorials/adoption/scope-custom-claims
for docs and examples.
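As an added illustration of the Rules approach from the answer above (example code, not from the post or from Auth0's docs): an Auth0 Rule has the signature `(user, context, callback)` and adds claims by writing to `context.idToken` / `context.accessToken` under a URL namespace. The namespace, the user IDs and the in-memory `PERMISSION_DB` are constructed stand-ins; a real rule would call the asker's own backend for the permission lookup.

```javascript
// Added example: an Auth0 Rule that copies roles/permissions held only in an
// external user database into namespaced custom claims on the issued tokens.
// NAMESPACE is a placeholder; any non-Auth0 URL you control works.
const NAMESPACE = 'https://example.com/claims/';

// Constructed sample of the asker's own user database, keyed by Auth0 user_id.
const PERMISSION_DB = {
  'auth0|alice': { roles: ['editor'], permissions: ['doc:read', 'doc:write'] },
  'auth0|bob':   { roles: ['viewer'], permissions: ['doc:read'] },
};

// Stand-in for the lookup against the external database. In a real rule this
// would be an HTTPS call to your backend, with its secret taken from the rule's
// configuration object rather than hard-coded.
function lookupPermissions(userId) {
  return PERMISSION_DB[userId] || { roles: [], permissions: [] };
}

// Rule body. Auth0 only keeps custom claims whose names are namespaced, so a
// collision with standard OIDC claim names (sub, email, ...) is impossible.
function addCustomClaims(user, context, callback) {
  const record = lookupPermissions(user.user_id);
  // Roles are useful to the web application (ID token) and to the API
  // (access token); fine-grained permissions belong only in the access token.
  context.idToken[NAMESPACE + 'roles'] = record.roles;
  context.accessToken[NAMESPACE + 'roles'] = record.roles;
  context.accessToken[NAMESPACE + 'permissions'] = record.permissions;
  return callback(null, user, context);
}
```

Auth0 has since deprecated Rules in favour of Actions, where the equivalent call is `api.idToken.setCustomClaim(name, value)` / `api.accessToken.setCustomClaim(name, value)` with the same namespacing requirement.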

Which flow should I use when I have javascript clients and I want to login automatically without user consent?

I have an intranet application in which I want to simply authenticate the users by their network IDs. The users are considered trusted and I want to log the users in without their interaction. In this case, which flow should I use?
I made it work with the resource owner flow but I think this approach is not good enough. If I use the Implicit Flow or Authorization Code Flow, can I achieve the goal that the users do not need to be involved in the login process? Which means that the users do not need to consent to the authentication requests?
Thank you!
Consent is just a client setting (RequireConsent). But it sounds like you also want something like Windows integrated authentication.
This makes me wonder if you need an extra token service at all - since you already have one (called Windows domain controller).

OpenAM - Is there a way to disable new organisation message while switching between realms?

In our OpenAM implementation, we have two realms with different relying parties configured in it. Both the realms authenticate against the same LDAP source.
We adopted this configuration to avoid certain edge cases.
Now, whenever we switch between the relying parties in these realms, the new organisation warning message keeps showing up:
"You have already logged in. Do you want to log out and then login to a different organisation?"
Is there a way to seamlessly allow users to access the different realms using the same authenticated session?
TIA
Short answer: no. A session is associated with one realm, so a user cannot be authenticated to two realms at the same time.
Perhaps a better strategy is to examine why two different realms are required. It sounds like the two RPs should really be in the same realm if they serve the same group of users.

How to set up initial user/role when enabling SAML SSO

We are a service provider. Suppose in our application we originally have our own user/role management. Different users with different roles are allowed to use different features, so when a user logs in we need to know which roles this user has and prepare the appropriate UI. We have an administrator role; users with this role can assign roles to other users.
We are thinking of enabling SAML SSO for our application; now the problem is how we set up roles for each user.
Solution 1: we rely on the IdP to provide role information for each logged-in user. The role information may come along with the Assertion, but this may not work for all IdPs.
Solution 2: we only retrieve the user from the IdP and manage the roles in our own application. For example, when we get an Assertion, we retrieve the username (or email address) and match it with a record in our DB; if it doesn't exist we automatically create one for this new user. Then we rely on users with the administrator role to assign the correct role to this new user.
Now the question is: where does the first administrator come from? Our customer gets our application and turns on SAML SSO; now there are no users in the DB yet, so how can we resolve such a bootstrapping issue? Is there any kind of standard way? We have come up with different options but are not sure which is better and what the concerns are for each option.
Option 1: have a default built-in administrator user. There is a regular native login page where built-in users can log in without going through the IdP (there is an option to turn it on/off if SAML SSO is enabled).
Option 2: during SAML SSO setup, ask for the administrator username, so that we automatically create this user in our DB with the administrator role. Then when this user logs in through the IdP we can match him in our DB.
What are the other options?
For your first question, about who should handle the roles: as I understand it, every customer has a copy of your service provider software, and it connects to a central IdP that you own. If this is the case, it feels like it's too complex to let the administrators handle roles on your IdP. I would go for number two.
About question number two: I have been in the same situation and I cannot remember having seen an obvious standard solution for this.
What we did was option 2. It works fine but it adds some complexity to the install procedure. We chose it because we did not want to have a native login page.
I think maybe it would be better to go with option 1.
You can get the roles from the different directories of your IdP using your authorization layer. It removes the constraints on SAML and gives the same results as your solution 1.
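The following is an added example of option 2 from the question combined with the just-in-time provisioning of solution 2 (it is not code from the post or from any product named on the page): one administrator is seeded while the user database is still empty, every other subject is created on first SAML login with no roles, and only an administrator can grant roles. The store, the identifiers and the method names are constructed for this illustration; the SP is assumed to have already validated the assertion before calling `onAuthenticatedSubject`.

```javascript
// Added example: service-provider user store for SAML SSO bootstrapping.
// Identifiers (email or NameID) are normalized so the subject taken from an
// assertion still matches the administrator entered during setup.
function normalizeIdentifier(id) {
  return String(id).trim().toLowerCase();
}

class SpUserStore {
  constructor() {
    this.users = new Map(); // normalized identifier -> { identifier, roles, source }
  }

  // Option 2: called once during SAML SSO setup. It refuses to run when any
  // user already exists, so the setup page cannot later mint a second admin.
  bootstrapAdministrator(identifier) {
    if (this.users.size !== 0) {
      throw new Error('bootstrap is allowed only on an empty user database');
    }
    const key = normalizeIdentifier(identifier);
    const admin = { identifier: key, roles: ['administrator'], source: 'bootstrap' };
    this.users.set(key, admin);
    return admin;
  }

  // Solution 2: called after the SP has validated the assertion. Existing users
  // are matched; unknown subjects are created with no roles at all, so roles are
  // never derived from the assertion itself.
  onAuthenticatedSubject(identifier) {
    const key = normalizeIdentifier(identifier);
    let user = this.users.get(key);
    if (!user) {
      user = { identifier: key, roles: [], source: 'jit' };
      this.users.set(key, user);
    }
    return user;
  }

  // Only an existing administrator may grant roles to a provisioned user.
  assignRole(actorIdentifier, targetIdentifier, role) {
    const actor = this.users.get(normalizeIdentifier(actorIdentifier));
    const target = this.users.get(normalizeIdentifier(targetIdentifier));
    if (!actor || !actor.roles.includes('administrator')) {
      throw new Error('only administrators may assign roles');
    }
    if (!target) throw new Error('unknown target user');
    if (!target.roles.includes(role)) target.roles.push(role);
    return target;
  }
}
```

Matching on a persistent NameID rather than an email address is preferable where the IdP offers one, because an email address can be reassigned to a different person at the IdP and would then inherit the administrator's roles.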