如何检查来自另一个 keycloak 实例 B 的身份验证 keycloak 实例 A 用户?
[英]How to check authenticate keycloak instance A user from another keycloak instance B?
问题描述
We setup a testing environment for keycloak.
我们为 keycloak 设置了一个测试环境。 The environment run on GCP.环境在 GCP 上运行。 It have two keycloak instances:它有两个 keycloak 实例:
- Instance A acts as a test login keycloak, named test-login-1实例 A 充当测试登录密钥斗篷,名为 test-login-1
- Instance B acts as a test external identity provider, named test-login-2实例 B 充当测试外部身份提供者,名为 test-login-2
We need to use the instance A to connect the instance B.我们需要使用实例 A 连接实例 B。
So instance A user can able to login via instance B.因此实例 A 用户可以通过实例 B 登录。
Is there any way to do this?有没有办法做到这一点? How can we implement this logic?我们如何实现这个逻辑?
1 个解决方案
解决方案1
2 已采纳 2020-11-26 07:41:01
You need to configure the test-login-2 as an identity provider for the test-login-1 .您需要将test-login-2 test-login-1身份提供者。 You can read about identity brokering here .您可以在此处阅读有关身份代理的信息。 I will be calling internal realm to the realm that will be used from the internal Keycloak ( test-login-1 ), and external realm to the realm that will be used from the external Keycloak ( test-login-2 ). I will be calling internal realm to the realm that will be used from the internal Keycloak ( test-login-1 ), and external realm to the realm that will be used from the external Keycloak ( test-login-2 ).
For that go to the Admin Console and:对于 go 到管理控制台,然后:
- select your
Realmfromtest-login-1, and click onIdentity Providersselect 你的Realm来自test-login-1,然后点击Identity Providers - On the right side of the page select
Keycloak OpenID Connectfrom theAdd provider... dropdown menu.在页面的右侧 select Keycloak OpenID Connect来自Add provider... 下拉菜单。 It will popup theAdd Identity Providerform, from there set:它将弹出Add Identity Provider表单,从那里设置: - the
aliasalias - the
Authorization URL,Token URL,Logout URL,User Info URLandIssuerto the correspondent endpoints that can be found on the realm oftest-login-2on the .well-known endpoint ( ie,<KEYCLOAK_IP>/auth/realms/<External Realm Name>/.well-known/openid-configuration)the Authorization URL,Token URL,Logout URL,User Info URLandIssuerto the correspondent endpoints that can be found on the realm oftest-login-2on the .well-known endpoint ( ie,<KEYCLOAK_IP>/auth/realms/<External Realm Name>/.well-known/openid-configuration)- For the
Client Authenticationyou can selectClient secret send as post对于Client Authentication,您可以 selectClient secret send as post - For the
Client IDandClient Secretfirst you need to create a newclientin your externalrealm(oftest-login-2) and use itsClient IDandClient Secrethere.对于Client ID和Client Secret,首先您需要在外部realm(属于test-login-2)中创建一个新client,并在此处使用其Client ID和Client Secret。 - This client:这个客户:
- can have
Access TypeConfidential可以有Access TypeConfidential -
Standard Flow Enabled:ONStandard Flow Enabled:ON -
Valid Redirect URIsset it to your Keycloak IP followed by"*", for instance<KEYCLOAK_IP>*Valid Redirect URIs将其设置为您的 Keycloak IP 后跟"*",例如<KEYCLOAK_IP>* -
Web Origins:+Web Origins:+ -
Save
- For the
Bear in mind that some of those configurations might have to be adapted to your own needs.请记住,其中一些配置可能必须根据您自己的需要进行调整。
Now if everything was set correctly, at the keycloak ( test-login-1 ) internal realm login page will show up a new button that the users stored on the external realm (of test-login-2 ) can click on to authenticate against the external realm.现在,如果一切设置正确,在 keycloak ( test-login-1 ) 内部 realm 登录页面将显示一个新按钮,存储在外部 realm 上的用户(属于test-login-2 )可以单击以针对外部 realm。
Now you configure your app to lend at the Internal Realm Login page, the users from your internal realm authenticate immediately there, the users from the external realm click on the new button to explicitly authenticate against the external realm. Now you configure your app to lend at the Internal Realm Login page, the users from your internal realm authenticate immediately there, the users from the external realm click on the new button to explicitly authenticate against the external realm.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.