[英]How to check authenticate keycloak instance A user from another keycloak instance B?
We setup a testing environment for keycloak.我们为 keycloak 设置了一个测试环境。 The environment run on GCP.环境在 GCP 上运行。 It have two keycloak instances:它有两个 keycloak 实例:
We need to use the instance A to connect the instance B.我们需要使用实例 A 连接实例 B。
So instance A user can able to login via instance B.因此实例 A 用户可以通过实例 B 登录。
Is there any way to do this?有没有办法做到这一点? How can we implement this logic?我们如何实现这个逻辑?
You need to configure the test-login-2
as an identity provider for the test-login-1
.您需要将test-login-2
test-login-1
身份提供者。 You can read about identity brokering here .您可以在此处阅读有关身份代理的信息。 I will be calling internal realm
to the realm that will be used from the internal Keycloak ( test-login-1
), and external realm
to the realm that will be used from the external Keycloak ( test-login-2
). I will be calling internal realm
to the realm that will be used from the internal Keycloak ( test-login-1
), and external realm
to the realm that will be used from the external Keycloak ( test-login-2
).
For that go to the Admin Console and:对于 go 到管理控制台,然后:
Realm
from test-login-1
, and click on Identity Providers
select 你的Realm
来自test-login-1
,然后点击Identity Providers
Keycloak OpenID Connect
from the Add provider
... dropdown menu.在页面的右侧 select Keycloak OpenID Connect
来自Add provider
... 下拉菜单。 It will popup the Add Identity Provider
form, from there set:它将弹出Add Identity Provider
表单,从那里设置:alias
alias
Authorization URL
, Token URL
, Logout URL
, User Info URL
and Issuer
to the correspondent endpoints that can be found on the realm of test-login-2
on the .well-known endpoint ( ie, <KEYCLOAK_IP>/auth/realms/<External Realm Name>/.well-known/openid-configuration
) the Authorization URL
, Token URL
, Logout URL
, User Info URL
and Issuer
to the correspondent endpoints that can be found on the realm of test-login-2
on the .well-known endpoint ( ie, <KEYCLOAK_IP>/auth/realms/<External Realm Name>/.well-known/openid-configuration
)
Client Authentication
you can select Client secret send as post
对于Client Authentication
,您可以 select Client secret send as post
Client ID
and Client Secret
first you need to create a new client
in your external realm
(of test-login-2
) and use its Client ID
and Client Secret
here.对于Client ID
和Client Secret
,首先您需要在外部realm
(属于test-login-2
)中创建一个新client
,并在此处使用其Client ID
和Client Secret
。Access Type
Confidential
可以有Access Type
Confidential
Standard Flow Enabled
: ON
Standard Flow Enabled
: ON
Valid Redirect URIs
set it to your Keycloak IP followed by "*"
, for instance <KEYCLOAK_IP>*
Valid Redirect URIs
将其设置为您的 Keycloak IP 后跟"*"
,例如<KEYCLOAK_IP>*
Web Origins
: +
Web Origins
: +
Save
Bear in mind that some of those configurations might have to be adapted to your own needs.请记住,其中一些配置可能必须根据您自己的需要进行调整。
Now if everything was set correctly, at the keycloak ( test-login-1
) internal realm login page will show up a new button that the users stored on the external realm (of test-login-2
) can click on to authenticate against the external realm.现在,如果一切设置正确,在 keycloak ( test-login-1
) 内部 realm 登录页面将显示一个新按钮,存储在外部 realm 上的用户(属于test-login-2
)可以单击以针对外部 realm。
Now you configure your app to lend at the Internal Realm Login page, the users from your internal realm authenticate immediately there, the users from the external realm click on the new button to explicitly authenticate against the external realm. Now you configure your app to lend at the Internal Realm Login page, the users from your internal realm authenticate immediately there, the users from the external realm click on the new button to explicitly authenticate against the external realm.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.