Open in app

Sign in

Write

Sign in

Keycloak as an Identity Broker & an Identity Provider

Abhishek koserwal
Keycloak
Published in
3 min readSep 12, 2020

In this post, we will understand the concept of using Keycloak as an identity Broker & an Identity Provider. Let’s go over the basic flow before moving ahead.

Keycloak as an Identity Broker & as an Identity Provider
  • Identity Provider: An application or system that manages identity information. Allow you to create & manage it.

Eg:- You can read another post which explains using GitHub as a Social Identity provider: Github as Identity Provider in Keycloak

  • Identity Broker: an intermediatory service that lets you connect with the Identity Providers.

Eg:- Broker lets you authenticate or authorize using Identity Provider and let you use the resource linked with Broker. Without re-creating authentication.

Use Case

You might have two different Keycloak instance running: one for the external users (Keyloak-External)and another for the internal employees (Keycloak-Internal). Now you want to allow your employees to also authenticate with external service without going for registering a new account the external Keycloak. In such a scenario we can use External Keycloak as Broker and Internal Keycloak as Provider.

Setup

Two Instance of Keycloak Version: 11.0.2

  • Keycloak-External (127.0.0.1:8081)
  • Keycloak Internal (127.0.0.1:8080) default

Update the ports: keycloak-x.x.x/standalone/configuration/standalone.xml

Keycloak External (127.0.0.1:8081)

Create a realm

  • realm:“keycloak-external-broker” in Keycloak External (127.0.0.1:8081)
  • realm “keycloak-internal-identity” in Keycloak Internal (127.0.0.1:8080)

Register an Identity Provider

In the Identity Providers: select “Keycloak-odic”. I have updated the Alias & Display Name as per our use-case.

  • Configure the Authorization URL: Keycloak internal
http://<host>:<ip>/auth/realms/<realm>/protocol/openid-connect/auth
  • Client ID: Broker
  • Client Secret: Copy from the Broker client. (Keycloak Internal: 127.0.0.1:8080)

Keycloak Internal

  • Update the Valid Redirect URI:
http://<host>:<ip>/auth/realms/<realm>/broker/keycloak-internal/endpoint

That’s all you need. Create a demo user from the user's section in Keycloak Internal (127.0.0.1:8080).

Now visit URL: External Account login

http://127.0.0.1:8081/auth/realms/keycloak-external-broker/account

We will use the “Employee Login” option for internal users. It will redirect to the internal Keycloak instance.

Now you can see the User: test is logged into external Keycloak.

Conclusion

Brokering & Identity provider is a powerful pattern that can help deal with the most complex problem of handling authentication & authorization. Keycloak supports both & allow to extend further with a custom implementation.

If you like this post, give a Cheer!!!

Follow the Collection: Keycloak for learning more…

Happy Secure Coding ❤

Broker
Identity
Keycloak
Openid Connect

--

--

Abhishek koserwal
Keycloak

Written by Abhishek koserwal

382 Followers
Editor for

#redhatter #opensource #developer #kubernetes #keycloak #golang #openshift #quarkus #spring

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams