Keycloak as an Identity Broker & an Identity Provider
In this post, we will look at using Keycloak as an Identity Broker and as an Identity Provider. Let’s go over the basic terms before moving ahead.
- Identity Provider: an application or system that manages identity information and lets you create and manage identities.
For example, see the earlier post that explains using GitHub as a social identity provider: Github as Identity Provider in Keycloak
- Identity Broker: an intermediary service that connects you to one or more Identity Providers.
For example, a broker lets you authenticate or authorize against an Identity Provider and then use the resources linked to the broker, without re-implementing authentication or creating a second account.
Use Case
You might have two different Keycloak instances running: one for external users (Keycloak-External) and another for internal employees (Keycloak-Internal). Now you want to allow your employees to authenticate with the external service as well, without registering a new account in the external Keycloak. In such a scenario we can use the external Keycloak as the Broker and the internal Keycloak as the Identity Provider.
Setup
Two instances of Keycloak, version 11.0.2:
- Keycloak-External (127.0.0.1:8081)
- Keycloak-Internal (127.0.0.1:8080, the default port)
Update the ports in keycloak-x.x.x/standalone/configuration/standalone.xml
Create a realm
- realm “keycloak-external-broker” in Keycloak-External (127.0.0.1:8081)
- realm “keycloak-internal-identity” in Keycloak-Internal (127.0.0.1:8080)
Register an Identity Provider
In the Identity Providers section of the external realm, select “Keycloak OIDC”. I have updated the Alias & Display Name as per our use case (the alias used in the rest of this post is keycloak-internal).
- Authorization URL: the authorization endpoint of the internal Keycloak realm, i.e. host, port and realm of Keycloak-Internal
http://<host>:<port>/auth/realms/<realm>/protocol/openid-connect/auth
- Client ID: Broker (the client of that name in the internal realm)
- Client Secret: copy it from the Broker client in Keycloak-Internal (127.0.0.1:8080)
Keycloak Internal
- In the Broker client, set the Valid Redirect URI to the broker callback endpoint of the external realm (host, port and realm of Keycloak-External; the path segment before “endpoint” is the identity provider alias):
http://<host>:<port>/auth/realms/<realm>/broker/keycloak-internal/endpoint
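As an added example (not code from the original post), the following Python derives the values configured on both sides from the two-instance setup above and checks a redirect URI against a client's Valid Redirect URIs. The token endpoint is not listed in the post and is assumed to follow the same pattern as the authorization endpoint; the matching rule (exact match, or prefix match when the registered entry ends with "*") is assumed to be Keycloak's behaviour.

```python
# Added example: derive broker-side IdP settings and the internal-side
# redirect URI from the setup in this post, then check that a redirect
# URI would be accepted by a client's "Valid Redirect URIs" list.
# Assumed matching rule: exact match, or prefix match when the registered
# entry ends with "*" (which is why a bare "*" is a risky registration).

INTERNAL = "http://127.0.0.1:8080"   # Keycloak-Internal (identity provider)
EXTERNAL = "http://127.0.0.1:8081"   # Keycloak-External (broker)
INTERNAL_REALM = "keycloak-internal-identity"
EXTERNAL_REALM = "keycloak-external-broker"
IDP_ALIAS = "keycloak-internal"      # alias given to the IdP on the broker


def oidc_endpoints(base: str, realm: str) -> dict:
    """Keycloak OIDC endpoints of a realm (the values typed into the broker)."""
    root = f"{base}/auth/realms/{realm}/protocol/openid-connect"
    return {"authorization": f"{root}/auth", "token": f"{root}/token"}


def broker_endpoint(base: str, realm: str, alias: str) -> str:
    """Broker callback; must be a Valid Redirect URI on the IdP's client."""
    return f"{base}/auth/realms/{realm}/broker/{alias}/endpoint"


def redirect_allowed(redirect_uri: str, valid_redirect_uris: list) -> bool:
    """True if redirect_uri matches a registered entry (exact or trailing '*')."""
    for entry in valid_redirect_uris:
        if entry.endswith("*"):
            if redirect_uri.startswith(entry[:-1]):
                return True
        elif redirect_uri == entry:
            return True
    return False


def check_setup() -> dict:
    """Tie both sides together and contrast an exact with a wildcard entry."""
    idp = oidc_endpoints(INTERNAL, INTERNAL_REALM)
    callback = broker_endpoint(EXTERNAL, EXTERNAL_REALM, IDP_ALIAS)
    exact, wildcard = [callback], ["*"]
    # Constructed URI on a different host, used only to show what is rejected.
    other_host = callback.replace("127.0.0.1:8081", "other.example")
    return {
        "authorization_url": idp["authorization"],
        "token_url": idp["token"],
        "broker_endpoint": callback,
        "exact_accepts_callback": redirect_allowed(callback, exact),
        "exact_accepts_other_host": redirect_allowed(other_host, exact),
        "wildcard_accepts_other_host": redirect_allowed(other_host, wildcard),
    }
```

Registering the exact broker endpoint is what keeps the internal client from redirecting the authorization code anywhere else.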
That’s all you need. Create a demo user in the Users section of Keycloak-Internal (127.0.0.1:8080).
Now visit the account console of the external realm (External Account login):
http://127.0.0.1:8081/auth/realms/keycloak-external-broker/account
Use the “Employee Login” option for internal users; it redirects to the internal Keycloak instance for authentication.
After logging in there, you can see the user “test” logged into the external Keycloak.
Conclusion
Identity brokering together with an Identity Provider is a powerful pattern that helps with one of the most complex problems, handling authentication & authorization across systems. Keycloak supports both roles and allows you to extend them further with a custom implementation.
If you like this post, give a Cheer!!!
Follow the Collection: Keycloak for learning more…
Happy Secure Coding ❤