
Hi, and excuse me for the long text.

I have a REST app with a module for communication with Keycloak. I use the Keycloak "admin" user in the realm to manage users. I also perform REST calls to obtain an access token for a user using username and password. So my backend app is a kind of proxy.

Now I need to implement integration with another IDP (BankID), and both (Keycloak and BankId) should be in use.

A user on the UI is redirected to the BankID login page; after successful authentication they are redirected back to the UI with a code, and the UI makes a call to the backend, where the backend uses the code received from the UI to request sensitive data from the BankID IDP. In the response I receive an email and the rest of the information. So this user is trusted, and I should retrieve a Keycloak access_token for this user using the email received from the other IDP (because this user was 100% registered in Keycloak previously).

And here is the problem: I can't retrieve a token for this user from Keycloak because I have only the email and no password. I have no idea how I can achieve this without the user's password that is stored on the Keycloak side.

I tried Token Exchange, Impersonation and Direct Naked Impersonation, but nothing helped (hopefully I did something wrong and it is possible to do).

  • Have you configured the external IDP as a Keycloak IDP or do you redirect the user not via Keycloak to your IDP but directly? – Philipp Jul 04 '20 at 06:49
  • I redirect directly to the external IDP, but this is not my organization's IDP - I don't have any control over it. But Keycloak is located in my organization and I can do whatever I want with it (but can't retrieve an access_token for a user without the user's password) – Marko Vovchok Jul 04 '20 at 17:10
  • Why do you not configure your IDP in keycloak, then redirect from your app to keycloak and you let keycloak take care of the authentication towards your IDP (redirect, etc)? So your identity provider would be your IDP and your token issuer would be keycloak – Philipp Jul 04 '20 at 21:15
  • Because I don't want to use the Keycloak UI (we are using Vue.js and it is much easier to maintain and develop). – Marko Vovchok Jul 05 '20 at 09:15
  • Okay, understand. But you don't have to show the Keycloak login form. You can redirect to your IDPs login form directly. Maybe this solves your issue: https://www.keycloak.org/docs/latest/server_admin/index.html#default_identity_provider – Philipp Jul 05 '20 at 09:49
  • @Philipp thanks a lot for your interest! I missed 'subject_token' and after defining it, impersonation finally started working! – Marko Vovchok Jul 11 '20 at 20:52
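The flow the last comment arrives at, as an added example that is not code from the question or from Keycloak: resolve the email trusted from BankID to exactly one Keycloak user through the admin REST API, then call Keycloak's token-exchange endpoint with `subject_token` (the impersonating caller's own token) and `requested_subject`. It assumes the standard `/admin/realms/{realm}/users` and `/realms/{realm}/protocol/openid-connect/token` paths, a confidential client (`client_id`/`client_secret`) that has been granted impersonation permission, and an injectable `http` transport so the logic can be exercised without a server.

```python
import json
import urllib.request
from urllib.parse import quote, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def _http(method, url, headers, body=None):
    """Default transport (plain urllib); tests pass a fake instead of this."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


def find_user_id(base_url, realm, admin_token, email, http=_http):
    """Resolve the trusted email from BankID to exactly one Keycloak user id.
    The admin API's ?email= filter is treated as a substring search here, so the
    exact match is enforced locally and any ambiguity is refused."""
    url = f"{base_url}/admin/realms/{realm}/users?email={quote(email)}"
    status, text = http("GET", url, {"Authorization": f"Bearer {admin_token}"})
    if status != 200:
        raise RuntimeError(f"user lookup failed: HTTP {status}")
    hits = [u for u in json.loads(text) if u.get("email", "").lower() == email.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected one user for {email}, found {len(hits)}")
    return hits[0]["id"]


def impersonation_form(subject_token, requested_subject, client_id, client_secret):
    """Form body for Keycloak's token-exchange impersonation. subject_token is the
    impersonating caller's own access token; it is the parameter the thread missed."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_subject": requested_subject,
    }


def token_for_email(base_url, realm, admin_token, email, client_id, client_secret, http=_http):
    """Return an access token issued for the Keycloak user behind `email`."""
    user_id = find_user_id(base_url, realm, admin_token, email, http)
    body = urlencode(impersonation_form(admin_token, user_id, client_id, client_secret)).encode()
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    status, text = http("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"token exchange refused: HTTP {status} {text}")
    return json.loads(text)["access_token"]
```

Only call this after the BankID code has actually been verified with BankID; the exact-match lookup is what stops a partial email match from issuing a token for the wrong account.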
