We setup a testing environment for keycloak. The environment run on GCP. It have two keycloak instances:
- Instance A acts as a test login keycloak, named test-login-1
- Instance B acts as a test external identity provider, named test-login-2
We need to use the instance A to connect the instance B.
So instance A user can able to login via instance B.
Is there any way to do this? How can we implement this logic?
You need to configure the
test-login-2
as an identity provider for thetest-login-1
. You can read about identity brokering here. I will be callinginternal realm
to the realm that will be used from the internal Keycloak (test-login-1
), andexternal realm
to the realm that will be used from the external Keycloak (test-login-2
).For that go to the Admin Console and:
Realm
fromtest-login-1
, and click onIdentity Providers
Keycloak OpenID Connect
from theAdd provider
... dropdown menu. It will popup theAdd Identity Provider
form, from there set:alias
Authorization URL
,Token URL
,Logout URL
,User Info URL
andIssuer
to the correspondent endpoints that can be found on the realm oftest-login-2
on the .well-known endpoint (i.e.,<KEYCLOAK_IP>/auth/realms/<External Realm Name>/.well-known/openid-configuration
)Client Authentication
you can selectClient secret send as post
Client ID
andClient Secret
first you need to create a newclient
in your externalrealm
(oftest-login-2
) and use itsClient ID
andClient Secret
here.Access Type
Confidential
Standard Flow Enabled
:ON
Valid Redirect URIs
set it to your Keycloak IP followed by"*"
, for instance<KEYCLOAK_IP>*
Web Origins
:+
Save
Bear in mind that some of those configurations might have to be adapted to your own needs.
Now if everything was set correctly, at the keycloak (
test-login-1
) internal realm login page will show up a new button that the users stored on the external realm (oftest-login-2
) can click on to authenticate against the external realm.Now you configure your app to lend at the Internal Realm Login page, the users from your internal realm authenticate immediately there, the users from the external realm click on the new button to explicitly authenticate against the external realm.