Somehow I missed this statement in the document I posted: Keycloak requires the sub claim in the assertion to be the user identifier in the external provider. The Keycloak user should be previously linked to the Identity Provider. This way there is a link between the external and the internal user ID, which I guess answers my initial question. Is there any way that the linking of the user and the Keycloak user can be automated?
I have been investigating the preview feature 'JWT Authorization Grant' (https://www.keycloak.org/securing-apps/jwt-authorization-grant) for external-to-internal token exchange and have found that I can generate a token in the configured Okta IDP and then exchange that token using the endpoint /realms/{realm}/protocol/openid-connect/token for a Keycloak token.
The end goal of this work is to allow a third-party application to pass an IDP token to our application, which will then authenticate with Keycloak using the IDP token.
This works as long as the IDP user already exists in Keycloak. If the IDP user does not exist in Keycloak I get a 'user not found' error.
If I log in using the browser for the same IDP I can use the first broker login flow to automatically create the user.
My questions are:
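As an added example (not code from this discussion or from Keycloak itself), the resolution rule quoted in the comment above, worked through in Python: the exchange at the token endpoint succeeds only when some Keycloak user has a federated-identity link for the Okta provider whose userId equals the assertion's sub claim, otherwise the result is the 'user not found' error from the post. The IdP alias, the sample assertion (unsigned, constructed), the per-user link data shaped like the Admin REST API federated-identity resource, and client authentication with client_id/client_secret on the RFC 7523 form are all assumptions.

```python
import base64
import json

IDP_ALIAS = "okta"  # assumption: alias of the Okta Identity Provider in the realm

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_claims(assertion: str) -> dict:
    """Payload claims of a compact JWT. No signature check here: Keycloak verifies
    the assertion against the IdP keys itself; this only diagnoses 'user not found'."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def find_linked_user(claims: dict, idp_alias: str, links_by_user: dict):
    """Keycloak user id whose federated identity for idp_alias has userId == sub,
    i.e. the user the exchange resolves to; None mirrors the 'user not found' error."""
    for user_id, links in links_by_user.items():
        for link in links:
            if link["identityProvider"] == idp_alias and link["userId"] == claims["sub"]:
                return user_id
    return None

def link_representation(claims: dict, idp_alias: str) -> dict:
    """Body for POST /admin/realms/{realm}/users/{id}/federated-identity/{alias},
    the Admin REST call that creates the missing link for an existing user."""
    return {"identityProvider": idp_alias, "userId": claims["sub"],
            "userName": claims.get("email", claims["sub"])}

def exchange_form(client_id: str, client_secret: str, assertion: str) -> dict:
    """Form fields for POST /realms/{realm}/protocol/openid-connect/token (RFC 7523)."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "assertion": assertion, "client_id": client_id, "client_secret": client_secret}

# Constructed sample assertion; the signature segment is a placeholder, not a real signature.
SAMPLE_ASSERTION = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode()),
    _b64url(json.dumps({"iss": "https://example.okta.com", "sub": "00uEXAMPLE1",
                        "aud": "https://keycloak.example/realms/demo",
                        "email": "alice@example.com"}).encode()),
    "signature-placeholder"])

# Constructed sample of GET /admin/realms/{realm}/users/{id}/federated-identity, per user id.
SAMPLE_LINKS = {
    "1f3b-alice": [{"identityProvider": "okta", "userId": "00uEXAMPLE1", "userName": "alice@example.com"}],
    "9a2c-bob": [],  # exists in Keycloak but was never linked to the IdP
}

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_ASSERTION)
    user = find_linked_user(claims, IDP_ALIAS, SAMPLE_LINKS)
    print("assertion resolves to:", user or "no user (expect 'user not found')")
```

Running the check against a user with an empty link list shows the failure case; link_representation gives the body an automation script would POST for that user before retrying the exchange.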