Skip to main content

Hi!
We’d like to be able to access data from the Projections REST API with maintained end user authorization from a third-party web application with it’s own backend REST API, preferably with AzureAD as our primary SSO IDP. 


We have configured an IAM Identity provider in IFS cloud.
The problem is that tokens issued by the AzureAD is not accepted by IFS Cloud/Keycloak, and we can’t find a way to do “token-exchange” or get a token for the user “on-behalf-of” via a confidential IAM Client. Those features seems to be disabled in keycloak.

(We can authenticate directly towards IFS Cloud/keycloak and get a token for accessing the projections but in our use-case, this would require two logins, one to Azure, and one to IFS Cloud)

Is there any way we can use AzureAD as our primary IDP, and use that access token to query projections with maintained end-user permissions?

 

Hi @Mikael Nilsson 

 

If your IFS is setup with same AzureAD, then you could create a public IAM client and then you could use the same authentication for your API call. Is that what you want to achieve?

 

/Damith

 

I want to be able to use the authentication from the same (AzureAD) IDP that i set up as external IAM Identity provider directly without having to prompt the end-user to authenticate for the public client (keycloak).

Something like token-exchange, on-behalf-of or worst case CIBA would kind of resolve my requirements, but none of these flows seems to be active/enabled in keycloak out-of-the-box, and since this is supposed to be SaaS, we’d prefer minimal requirements for custom configuration on the customers IFS/Keycloak.

EDIT: Or use a confidential client from our back-end API to the projections API, but with impersonation of the actual end user to maintain user permissions and identity, if that is in any way possible?

Hi @Mikael Nilsson 

 

If you are using the browser based authentication, then it should be able to authenticate instead of going to the login page again?

I also noticed that IFS sets some cookies with the response to authorization end point.

Keycloak cookies : KEYCLOAK_SESSION,Oauth_token_request_state, KEYCLOAK_IDENTITY - Stack Overflow

 

maybe you could use them to make the SSO working?

Confidential client from backend-API: then it will be authenticated as service user attached to the IAM client and I’m not sure if any impersonation is possible with this scenario.

 

I’m also pretty much interested in this topic and please keep posted with your findings :)

 

Cheers!

Damith

Reply


Terms & ConditionsCookie settings