You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
---
config:
mirrorActors: false
---
sequenceDiagram
box Domain A
participant IDPA as External IdP
participant C as Client
end
box Domain B
participant IDPB as Keycloak
participant RS as REST API
end
C->>IDPA: Exchange token
IDPA->>C: Assertion
C->>IDPB: Token request, with assertion
IDPB->>C: Token response
C->>RS: Request with token
Loading
Value Proposition
This provides a better flow compared to Keycloak's token exchange for a few reasons:
Clean separation - token exchange is used for internal tokens; while authorization grants are used for external tokens
Standards based - even though the specification is a draft it builds on leveraging two final specifications, but the specification is seeing a lot of traction; including extensions built on-top of it like Identity Assertion Authorization Grant
There is a clear trust relationship with both IdPs taking part of the cross-domain requests
End of the day Keycloak's token exchange for external to internal flows would require two requests; the client would first need to do a token exchange request to the local IdP to obtain a token with the external IdPs as the audience, and afterwards a second token exchange request to the external IdP to obtain a token with the external issuer and external audiences.
Description
OAuth Identity and Authorization Chaining Across Domains enables applications to access resources across multiple trust domains.
This is done by utilising the following specifications:
A simplified view of the flow involved:
--- config: mirrorActors: false --- sequenceDiagram box Domain A participant IDPA as External IdP participant C as Client end box Domain B participant IDPB as Keycloak participant RS as REST API end C->>IDPA: Exchange token IDPA->>C: Assertion C->>IDPB: Token request, with assertion IDPB->>C: Token response C->>RS: Request with tokenValue Proposition
This provides a better flow compared to Keycloak's token exchange for a few reasons:
End of the day Keycloak's token exchange for external to internal flows would require two requests; the client would first need to do a token exchange request to the local IdP to obtain a token with the external IdPs as the audience, and afterwards a second token exchange request to the external IdP to obtain a token with the external issuer and external audiences.
Goals
TBD
Non-Goals
TBD
Discussion
No response
Notes
No response