I'm working on a use case where I want to set up mutual-auth based authentication for a user present in my external KeyCloak.
For configuration purposes, I have added my external KeyCloak to my internal identity provider for brokering purposes. Apart from this, I added a new authentication mechanism which has an idp-redirector redirecting to the external KeyCloak, followed by X509/Validate Username Form and Password Authentication.
Reference for system setup Keycloak brokering with mutual auth
Current flow after the above setup:
- Client sends a request to the internal KeyCloak with a certificate.
- Internal KeyCloak captures the request and sends back a 302 to my client, telling the client to redirect to the external KeyCloak.
- Client doesn't understand the HTTP status code and cancels the request.
The client in this case is Postman.
I want to achieve a scenario where my request with a certificate gets redirected to the external KeyCloak. The external KeyCloak authenticates the credentials and sends a token back to the internal KeyCloak; the internal KeyCloak checks the token, applies role mapping accordingly and gives access to the resource that I'm trying to access.
My first question is: do I need to set up some sort of mediator that checks and takes care of the redirection?
My second question: is this the optimal scenario for API authentication, with KeyCloak acting as a broker for an external KeyCloak, in terms of design and setup? Or am I missing something?
There's no issue with my authentication setup; certificate checking works fine if I remove brokering and just rely on the internal KeyCloak for authentication and role mapping.
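A useful way to see exactly what the client is being asked to do in the flow described above is to follow the redirect chain by hand while presenting the client certificate, instead of letting a tool like Postman give up at the first 302. The script below is an added example written for this question; it is not code from Keycloak or from the original post. The host names, realm, client id, paths and certificate file names are placeholders, and the redirect-parsing helpers are exercised offline on constructed responses.

```python
"""Trace the redirect chain an mTLS client sees when it calls a Keycloak
endpoint that brokers to an external identity provider.

Added example for this question, not Keycloak's own code.  All host names,
ports, paths and certificate file names are assumptions/placeholders.
"""
import http.client
import ssl
from typing import Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def next_hop(status: int, headers: dict, current_url: str) -> Optional[str]:
    """Return the absolute URL of the next hop when the response is a redirect,
    otherwise None.  Header names match case-insensitively and a relative
    Location is resolved against the URL that was just requested."""
    if status not in REDIRECT_STATUSES:
        return None
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        return None
    return urljoin(current_url, location)


def is_cross_host(origin_url: str, next_url: str) -> bool:
    """True when a hop leaves the host we originally authenticated to.  In the
    brokered flow that is the jump from the internal Keycloak to the external
    one, which is the hop a non-browser client such as Postman refuses."""
    return urlsplit(origin_url).netloc.lower() != urlsplit(next_url).netloc.lower()


def build_mtls_context(cert_file: str, key_file: str, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that presents our client certificate and still verifies the server."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def fetch_once(url: str, ctx: ssl.SSLContext) -> Tuple[int, dict]:
    """One GET that does NOT follow redirects; returns (status, headers)."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, context=ctx, timeout=10)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"Accept": "application/json"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def trace_redirects(start_url: str, ctx: ssl.SSLContext, max_hops: int = 10) -> list:
    """Follow redirects manually, recording every hop as
    (url, status, next_url_or_None, left_original_host)."""
    hops = []
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch_once(url, ctx)
        nxt = next_hop(status, headers, url)
        hops.append((url, status, nxt, bool(nxt) and is_cross_host(start_url, nxt)))
        if nxt is None:
            break
        url = nxt
    return hops


if __name__ == "__main__":
    # Placeholder values (assumptions): substitute your realm, client and certificate.
    CTX = build_mtls_context("client.crt", "client.key", ca_file="internal-ca.pem")
    START = ("https://internal-keycloak.example/realms/myrealm/protocol/openid-connect/auth"
             "?client_id=my-client&response_type=code"
             "&redirect_uri=https://app.example/cb&scope=openid")
    for url, status, nxt, cross in trace_redirects(START, CTX):
        print(f"{status} {url}")
        if nxt:
            print(f"    -> {nxt}{'  (leaves internal Keycloak: broker hop)' if cross else ''}")
```

Run it against your internal Keycloak and read the printed hops: the first line flagged as a broker hop is the 302 that Postman cancels, and the hops after it show what the external Keycloak expects from the client before it will ever send anything back to the internal one. That makes it clear whether the remaining steps are interactive (a login form, which no API client can complete on its own) or not.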