Reputation: 3387
We are building an application where multiple clients can register and have their own user bases. For example, a client "CompanyA" can register and then allow their users to access our system with their own usernames (some from LDAP). "CompanyB" can also do the same; the usernames will be unique for one client but can be duplicated across clients.
We are using keycloak for this and have used the concept of realms to achieve this. When a new client registers we create a new realm for them and do the required configurations. This works as expected but we are having issues with our middleware.
Our middleware is Kong which has an OIDC plugin which we integrate with keycloak, however the plugin requires the realm name which in our case is actually going to be dynamic.
For example: When a user signs in from our UI he receives a token from their client's realm. Now when a user requests a resource from our backend, this request will go through kong.
Kong will introspect this token using its configured client and realm; however, this cannot be selected dynamically, so ideally I would want to have a configured client on the master realm for each client realm and use this magic client to introspect their tokens.
Is something like this possible? If not, what other avenues can I look into?
Upvotes: 2
Views: 1618
Reputation: 2755
You can inspect the Access Token to see from which realm it was created.
If you decode the JWT token with something like https://jwt.io/ you will see a property on the token called issuer. That is the url of the realm that created the token.
So to get the realm, you do something like this:
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;
...
// parse() only decodes the JWS; it does not check the signature, so the
// issuer read below is untrusted until the token has been verified against
// that realm's keys (TokenVerifier.verify() or the realm's introspection endpoint).
// parse() throws VerificationException if the string is not a well-formed JWS.
AccessToken token = TokenVerifier.create(tokenString, AccessToken.class)
        .parse()
        .getToken();
// Keycloak issuers look like https://host/realms/<realm> (older versions:
// https://host/auth/realms/<realm>), so the realm is the last path segment.
String issuer = token.getIssuer();
String realm = issuer.substring(issuer.lastIndexOf('/') + 1);
Upvotes: 2
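The answer above reads the realm out of the issuer claim of a token that has not yet been verified, which is exactly the state a gateway is in when it must decide which realm's client to introspect with. The following is an added example, not code from the question, the answer or Keycloak; it is in Python rather than Java so it runs without the Keycloak libraries. It assumes a hypothetical trusted Keycloak base URL (https://sso.example.com) and the Keycloak issuer layouts <base>/realms/<realm> and, for older versions, <base>/auth/realms/<realm>. It shows the one check the answer's snippet leaves out: because `iss` is attacker-controlled until the signature is checked, the gateway must match it against an allowlist before using it to choose a JWKS or introspection endpoint, otherwise a forged token can steer it to an attacker's issuer. The sample tokens are constructed inline with a bogus signature, purely to exercise the decoding path.

```python
import base64
import json
import re

# Constructed for this example: the single Keycloak deployment the gateway
# trusts. Every per-client realm lives under this base, so any issuer that is
# not of the form <base>[/auth]/realms/<realm> is rejected outright.
TRUSTED_BASE = "https://sso.example.com"
# Realm names are restricted to a conservative charset here; widen it if your
# realm naming scheme needs more, but keep the anchored base URL.
ISSUER_RE = re.compile(
    r"^" + re.escape(TRUSTED_BASE) + r"(?:/auth)?/realms/([A-Za-z0-9_-]+)$"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def unverified_claims(token: str) -> dict:
    # Decodes the payload WITHOUT checking the signature. Everything returned
    # here is attacker-controlled until the issuing realm's key has verified it.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    return json.loads(_b64url_decode(parts[1]))


def realm_from_issuer(issuer: str):
    # Returns the realm name if the issuer is under the trusted base, else None.
    # This is the allowlist step: an iss pointing at another host must never be
    # used to pick a JWKS URL or an introspection endpoint.
    m = ISSUER_RE.match(issuer)
    return m.group(1) if m else None


def introspection_endpoint(token: str) -> tuple:
    """Return (realm, introspection URL) for the realm that issued `token`.

    The URL is the realm's RFC 7662 endpoint as exposed by Keycloak; the
    caller still has to POST the token there with a client registered in that
    realm (or verify the signature against the realm's JWKS) before trusting
    any other claim in it.
    """
    claims = unverified_claims(token)
    iss = claims.get("iss")
    if not isinstance(iss, str):
        raise ValueError("token has no iss claim")
    realm = realm_from_issuer(iss)
    if realm is None:
        raise ValueError("untrusted issuer: %r" % iss)
    return realm, iss + "/protocol/openid-connect/token/introspect"


def make_sample_token(issuer: str) -> str:
    # Constructed sample: a JWS-shaped string with a bogus signature, enough to
    # exercise the decoding and dispatch logic. Never accept such a token.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "RS256", "typ": "JWT", "kid": "example"}
    payload = {"iss": issuer, "sub": "alice", "azp": "company-a-ui"}
    return enc(header) + "." + enc(payload) + ".bm90LWEtcmVhbC1zaWduYXR1cmU"


if __name__ == "__main__":
    good = make_sample_token("https://sso.example.com/realms/CompanyA")
    print(introspection_endpoint(good))
    bad = make_sample_token("https://evil.example/realms/CompanyA")
    try:
        introspection_endpoint(bad)
    except ValueError as err:
        print("rejected:", err)
```

The realm returned here is only a routing decision; the token still has to be validated by that realm, with a confidential client registered there, before Kong (or whatever sits in front of the backend) lets the request through. Introspecting or verifying against the master realm does not work, because each realm signs with its own keys.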