Keycloak and dynamic redirect URIs
This documentation describes the following scenario:

Internal users
- access the BPC via the address bpc.intern.de
- cannot reach *.extern.de

External users
- access the BPC via the address bpc.extern.de
- cannot reach *.intern.de
Keycloak is reached at keycloak.intern.de or keycloak.extern.de, depending on the user.
After logging in, each user must be redirected to their own address, because the other address is not reachable for them.
Solution BPC version < 4.2.13
The available options post_authentication_redirect_uri and post_logout_redirect_uri accept an array as a value instead of a string.
This array contains value pairs, each consisting of a regular expression ('pattern') and a URI ('uri').
The Identity Provider metadata is normally queried via the setting IdentityProvider_URL.
Since this setting does not allow multiple values, an additional parameter metadata_discovery_uri must be added to the configuration.
It is then used instead and follows the same structure of value pairs consisting of a regular expression ('pattern') and a URI ('uri').
When a user goes through the authentication process, the URL being used (e.g. https://bpc.intern.de/) is checked against the regular expressions one after the other, and the first match determines the value that is applied.
{
  "client_id": "bpc-core",
  "scope": "openid profile email address phone roles",
  "claim_name_roles": "bpc_client_roles,bpc_realm_roles",
  "client_secret": "8687ab26-830f-47ed-8ed1-6e62192ccd9c",
  "post_authentication_redirect_uri": [
    {
      "pattern": ".*extern.*",
      "uri": "https://bpc.extern.de"
    },
    {
      "pattern": ".*intern.*",
      "uri": "https://bpc.intern.de"
    }
  ],
  "post_logout_redirect_uri": [
    {
      "pattern": ".*extern.*",
      "uri": "https://bpc.extern.de"
    },
    {
      "pattern": ".*intern.*",
      "uri": "https://bpc.intern.de"
    }
  ],
  "metadata_discovery_uri": [
    {
      "pattern": ".*extern.*",
      "uri": "https://keycloak.extern.de/auth/realms/bpc/.well-known/openid-configuration"
    },
    {
      "pattern": ".*intern.*",
      "uri": "https://keycloak.intern.de/auth/realms/bpc/.well-known/openid-configuration"
    }
  ]
}
Solution BPC version >= 4.2.13
The existing settings IdentityProvider_OIDC_MetadataDiscoveryURI, IdentityProvider_OIDC_PostAuthenticationRedirectURI and IdentityProvider_OIDC_PostLogoutRedirectURI accept an array as a value.
This array contains value pairs, each consisting of a regular expression (pattern) and a URI (uri).
When a user goes through the authentication process, the URL being used (e.g. https://bpc.intern.de/) is checked against the regular expressions one after the other, and the first match determines the value that is applied.
IdentityProvider_OIDC_MetadataDiscoveryURI:
[
  {
    "pattern": ".*extern.*",
    "uri": "https://keycloak.extern.de/auth/realms/bpc/.well-known/openid-configuration"
  },
  {
    "pattern": ".*intern.*",
    "uri": "https://keycloak.intern.de/auth/realms/bpc/.well-known/openid-configuration"
  }
]

IdentityProvider_OIDC_PostAuthenticationRedirectURI:
[
  {
    "pattern": ".*extern.*",
    "uri": "https://bpc.extern.de"
  },
  {
    "pattern": ".*intern.*",
    "uri": "https://bpc.intern.de"
  }
]

IdentityProvider_OIDC_PostLogoutRedirectURI:
[
  {
    "pattern": ".*extern.*",
    "uri": "https://bpc.extern.de"
  },
  {
    "pattern": ".*intern.*",
    "uri": "https://bpc.intern.de"
  }
]
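The first-match lookup described in both solution sections above, as an added Python example. This is not BPC's or Keycloak's own code (the page does not show the BPC implementation); it uses the page's pattern/uri entries as constructed sample configuration, compiles every pattern once at start-up so that a malformed entry fails early, and returns None when no pattern matches so the caller can fail closed instead of redirecting to a default that was never configured. The matching mode (full-string match) is an assumption; the page only says the URL is "checked against" the patterns, and its '.*extern.*' / '.*intern.*' patterns behave identically under partial matching.

```python
import re
from typing import Optional, Sequence, Tuple, Union
from urllib.parse import urlsplit

# Constructed sample configuration with the same shape as the page's examples:
# an ordered list of {"pattern": <regex>, "uri": <value>} entries.
# Hostnames are the page's own (bpc.intern.de / bpc.extern.de).
POST_AUTHENTICATION_REDIRECT_URI = [
    {"pattern": ".*extern.*", "uri": "https://bpc.extern.de"},
    {"pattern": ".*intern.*", "uri": "https://bpc.intern.de"},
]

# A setting is either a plain string (one value for everyone) or the array form.
Setting = Union[str, Sequence[dict]]


def validate_setting(setting: Setting) -> list:
    """Compile every pattern once and reject malformed entries at start-up.

    Returns a list of (compiled_regex, uri) tuples in configured order.
    Raises ValueError for a missing key, a regex that does not compile, or a
    uri that is not an absolute https URL.  The https check is this example's
    own hardening choice: the resulting uri values are effectively the redirect
    allow-list, so nothing relative or plaintext should slip in.
    """
    if isinstance(setting, str):
        # Plain string form: treat it as a single catch-all entry.
        setting = [{"pattern": ".*", "uri": setting}]
    compiled: list = []
    for i, entry in enumerate(setting):
        if not isinstance(entry, dict) or "pattern" not in entry or "uri" not in entry:
            raise ValueError(f"entry {i}: needs both 'pattern' and 'uri'")
        try:
            rx = re.compile(entry["pattern"])
        except re.error as exc:
            raise ValueError(f"entry {i}: bad regex {entry['pattern']!r}: {exc}") from exc
        parts = urlsplit(entry["uri"])
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"entry {i}: uri must be an absolute https URL")
        compiled.append((rx, entry["uri"]))
    return compiled


def resolve(setting: Setting, request_url: str) -> Optional[str]:
    """Return the uri of the first entry whose pattern matches request_url.

    Entries are tried in configured order and the first hit wins, exactly as
    the page describes.  Full-string matching (re.fullmatch) is an assumption
    about the matching mode.  None means "no pattern matched": the caller
    should treat that as a configuration error, not fall back to some default.
    """
    for rx, uri in validate_setting(setting):
        if rx.fullmatch(request_url):
            return uri
    return None


if __name__ == "__main__":
    for url in ("https://bpc.intern.de/", "https://bpc.extern.de/", "https://bpc.example.test/"):
        print(url, "->", resolve(POST_AUTHENTICATION_REDIRECT_URI, url))
```

Because the first hit wins, a broad pattern placed before a narrower one shadows it: an entry with pattern ".*" at the top would send every user to the same address regardless of what follows. Keep the most specific entries first and, if a catch-all is wanted at all, put it last. Running validate_setting once at start-up (rather than per request) turns a typo in a pattern into a failed deployment instead of a redirect that silently never matches.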