Hello, I hope you can help with the following use case. The company I work for requires installing a Keycloak service on-premises (cluster) and a Keycloak service in Azure. The token generated on-premises is required to work in Azure and vice versa. Is this configuration possible? If so, how can I achieve it? Thank you.
Hello,
There are probably a few ways to achieve what you’re looking for, but maybe first make sure to properly design what you are trying to do from a security perspective.
Making “the token work” has a certain depth of uncertainty - what do you mean exactly? Are both Keycloak instances copies, so same realms, user bases, clients etc. - I guess not?
So how do they differ - and what does “should work” mean exactly?
From my guessing, you try to achieve a kind of SSO, where being logged in in one KC allows you access “as if you were logged in” on the other - which calls for an IdP-Link between them:
KC OnPrem --> IdP: KC Azure
KC Azure --> IdP: KC OnPrem
That of course would require proper accessibility over the network.
IF you set this up alike, you end up with a kind of generic SSO-UseCase enabling you to select the IdP, Auto-Redirect or detecting it by other means.
Regarding clients you may need to check if there are any specific permissions to be setup though or how to treat the users from the external KC.
Slight Note of Warning though: If you set it up like this, you are building a loop which you usually never want! (Azure KC --> Login with OnPrem KC --> Login with Azure KC --> …)
Hence my initial Note to properly draw up what you like to achieve?
Other Options:
- Combine both KC Instances as one distributed Cluster?
- Configure an explicit TokenExchange between them if needed.
Just please DO NOT come to the idea of sharing keys
Regards, Simon
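The mutual IdP link and the loop warning from Simon's reply, as an added example that is not part of the thread: two constructed Keycloak realm-import fragments, each brokering to the other through a `keycloak-oidc` identity provider, and a check that flags the pair as a loop, marking it unconditional when both sides also auto-redirect (Identity Provider Redirector with `defaultProvider`), so every browser login would bounce between the instances. Hostnames, client id and secret are placeholders.

```python
ONPREM = "https://kc-onprem.example/realms/corp"  # placeholder issuer URLs
AZURE = "https://kc-azure.example/realms/corp"

def broker_realm(peer_issuer, alias, auto_redirect):
    """Minimal realm-import fragment brokering to `peer_issuer` (keys mirror
    Keycloak's realm export format; the secret is a placeholder)."""
    return {
        "realm": "corp",
        "identityProviders": [{
            "alias": alias, "providerId": "keycloak-oidc", "enabled": True,
            "config": {
                "clientId": "broker-client",  # client registered on the peer
                "clientSecret": "<placeholder-secret>",
                "issuer": peer_issuer,
                "authorizationUrl": peer_issuer + "/protocol/openid-connect/auth",
                "tokenUrl": peer_issuer + "/protocol/openid-connect/token",
                "jwksUrl": peer_issuer + "/protocol/openid-connect/certs",
                "validateSignature": "true", "useJwksUrl": "true", "syncMode": "IMPORT",
            },
        }],
        # Identity Provider Redirector config: every browser login is sent
        # straight to the named broker instead of showing a login chooser.
        "authenticatorConfig": [{"alias": "auto-redirect",
                                 "config": {"defaultProvider": alias}}] if auto_redirect else [],
    }

def broker_targets(realm):
    """{alias: issuer} for every enabled keycloak-oidc broker in the realm."""
    return {idp["alias"]: idp["config"]["issuer"]
            for idp in realm.get("identityProviders", [])
            if idp.get("enabled") and idp.get("providerId") == "keycloak-oidc"}

def default_provider(realm):
    """Alias the realm auto-redirects to, or None if a chooser is shown."""
    for cfg in realm.get("authenticatorConfig", []):
        if cfg.get("config", {}).get("defaultProvider"):
            return cfg["config"]["defaultProvider"]

def find_broker_loops(realms):
    """realms: {issuer: realm_json} -> [(a, b, unconditional)] for each pair
    brokering to each other; unconditional means both auto-redirect as well."""
    loops, issuers = [], sorted(realms)
    for i, a in enumerate(issuers):
        for b in issuers[i + 1:]:
            a_to_b = [al for al, iss in broker_targets(realms[a]).items() if iss == b]
            b_to_a = [al for al, iss in broker_targets(realms[b]).items() if iss == a]
            if a_to_b and b_to_a:
                loops.append((a, b, default_provider(realms[a]) in a_to_b
                              and default_provider(realms[b]) in b_to_a))
    return loops
```

Run it against real realm exports (`identityProviders` and `authenticatorConfig` sections) to spot the A --> B --> A setup before importing it; an explicit token exchange or a single distributed cluster avoids the loop entirely.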