Authentication with external redirect

Getting advice
1

Hi,

I’m using Keycloak as an SSO provider, and have implemented a custom Authenticator for some custom authentication methods which work just fine.
However, I’m trying to add another authentication method which is via an external website (it works kind of like FB/Google social Identity Provider login; except it does not support OIDC) - it redirects you to an external page, you enter your credentials, and from there the user is redirected back to an endpoint in Keycloak with a payload that has the necessary user details.
For this redirect back from the external website, I have created a custom REST endpoint with RealmResourceProvider & RealmResourceProviderFactory. I am able to get the payload with user data, but in this endpoint (RealmResourceProvider), I am not able to authenticate the user in any way - there is no AuthenticationFlowContext. When the user is redirected back to Keycloak, a new KeycloakSession is also created so basically nothing about the initial request still exists for access…
So my question is basically if there is a way to create the AuthenticationFlowContext in a RealmResourceProvider? Or authenticate the user in any way in RealmResourceProvider? Or is there some other way to get a working auth flow going?

2

Managed to get it working by saving the initial URL that the user lands on in a cookie (before they are redirected out of Keycloak) like so:

String url = context.getActionUrl("code1", true).toString();
        CookieHelper.addCookie("cookieName", url, "/", null, null, 300, true, true, ServerCookie.SameSiteAttributeValue.NONE);

Then, when redirecting back from external site into the RealmResourceProvider REST endpoint, I get the cookie

String redirectUrl = CookieHelper.getCookieValue("cookieName").iterator().next();

I split the querystring to a map (get auth_session_id, client_id and tab_id from ths querystring), and initialize a new SessionCodeChecks object and init a new AuthenticationSessionModel. Then I add the payload from external response to the authSession AuthNote

        SessionCodeChecks sessionCodeChecks = new SessionCodeChecks(realm, context.getUri(), httpRequest, context.getConnection(), session, event, queryParams.get("auth_session_id"), null, null, queryParams.get("client_id"),  queryParams.get("tab_id"), null);
AuthenticationSessionModel authSession = sessionCodeChecks.initialVerifyAuthSession();
        authSession.setAuthNote("authNoteKey", payload); //payload is basically a bunch of parameters serialized to a string

And finally, I redirect the client back to the initial login form (with same URL that I saved in cookie before)

        Response.ResponseBuilder builder = Response.seeOther(URI.create(redirectUrl));
        return builder.build();

Now, in my custom Authenticator, I can access the data which I added into AuthNote in AuthenticationSession. Before the form loads, the authenticate(AuthenticationFlowContext context) method is called. In there, I can check if the authNote contains anything with my key - and if it does, I will validate the payload - if it’s valid, I can authenticate the user.

This was all in Keycloak 15.0

1 Like