Authentication with external redirect

Hi,

I’m using Keycloak as an SSO provider, and have implemented a custom Authenticator for some custom authentication methods which work just fine.
However, I’m trying to add another authentication method which is via an external website (it works kind of like FB/Google social Identity Provider login; except it does not support OIDC) - it redirects you to an external page, you enter your credentials, and from there the user is redirected back to an endpoint in Keycloak with a payload that has the necessary user details.
For this redirect back from the external website, I have created a custom REST endpoint with RealmResourceProvider & RealmResourceProviderFactory. I am able to get the payload with user data, but in this endpoint (RealmResourceProvider), I am not able to authenticate the user in any way - there is no AuthenticationFlowContext. When the user is redirected back to Keycloak, a new KeycloakSession is also created so basically nothing about the initial request still exists for access…
So my question is basically if there is a way to create the AuthenticationFlowContext in a RealmResourceProvider? Or authenticate the user in any way in RealmResourceProvider? Or is there some other way to get a working auth flow going?

Managed to get it working by saving the initial URL that the user lands on in a cookie (before they are redirected out of Keycloak) like so:

// In the Authenticator: URL of this flow step, with auth_session_id, client_id and tab_id in the query string
String url = context.getActionUrl("code1", true).toString();
// Secure, HttpOnly, 300 s lifetime; SameSite=None so the browser still sends it on the cross-site redirect back
CookieHelper.addCookie("cookieName", url, "/", null, null, 300, true, true, ServerCookie.SameSiteAttributeValue.NONE);

Then, when redirecting back from the external site into the RealmResourceProvider REST endpoint, I get the cookie

// getCookieValue returns a Set<String>; iterator().next() throws if the cookie is missing or has expired
String redirectUrl = CookieHelper.getCookieValue("cookieName").iterator().next();

I split the query string into a map (get auth_session_id, client_id and tab_id from this query string), initialize a new SessionCodeChecks object, and init a new AuthenticationSessionModel. Then I add the payload from the external response to the authSession AuthNote

// Here context is session.getContext() (KeycloakContext); httpRequest and event are the endpoint's HttpRequest and EventBuilder
SessionCodeChecks sessionCodeChecks = new SessionCodeChecks(realm, context.getUri(), httpRequest, context.getConnection(), session, event,
        queryParams.get("auth_session_id"), null, null, queryParams.get("client_id"), queryParams.get("tab_id"), null);
// Looks the auth session up from the browser's AUTH_SESSION_ID cookie plus tab_id; returns null (with an error/expired-page response) if it cannot be verified
AuthenticationSessionModel authSession = sessionCodeChecks.initialVerifyAuthSession();
if (authSession == null) return sessionCodeChecks.getResponse();
authSession.setAuthNote("authNoteKey", payload); // payload is basically a bunch of parameters serialized to a string

And finally, I redirect the client back to the initial login form (with same URL that I saved in cookie before)

// Send the browser back to the flow step saved in the cookie; the Authenticator picks the note up from there
Response.ResponseBuilder builder = Response.seeOther(URI.create(redirectUrl));
return builder.build();

Now, in my custom Authenticator, I can access the data which I added to the AuthNote of the AuthenticationSession. Before the form loads, the authenticate(AuthenticationFlowContext context) method is called. In there, I can check if the authNote contains anything with my key - and if it does, I will validate the payload - if it's valid, I can authenticate the user.

This was all in Keycloak 15.0
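As an added example (not the original poster's code and not part of Keycloak itself), this is what the Authenticator half of the procedure above can look like, with the "validate the payload" step written out. The note key authNoteKey, the template name external-login.ftl, the payload layout username|issuedAt|base64url(HMAC-SHA256(username|issuedAt)), the 300-second freshness window and the shared secret are assumptions made for illustration; the Keycloak class and method names are those of the Keycloak 15 SPI.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

public class ExternalRedirectAuthenticator implements Authenticator {

    // Same note key the REST endpoint writes into the authentication session (assumed name).
    static final String NOTE_KEY = "authNoteKey";
    // Assumed: HMAC key shared with the external site; load it from authenticator config in real code.
    static final byte[] SHARED_SECRET = "replace-with-a-real-shared-secret".getBytes(StandardCharsets.UTF_8);
    // Assumed: how old a returned payload may be before it is rejected.
    static final long MAX_AGE_SECONDS = 300;

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        String payload = authSession.getAuthNote(NOTE_KEY);

        if (payload == null) {
            // First pass: nothing has come back from the external site yet, so render the
            // page that sends the user there (template name is an assumption).
            context.challenge(context.form().createForm("external-login.ftl"));
            return;
        }

        // Consume the note before checking it: whatever happens below, the same payload
        // cannot be replayed by reloading the page or re-entering the flow.
        authSession.removeAuthNote(NOTE_KEY);

        String username = verifyPayload(payload);
        if (username == null) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }

        UserModel user = context.getSession().users().getUserByUsername(context.getRealm(), username);
        if (user == null || !user.isEnabled()) {
            context.failure(AuthenticationFlowError.UNKNOWN_USER);
            return;
        }
        context.setUser(user);
        context.success();
    }

    /**
     * Assumed payload layout: "username|issuedAtEpochSeconds|base64url(HMAC-SHA256(username|issuedAt))".
     * Returns the username when the MAC verifies and the payload is fresh, otherwise null.
     */
    static String verifyPayload(String payload) {
        String[] parts = payload.split("\\|", -1);
        if (parts.length != 3) return null;
        long issuedAt;
        try { issuedAt = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        long now = Instant.now().getEpochSecond();
        // Reject stale payloads and payloads dated unreasonably far in the future.
        if (now - issuedAt > MAX_AGE_SECONDS || issuedAt > now + 60) return null;
        byte[] expected = hmac(parts[0] + "|" + parts[1]);
        byte[] given;
        try { given = Base64.getUrlDecoder().decode(parts[2]); } catch (IllegalArgumentException e) { return null; }
        // Constant-time comparison so the MAC cannot be guessed byte by byte.
        return MessageDigest.isEqual(expected, given) ? parts[0] : null;
    }

    static byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SHARED_SECRET, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // The rendered page only redirects out to the external site, so a POST is handled like a fresh pass.
        authenticate(context);
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

The order in authenticate() matters: the note is removed before it is validated, so a payload that fails the check cannot be retried, and a valid one is only good for the single pass through the flow that follows the redirect. The freshness window limits how long a captured redirect-back URL stays usable, and the MAC is what ties the username to the external site rather than to whoever can reach the REST endpoint; the endpoint itself only stores the payload, it must not be the place where the user is trusted.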
