I use KeyCloak with OpenID Connect.
I have an application on the same domain as KeyCloak. This application has an endpoint that takes an authorization code as a param, and sets the ‘KEYCLOAK_IDENTITY’ cookie in the response to enable SSO.
It works, but is it safe to do that?
Why I want to do that:
I need to set up an SSO between an external website (with its own authentication provider, let’s call it ‘Site A’) and a world of applications handled by Keycloak (let’s call one of them ‘Site K’).
As an authenticated user of Site A, if I want to navigate to Site K without logging in (i.e. using SSO), I need to be logged in on KeyCloak (the authorization code flow will do its job).
But, in order to be logged in on KeyCloak, I need to:
1. Get an authorization code
2. Exchange this code for a token which will be added to the KeyCloak domain’s cookie (KEYCLOAK_IDENTITY)
Step 1 is tricky with OIDC but it’s possible.
Step 2 is not possible with OIDC: there is no endpoint in KeyCloak which can take an authorization code and set a cookie without returning the token in the body.
So, my solution is to add a gateway, on the same domain as KeyCloak, that will get a token from KeyCloak and add it to the KEYCLOAK_IDENTITY cookie… It’s tricky but it does work. My question is: is it ‘dangerous’?
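An added example, not the poster's code and not Keycloak's, of what a "code in, session cookie out" gateway endpoint like the one described above looks like once the checks a reviewer would ask for are in place: the `state` value is bound to the browser's login attempt, the authorization code is single-use at the token endpoint, the returned token is verified (signature, `iss`, `aud`, `exp`, `nonce`) before anything is written into a cookie, and the cookie carries `Secure`, `HttpOnly` and `SameSite`. Everything here is constructed for illustration: the issuer URL, client credentials, the HS256 token format (Keycloak signs with RS256), `MockTokenEndpoint`, and the cookie name `SSO_SESSION`; the real `KEYCLOAK_IDENTITY` cookie is Keycloak-internal and its format is not reproduced.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed values for the example (not from the post or from Keycloak).
ISSUER = "https://idp.example.test/realms/demo"
CLIENT_ID = "sso-gateway"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://idp.example.test/gateway/callback"
SIGNING_KEY = b"constructed-hs256-key"  # stand-in for the realm key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a compact HS256 JWT; plays the role of the IdP's token issuer."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, now: int, key: bytes = SIGNING_KEY) -> dict:
    """Signature, issuer, audience and expiry must all hold before the token
    is trusted enough to become a session cookie."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


class MockTokenEndpoint:
    """Constructed stand-in for the IdP token endpoint: codes are single-use
    and bound to the client, redirect_uri and nonce they were issued for."""

    def __init__(self):
        self._codes = {}

    def issue_code(self, sub: str, client_id: str, redirect_uri: str, nonce: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = (sub, client_id, redirect_uri, nonce)
        return code

    def exchange(self, code, client_id, client_secret, redirect_uri, now):
        entry = self._codes.pop(code, None)  # pop: a replayed code is rejected
        if entry is None or client_secret != CLIENT_SECRET:
            return None
        sub, bound_client, bound_redirect, nonce = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            return None
        return sign_token({"iss": ISSUER, "aud": client_id, "sub": sub,
                           "nonce": nonce, "exp": now + 300})


class Gateway:
    """The gateway endpoint: exchanges a code and, only after verification,
    answers with a hardened session cookie."""

    def __init__(self, idp: MockTokenEndpoint):
        self.idp = idp
        self._pending = {}  # state -> nonce; in practice kept in the browser session

    def begin_login(self):
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = nonce
        return state, nonce

    def callback(self, code: str, state: str, now: int):
        nonce = self._pending.pop(state, None)  # unknown or reused state: reject
        if nonce is None:
            return None
        token = self.idp.exchange(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, now)
        if token is None:
            return None
        try:
            claims = verify_token(token, now)
        except ValueError:
            return None
        if claims.get("nonce") != nonce:  # token must belong to this login attempt
            return None
        # Placeholder cookie name; KEYCLOAK_IDENTITY's real format is Keycloak-internal.
        return f"SSO_SESSION={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo(now: int = 1_700_000_000) -> dict:
    """Happy path plus three misuse cases; returns what each attempt produced."""
    idp = MockTokenEndpoint()
    gw = Gateway(idp)
    state, nonce = gw.begin_login()
    code = idp.issue_code("alice", CLIENT_ID, REDIRECT_URI, nonce)
    ok = gw.callback(code, state, now)
    replay_state = gw.callback(code, state, now)     # state already consumed
    state2, _ = gw.begin_login()
    replay_code = gw.callback(code, state2, now)     # code already consumed
    _, nonce3 = gw.begin_login()
    code3 = idp.issue_code("bob", CLIENT_ID, REDIRECT_URI, nonce3)
    state4, _ = gw.begin_login()
    swapped = gw.callback(code3, state4, now)        # code from another attempt
    return {"ok": ok, "replay_state": replay_state,
            "replay_code": replay_code, "swapped": swapped}
```

The point of the mock is the set of rejections, not the happy path: without the `state`/`nonce` binding a third party can complete the flow in the victim's browser with a code of their own (login CSRF); without single-use codes and token verification the gateway turns any leaked or forged code into a session; and because the gateway sits on the IdP's domain, its cookie-setting endpoint is part of the identity provider's trust boundary and should be reviewed and rate-limited as such.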