Can I set KEYCLOAK_IDENTITY cookie by myself

I use KeyCloak with OpenID Connect.

I have an application on the same domain that KeyCloak. This application has a endpoint that takes an authorization code as param, and sets the ‘KEYCLOAK_IDENTITY’ cookie in the response to enable SSO.

It works, but is it sure to do that?

Why I want to do that:

I need to set up a SSO between an external website (with it’s own auhentication provider, let’s call it ‘Site A’) and a world of applications handled by Keycloak (let’s call one of them ‘Site K’).

As an authenticated user of Site A, if I want to navigate to site K without logging in (i.e. ussing SSO), I need to be logged in on KeyCloak (authorization code flow will do its job).

But, in order to be logged in on KeyCloak, I need to :

  1. Get an authorization code
  2. Exchange this code for a token which will be added to KeyCloak domain’s cookie (KEYCLOAK_IDENTITY)

The 1. is tricky with OIDC but it’s possible.

The 2. is not possible with OIDC: there is no endpoint in KeyCloak which can take an authorization code and set a cookie without returning the token in the body.

So, my solution is to add a gateway, on the same domain that KeyCloak, that will get a Token from KeyCloak and add it to KEYCLOAK_IDENTITY cookie… It’s tricky but it does work. My question is: is it ‘dangerous’?

1 Like