I’m running into a problem and am not sure if there is a solution.
The current problem:
Website 1 (no-sso)
Website 2 (openid, managed by keycloak instance)
What I’m trying to do:
User access website 1 then is authenticated and authorized to website 2 using the browser flow and pass thru without seeing a keycloak login page.
It should be seamless (no keycloak login pages of any kind)
I’m able to generate an access_token using the rest api, but when I redirect to website 2 I get kicked back to the keycloak login page.
From the keycloak logs it looks at first the login is successful but after the webapp redirects then I’m presented with the keycloak login screen.
Is there an alternative browser flow that would allow me to do this?
Yes I understand that password grants are an anti-pattern.
Is it getting kicked back because the access_token expires and you have no refresh?
You can generate a JWT token for website 1 using the direct grant flow. But this won’t generate the cookie used by Keycloak to detect authenticated browser sessions.
This is important because website2 need a way to check if the user is authenticated. This is done redirecting the user to the browser flow and saving the resulting token.
So, I don’t see a simple way to let you do that other than sharing sessions between website1 and website2. A cookie, maybe?
You can even save the JWT token inside the (hopefully encrypted cookie).
I think it’s worth a try… not sure if it will work.
Once rolled out, website 2 won’t be a site that I can control in any way. From the logs it looks like the first requests works, but because the authorization header doesn’t set a cookie the browser is redirected to keycloak login page.
This is what I’ve been asked to do, and am not even sure if it’s possible: