Custom login SPA again: PKCE auth flexibility in Keycloak

Way 1. PKCE

  • I have read a similar question about custom login.
    Currently KC redirects to its own login page, but it seems the PKCE flow allows creating a secure alternative to assembling the custom login SPA into a Freemarker template.

The schema considered:

  1. The App sends a GET auth request to KC with code_verifier/code_challenge
  2. KC redirects to an external login service (an external IDP that uses KC User federation?)
  3. The external IDP in this approach is just an SPA implementation that POSTs credentials to KC to get an auth code
  4. KC returns the auth code to the login SPA/server (it looks like PKCE allows it to be an SPA/mobile app)
  5. The login SPA redirects to the App with the auth code
  6. The App POSTs to KC with the auth code, code_verifier, client_id… to get an ID token/refresh token
    … Backend flows using tokens

Way 2. Is there an API on KC that could be used by a middleware server which would override the KC PKCE flow implementation but be connected to KC as a trusted source (secure secret handler), and which could pass just an auth code to an App so that the App gets connected and interacts with KC directly later?

Please correct me if any of this is wrong.
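As an added illustration of the PKCE mechanics referred to in steps 1 and 6 of Way 1 (this is example code written for this page, not code from the original post or from Keycloak; the realm, client_id and redirect URI are assumed values), the following Python generates the S256 verifier/challenge pair, builds the Keycloak authorization URL and the token-request body, and uses a small stand-in for the authorization server to show both sides of the exchange, including why an authorization code intercepted without the matching code_verifier cannot be redeemed:

```python
"""PKCE (RFC 7636) for an OIDC authorization-code flow against Keycloak,
with the authorization-server side simulated offline.

Added example; KC_BASE, CLIENT_ID and REDIRECT_URI are assumptions,
not values from the original post.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed deployment details (hypothetical realm and client).
KC_BASE = "https://keycloak.example.com/realms/demo"
CLIENT_ID = "spa-client"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.
    32 random bytes encode to 43 chars, the RFC minimum verifier length."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def challenge_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorize_url(code_challenge: str, state: str) -> str:
    """Step 1: only the challenge travels in the front-channel request."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{KC_BASE}/protocol/openid-connect/auth?{urlencode(params)}"


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 6: form body POSTed to /protocol/openid-connect/token."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


class FakeAuthServer:
    """Stand-in for the Keycloak side: binds each issued code to the
    challenge it was requested with and checks the verifier at token time."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}

    def authorize(self, url: str) -> str:
        q = parse_qs(urlparse(url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("only S256 is accepted here")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (q["code_challenge"][0], q["redirect_uri"][0], q["client_id"][0])
        return code

    def token(self, form: dict) -> bool:
        entry = self._codes.pop(form["code"], None)  # codes are single use
        if entry is None:
            return False
        challenge, redirect_uri, client_id = entry
        return (
            form["redirect_uri"] == redirect_uri
            and form["client_id"] == client_id
            and challenge_matches(form["code_verifier"], challenge)
        )


def run_flow(tamper: bool = False) -> bool:
    """Full exchange. With tamper=True a party that intercepted the code
    tries to redeem it with a verifier of its own and must be refused."""
    server = FakeAuthServer()
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(challenge, state=b64url(secrets.token_bytes(8)))
    code = server.authorize(url)
    if tamper:
        verifier, _ = make_pkce_pair()
    return server.token(build_token_request(code, verifier))
```

The point the simulation makes is that the secret in PKCE is the code_verifier, which never leaves the party that started the flow until it is POSTed directly to the token endpoint; whoever receives the redirect with the code still needs that verifier to redeem it.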