I want to implement the OAuth 2.0 authorization code flow for confidential clients.
Below is the list of parties involved:
- User: end-user person.
- Client: third-party application acting as a confidential client.
- Keycloak: authorization server.
- Resource server: Spring Boot application whose endpoints need to be secured with an access token.
- Separately running "Authentication Service" with a login page for user authentication. This authentication service has a login page and a user credential database with which it can authenticate the end user.
I have Keycloak as the authorization server where all clients register to get the client_id and client secret.
Below is the required flow:
Step 1. Whenever any authorization request comes to the Keycloak authorization server with client_id, response_type and redirect_uri (of the client app), Keycloak should redirect the flow to the separately running "Authentication Service" login page instead of its own Keycloak login page, because the user database and authentication are maintained by the separate authentication service.
Step 2. Once the user enters their username and password, this authentication service will authenticate the user and, if successful, redirect the flow back to Keycloak with a success message.
Step 3. On receiving the success message from the Authentication Service, Keycloak will handle everything further, like returning the auth code, token, etc.
So, in a nutshell: how do I configure this separately running Authentication Service as an external user authentication service with a login page while still keeping Keycloak in control of the authorization flow (including the /authorize, /token and all other endpoints staying with Keycloak)?
It would be great if someone could share an example with a codebase.
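For the Steps 1-3 above, an added sketch (not from the question and not Keycloak's own code) of a custom Keycloak Authenticator SPI that replaces the built-in username/password step in a copy of the browser flow: authenticate() redirects to the external login page and action() validates the redirect back before letting Keycloak continue to the code/token steps. It assumes Keycloak 13+ with javax.ws.rs (jakarta.ws.rs from Keycloak 22), placeholder values for LOGIN_URL and the shared HMAC SECRET, and an external service that redirects the browser to return_to with an assertion of the form base64url(username|nonce|expiry).base64url(HMAC-SHA256); the AuthenticatorFactory and META-INF/services registration that Keycloak also requires are omitted.

```java
import java.net.URI; import java.net.URLEncoder; import java.nio.charset.StandardCharsets;
import java.security.MessageDigest; import java.util.Base64; import java.util.UUID;
import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import javax.ws.rs.core.Response;
import org.keycloak.authentication.*; import org.keycloak.models.*;

public class ExternalLoginAuthenticator implements Authenticator {
    static final String LOGIN_URL = "https://login.example.internal/login";                        // placeholder
    static final byte[] SECRET = "REPLACE-WITH-SHARED-SECRET".getBytes(StandardCharsets.UTF_8);    // placeholder
    @Override public void authenticate(AuthenticationFlowContext ctx) {
        // Step 1: bind a fresh nonce to this login session, then send the browser to the external
        // login page; return_to is Keycloak's own action URL, so the callback lands in action() below.
        String nonce = UUID.randomUUID().toString();
        ctx.getAuthenticationSession().setAuthNote("ext_nonce", nonce);
        String returnTo = ctx.getActionUrl(ctx.generateAccessCode()).toString();
        URI target = URI.create(LOGIN_URL + "?nonce=" + nonce + "&return_to="
                + URLEncoder.encode(returnTo, StandardCharsets.UTF_8));
        ctx.challenge(Response.seeOther(target).build());
    }
    @Override public void action(AuthenticationFlowContext ctx) {
        // Steps 2-3: the service redirected back with ?assertion=<base64url(user|nonce|exp)>.<base64url(mac)>.
        // Keycloak must not trust a bare "success" flag: verify the MAC, the nonce and the expiry first.
        String assertion = ctx.getUriInfo().getQueryParameters().getFirst("assertion");
        String username = verify(assertion, ctx.getAuthenticationSession().getAuthNote("ext_nonce"));
        if (username == null) { ctx.failure(AuthenticationFlowError.INVALID_CREDENTIALS); return; }
        UserModel user = ctx.getSession().users().getUserByUsername(ctx.getRealm(), username);
        if (user == null) { ctx.failure(AuthenticationFlowError.UNKNOWN_USER); return; }
        ctx.setUser(user);
        ctx.success(); // from here Keycloak issues the authorization code and tokens as usual
    }
    /** Returns the asserted username, or null if the assertion is malformed, forged, replayed or expired. */
    static String verify(String assertion, String expectedNonce) {
        try {
            String[] parts = assertion.split("\\.", 2);
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            byte[] sig = Base64.getUrlDecoder().decode(parts[1]);
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SECRET, "HmacSHA256"));
            if (!MessageDigest.isEqual(mac.doFinal(payload), sig)) return null;        // constant-time compare
            String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|", 3);
            if (expectedNonce == null || !expectedNonce.equals(f[1])) return null;      // not this login session
            if (Long.parseLong(f[2]) < System.currentTimeMillis() / 1000) return null;  // expired
            return f[0];
        } catch (Exception e) { return null; }                                          // any parse error = reject
    }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The external service only ever sees the nonce and return_to; the authorization code and tokens are still minted by Keycloak after ctx.success(), so /authorize and /token stay entirely under Keycloak's control.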