Hello,
I am backend developer that is new to authentication. We would like to add an authentication to our web applications and we were thinking of using KeyCloak as our authentication layer.
We are required to support Open Id Connect and SAML, which KeyCloak supposed to support (a client can be created for each type).
In addition, we were thinking of using the KeyCloak login page (with our theme) to avoid unnecessary effort of handling the login ourselves.
I have read about Open Id Connect with KeyCloak login page and understood that if the client is set to “Authentication flow = Standard flow” then after a successful login, a redirect will be made to the URL specified in the query string field “redirect_uri” (if it is configured in “Valid redirect URIs” and “Web origins”).
In addition, the redirected page should get from KeyCloak the Authorization code(grant), using which we can ask for an access token from the endpoint “/realms/{realm-name}/protocol/openid-connect/token”.
I have some questions about this part:
1) I understand that the authorization code can be read from the query string field “code=”. Is there another way to get it? (seems like sensitive info to pass in the URL).
2) In order to request the access token is it enough to send the authorization code to the access token request endpoint? Or do I need to specify additional info like some sort of a secret? If yes, from where can I obtain the secret?
a. In that case, our frontend can pass the authorization code to the backend and the backend will request the access token using both the authorization code and the secret.
Let’s assume the backend retrieved a valid access token from Keycloak. We were thinking of creating a session from the access token and to pass to the frontend a cookie (with the flags HttpOnly and Secure) that will contain only the session id.
** We read that passing the access token to the frontend might be considered as a vulnerability, though we are not really sure why the session id is less “powerful” than an access token.
Now we want to understand if the flow with SAML client will be similar? We could not find enough information about it.
I would appreciate if someone could explain how to work with the SAML client with a KeyCloak login page to get an access token. Links to relevant documentation would be appreciated as well.
Thanks a lot,
Michael