At work, I have to implement a dirty way to log in because of a Sales Team error, so there is no way I can change how we log in; I can only explain it here.
We have to build multiple applications, all connected together through Keycloak OpenID Connect. The applications are built using Symfony 6.1 and PHP 8.1, and we are not using a Single Page Architecture. So we plan to use OpenID Connect to connect to Keycloak (we already have another application connected to Keycloak this way). We are using EC2 servers.
Example of URL:
Keycloak URL: https:// keycloak.aws.cloud
Local App: http:// myapp.localhost
Current value of the Content Security Policy in the Keycloak admin console: frame-src ‘self’ http:// mayapp.localhost localhost; frame-ancestors ‘self’ http:// mayapp.localhost localhost; object-src ‘none’;
The client does not want to be redirected to the Keycloak side. He would like the fields to appear on the login page of each application. So we are trying to make the login system work within an iframe.
After a lot of research, I finally found a way to display the form correctly using Realm Settings > Security Defenses > Content-Security-Policy. But now, when I log in successfully as my user, I get the error message: Cookie not found. Please make sure cookies are enabled in your browser.
I did a lot of research but was unable to solve the problem. I tried looking at CORS and setting Allow Origin. I tried testing with Keycloak.js (but it seems to be built for SPAs).
Is there a way to achieve that?
If yes, could you please guide me a little (as I’m a noob at server config) by telling me which configuration, on which side, I should update?
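The frame-ancestors value quoted in the post is easy to get subtly wrong, and the browser console rarely says which source expression failed to match. As an added example that is not part of the original post, the JavaScript below implements a small evaluator for the CSP source-matching rules that matter here (the 'self' and 'none' keywords, host wildcards, scheme and port) and runs it against the policy from the post and against an adjusted version. Assumptions: the Keycloak origin is https://keycloak.aws.cloud and the embedding app is http://myapp.localhost, as stated above; the header is written with straight ASCII quotes, which CSP keywords require (curly quotes make 'self' an invalid source that matches nothing); the adjusted policy is mine, not the poster's. Path matching, nonces and hashes are not implemented.

```javascript
// Added example, not code from the original post: a minimal evaluator for
// Content-Security-Policy framing directives, so you can check offline which
// embedder origins a given CSP value would actually allow.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Split a CSP header into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Break an origin such as "https://keycloak.aws.cloud:8443" into parts,
// filling in the default port so "http://x" and "http://x:80" compare equal.
function originParts(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORTS[u.protocol] || '' };
}

// A source scheme allows the same scheme; an http: source also allows https:
// (CSP's secure-upgrade rule). Nothing else matches.
function schemeAllows(sourceScheme, originScheme) {
  return sourceScheme === originScheme || (sourceScheme === 'http:' && originScheme === 'https:');
}

// Does one source expression match `origin`? `self` is the origin of the
// response that carries the CSP header (here: Keycloak).
function sourceMatches(source, origin, self) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  const o = originParts(origin);
  if (source === "'self'") {
    const s = originParts(self);
    return o.scheme === s.scheme && o.host === s.host && o.port === s.port;
  }
  // Anything else wrapped in quotes (including curly quotes pasted from a
  // word processor) is not a recognised keyword and never matches.
  if (/^['‘’"]/.test(source)) return false;

  // scheme-source, e.g. "https:"
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(source);
  if (schemeOnly) return schemeAllows(schemeOnly[1].toLowerCase() + ':', o.scheme);

  // host-source: [scheme://]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/\s]+)(?::(\*|\d+))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;

  // Without an explicit scheme the origin must use the protected document's
  // scheme, so a bare "localhost" in an https Keycloak policy never matches
  // an http:// embedder.
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : originParts(self).scheme;
  if (!schemeAllows(wantScheme, o.scheme)) return false;

  // Host: exact match, "*" for any host, or "*.example.com" for subdomains
  // (the wildcard does not match the bare domain itself).
  const h = host.toLowerCase();
  if (h.startsWith('*.')) {
    if (!o.host.endsWith(h.slice(1))) return false;
  } else if (h !== '*' && h !== o.host) {
    return false;
  }

  // Port: "*" matches any; an omitted port means the scheme's default port.
  if (port === '*') return true;
  if (port === undefined) return o.port === DEFAULT_PORTS[o.scheme];
  return port === o.port;
}

// Would a page at `embedderOrigin` be allowed to frame Keycloak (`keycloakOrigin`)
// under this CSP? A missing frame-ancestors directive imposes no CSP restriction.
function frameAncestorAllowed(cspHeader, keycloakOrigin, embedderOrigin) {
  const sources = parseCsp(cspHeader)['frame-ancestors'];
  if (!sources) return true;
  return sources.some((s) => sourceMatches(s, embedderOrigin, keycloakOrigin));
}

// Constructed inputs taken from the post (straight quotes substituted).
const KEYCLOAK_ORIGIN = 'https://keycloak.aws.cloud';
const POSTED_CSP =
  "frame-src 'self' http://mayapp.localhost localhost; frame-ancestors 'self' http://mayapp.localhost localhost; object-src 'none';";
// Adjusted policy (my assumption): the app's real origin, http://myapp.localhost, listed explicitly.
const ADJUSTED_CSP =
  "frame-src 'self' http://myapp.localhost; frame-ancestors 'self' http://myapp.localhost; object-src 'none';";

console.log('posted policy allows http://myapp.localhost:', frameAncestorAllowed(POSTED_CSP, KEYCLOAK_ORIGIN, 'http://myapp.localhost'));
console.log('adjusted policy allows http://myapp.localhost:', frameAncestorAllowed(ADJUSTED_CSP, KEYCLOAK_ORIGIN, 'http://myapp.localhost'));
console.log('adjusted policy allows http://myapp.localhost:8080:', frameAncestorAllowed(ADJUSTED_CSP, KEYCLOAK_ORIGIN, 'http://myapp.localhost:8080'));
```

Run it with node. The evaluator shows that, against the header as posted, http://myapp.localhost is rejected by every source expression: 'self' is the Keycloak origin, the listed host is spelled mayapp.localhost, and the bare localhost entry inherits Keycloak's https scheme. Note that frame-ancestors on Keycloak's responses is the directive that decides whether the app may embed the login page; frame-src on Keycloak only limits what Keycloak's own pages may embed. This covers the framing policy only; the "Cookie not found" message is not something CSP governs.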