I was wondering if there is any possibility to let this authentication flow happen in the background (possibly in an iframe), so the SPA doesn’t need to be loaded twice. I am aware of the check-sso option in the onLoad parameter of the adapter’s init method, but that doesn’t enforce authentication. Using login-required does, but requires the complete redirect flow as mentioned earlier.
You can configure a silent check-sso option. With this feature enabled, your browser won’t do a full redirect to the Keycloak server and back to your application, but this action will be performed in a hidden iframe, so your application resources only need to be loaded and parsed once by the browser when the app is initialized and not again after the redirect back from Keycloak to your app. This is particularly useful in case of SPAs (Single Page Applications).
login-required will authenticate the client if the user is logged-in to Keycloak or display the login page if not.
check-sso will only authenticate the client if the user is already logged-in, if the user is not logged-in the browser will be redirected back to the application and remain unauthenticated.
So I am looking for something like a silent login-required option. If it turns out the user isn’t authenticated in the IDP yet (the other 10% of the cases), it’s ok to redirect towards the IDP and reload the SPA afterwards.
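
The flow asked for above, as an added example that is not part of the original post: run the silent check-sso in the hidden iframe first, and only start the full redirect login when no SSO session exists. It assumes `keycloak` is a keycloak-js adapter instance and that a static page is served at `/silent-check-sso.html` (an assumed path); `silentInitOptions` and `ensureAuthenticated` are hypothetical helper names.

```javascript
// Added example, not code from the original post.
// Assumption: the app serves a static page at /silent-check-sso.html that
// hands the iframe's final URL back to the parent window.

// Init options for the silent check: nothing is redirected at init time.
function silentInitOptions(origin) {
  return {
    onLoad: 'check-sso',
    silentCheckSsoRedirectUri: origin + '/silent-check-sso.html',
    pkceMethod: 'S256', // use PKCE on the authorization code flow
  };
}

// Resolves to true when the silent check found an SSO session.
// Otherwise starts the interactive login, which navigates the browser to
// Keycloak; the SPA is loaded a second time only in that case.
async function ensureAuthenticated(keycloak, origin) {
  const authenticated = await keycloak.init(silentInitOptions(origin));
  if (authenticated) {
    return true;
  }
  await keycloak.login();
  return false;
}

// Browser usage (keycloak is the adapter instance created by the app):
//   ensureAuthenticated(keycloak, window.location.origin)
//     .then((ok) => { if (ok) startApp(); });   // startApp is hypothetical
```

The silent check depends on the hidden iframe being able to send the Keycloak session cookie, so browsers that block third-party cookies will report the user as unauthenticated and take the redirect path.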