Keycloak 3rd Party Client Implementation

Hello All,

I’m very new to Keycloak (and SSO), so apologies if these are too much of a newbie question.

We have a frontend React app and a few Spring Boot APIs. We set up the React app as a ‘public’ client and the APIs as ‘bearer-only’. This was relatively easy to achieve with the JS and Spring Boot plugins, though it did require a bunch of rewriting of our Spring Security configuration.

This is where I get confused: we’d like to integrate with a 3rd party website which is also using a JS framework for the UI and Spring/Spring Boot for the APIs.

Since a full implementation like we did would be a very hard sell, could they add the JS plugin dependency but only initiate it on a specific landing page they provide for our users? Is there a better way?

For the backend, they have their own user store and we have ours. When configuring KeycloakWebSecurityConfigurerAdapter, this does require Keycloak but it’s instance agnostic, though the properties in application.yml ARE specific to an instance. This would cause any user that didn’t have a token that originated from our Keycloak instance to fail authentication. It seems they’d need to create a Keycloak proxy where our users’ requests would get channeled to, get authenticated, and do a back channel call to their main API.

Is there a better way? Can you configure two auth providers on 1 spring boot app? Am I missing something fundamental? Any advice or help would be very appreciated.

If I understood correctly, you have two separate authentication servers that want to allow login from each other.

Think about that as you and Google. You both have your user base and your authentication server, and one (you) wants to trust the other (Google), so Google users can log in to your application using their Google credentials.

This can be arranged in Keycloak using external identity providers.

In your Keycloak, you add their OpenID Connect authorization server as an external identity provider, and now their users can log in to your application.

This will work only if the 3rd party has an OpenID Connect server; if not, maybe the other way around will be easy, as Spring Security also supports external OpenID Connect authorization servers.

Hope that helps.
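The original post also asks whether one Spring Boot API can accept tokens from two auth providers. As an added example (not code from this thread or from the Keycloak adapter), the snippet below uses Spring Security’s own resource-server support rather than KeycloakWebSecurityConfigurerAdapter: a JwtIssuerAuthenticationManagerResolver trusts an explicit list of issuers, fetches each issuer’s signing keys via OpenID discovery, and rejects any token whose `iss` claim is not on that list. The two issuer URLs are assumed placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Resource-server configuration that accepts bearer JWTs from two
 * independent issuers (e.g. "our" Keycloak realm and the partner's).
 * Added example; issuer URLs are placeholders, not values from the thread.
 */
@Configuration
public class MultiIssuerResourceServerConfig {

    // Hypothetical issuer URLs. Each must serve
    // <issuer>/.well-known/openid-configuration so the resolver can
    // discover the JWKS endpoint; anything not listed here is rejected.
    private static final String OUR_ISSUER =
            "https://sso.example.com/realms/ours";
    private static final String PARTNER_ISSUER =
            "https://sso.partner.example/realms/theirs";

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        // One AuthenticationManager per trusted issuer, created lazily on
        // first use and selected by the token's "iss" claim. A token whose
        // issuer is absent from this list fails with 401 before any key
        // lookup happens, so an unknown IdP cannot mint accepted tokens.
        JwtIssuerAuthenticationManagerResolver issuerResolver =
                new JwtIssuerAuthenticationManagerResolver(OUR_ISSUER, PARTNER_ISSUER);

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 ->
                    oauth2.authenticationManagerResolver(issuerResolver));

        return http.build();
    }
}
```

Each issuer's `iss` claim must match the configured URL exactly (scheme, host and path), and the API still needs its own authorization rules, since a token being valid says nothing about which users should reach which endpoints.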

Thanks @weltonrodrigo!

That is helpful. Since we actually want to log into their system, they would need to use our auth server (keycloak) as an external identity provider.

Or would them adding us or us adding them work both ways?