Keycloak as a login portal only

Hello,

I am trying to deploy Keycloak (in front of an HAProxy server) as a login portal like this:

  • A user wants to use a service

  • He passes through HAProxy

  • No authorization header

  • HAProxy redirects the user to the Keycloak portal

  • The Keycloak portal redirects the user to the right app, on the login page of this app (which does not use any of the login capabilities of Keycloak for the login)

Is it possible? How do you handle multiple apps with the clients / realms? Is there a generic login capability with a generic URL in order to specify the realm / client and just redirect the user to the app if he has identified himself?

Thanks!

What do you mean here? Does Keycloak authenticate the user or not?

Yes, Keycloak does the authentication, but the user is redirected to the login screen of any app which uses internal authentication, without using the OpenID API, for example.

When creating clients on Keycloak, you can provide any redirect URI that suits your needs. Then, when asking Keycloak to authenticate a user, include the redirect URI as a parameter to the authentication request. Upon authentication, Keycloak will redirect the user to the provided redirect URI.

I tried this way, but does the Keycloak URI need the final application to handle the token? Because it never works. Can you provide an example URI in order to authenticate a user?

Thanks for all your answers!

It’s not really clear from your message, but I think what you are asking for is a proxy that allows access to applications based on Keycloak’s authentication (and maybe some authorization - based on roles or somesuch). The underlying applications haven’t implemented any protection like an OIDC client, but it is the proxy that is making that decision.

I’ve used an OIDC proxy to solve such an issue. Some examples are:

2 Likes
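
The authentication request with a redirect URI described earlier in the thread, together with the callback check an OIDC proxy performs, as an added example that is not part of any post here. Host names, realm, client ID and function names are constructed; the `/realms/{realm}/protocol/openid-connect/auth` path is the one used by recent Keycloak releases (older ones prefix it with `/auth`).

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders: adapt to your own realm and client.
KEYCLOAK_BASE = "https://sso.example.test"
REALM = "demo"
CLIENT_ID = "haproxy-gateway"
# Must match a valid redirect URI registered on the Keycloak client.
REDIRECT_URI = "https://app.example.test/oauth2/callback"


def build_auth_request(session: dict) -> str:
    """Return the URL the proxy sends an unauthenticated browser to."""
    session["state"] = secrets.token_urlsafe(24)  # ties the callback to this session
    session["nonce"] = secrets.token_urlsafe(24)  # compared later with the ID token's nonce
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    path = f"/realms/{REALM}/protocol/openid-connect/auth"
    return f"{KEYCLOAK_BASE}{path}?{urlencode(params)}"


def handle_callback(callback_url: str, session: dict) -> str:
    """Validate Keycloak's redirect back to us and return the authorization code."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback arrived on an unexpected URI")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"Keycloak returned an error: {query['error'][0]}")
    expected = session.pop("state", None)  # single use
    returned = query.get("state", [""])[0]
    if expected is None or not secrets.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: not a response to our request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    # The redirect carries only a code. Whoever owns REDIRECT_URI (here the proxy)
    # exchanges it at /realms/{REALM}/protocol/openid-connect/token for tokens.
    return code
```

An application that only has its own login form never performs the exchange in the last step, so the component that owns the redirect URI has to be the one that completes the flow and decides on access.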

Hello,

Yes, exactly! I thought that Keycloak could do that…
I’ll try what you suggested, thanks a lot!