Keycloak authenticator SPI custom response headers

I have implemented an access-token-authenticator SPI for the browser flow within the Keycloak server. This authenticator SPI will challenge the user to provide an access_token to log in. Intended use-case:

  • Two applications, APP1 and APP2, interact with each other.
  • APP1 uses Keycloak; however, APP2 uses its own authentication.
  • Users of APP2 are created in APP1's Keycloak instance with a system-generated default password that is not shared with anyone (the intention is never to let that user log in to APP1 directly).
  • APP2 uses an iframe to launch a web page of APP1 for a user.
  • The Keycloak access-token-authenticator SPI challenges that request with a new login form that accepts an access_token.
  • APP2 gets an access_token from APP1's Keycloak instance (APP2 is registered as a client and can impersonate users).
  • APP2 sets that access_token in the form and submits it.
  • The access-token-authenticator SPI validates the token and, on success, creates a UserModel for that token, granting access to the requested resource in APP1.

This flow works fine; however, I needed to make a change in the realm's security defenses:

  • X-Frame-Options was set to blank.
  • Content-Security-Policy: removed frame-ancestors 'self'.

I was wondering whether it is safe to remove those response headers. If not, is there any way to limit these response headers to just this custom access-token-authenticator SPI?

NOTE: I tried adding those response headers to the challenge Response object; however, they were overwritten by the realm settings when present.
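A check of what the realm-level header change means in the browser, added here as an example and not taken from the question or from Keycloak's code: the script evaluates X-Frame-Options and the CSP frame-ancestors directive the way a browser does and reports which origins may frame the login page under Keycloak's stock headers, under the weakened headers described in the question, and under a narrowed alternative that names only APP2's origin. The origins keycloak.app1.example.com, app2.example.com and third-party.example.net, and the header sets built from them, are assumptions constructed for the example.

```javascript
// Added example (not from the question, not Keycloak code). It models the
// browser-side decision that the two realm headers control: may a page served
// from pageOrigin be embedded in a frame by a document at embedderOrigin?
// The origins and header sets below are constructed for illustration.

const DEFAULT_PORTS = { http: "80", https: "443" };

function splitOrigin(origin) {
  // URL drops default ports, so restore them to make port comparison uniform.
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORTS[scheme] || "" };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function header(headers, name) {
  // Case-insensitive header lookup; a missing header reads as an empty string.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? "" : headers[key];
}

function frameAncestorsSources(csp) {
  // Source list of the frame-ancestors directive, or null when the policy has
  // no such directive (the state the question's realm change produces).
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function schemeMatches(expected, actual) {
  // CSP lets an http source be satisfied by https, never the other way round.
  return expected === actual || (expected === "http" && actual === "https");
}

function hostSourceMatches(source, page, embedder) {
  // Match a scheme-source (https:) or host-source ([scheme://]host[:port])
  // against the embedder origin: scheme, then host (with *. wildcard), then port.
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) {
    return schemeMatches(source.slice(0, -1), embedder.scheme);
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\*|\d+))?(?:\/.*)?$/.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (!schemeMatches(scheme || page.scheme, embedder.scheme)) return false;
  if (host === "*") {
    // bare wildcard matches any host; only the port check remains
  } else if (host.startsWith("*.")) {
    if (!embedder.host.endsWith(host.slice(1))) return false;
  } else if (host !== embedder.host) {
    return false;
  }
  if (port === "*") return true;
  if (port === undefined) return embedder.port === DEFAULT_PORTS[embedder.scheme];
  return port === embedder.port;
}

function canBeFramed(headers, pageOrigin, embedderOrigin) {
  const page = splitOrigin(pageOrigin);
  const embedder = splitOrigin(embedderOrigin);
  const sources = frameAncestorsSources(header(headers, "content-security-policy"));
  if (sources !== null) {
    // A frame-ancestors directive takes precedence over X-Frame-Options;
    // 'none' matches nothing, 'self' matches the page's own origin.
    return sources.some((s) =>
      s === "'none'" ? false : s === "'self'" ? sameOrigin(page, embedder) : hostSourceMatches(s, page, embedder));
  }
  // Without frame-ancestors only X-Frame-Options applies. An empty or missing
  // value, as in the question, imposes no restriction; ALLOW-FROM is obsolete
  // and ignored by current browsers, so it cannot be used to admit APP2.
  const xfo = header(headers, "x-frame-options").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return sameOrigin(page, embedder);
  return true;
}

const KEYCLOAK = "https://keycloak.app1.example.com"; // assumed origin of APP1's Keycloak
const APP2 = "https://app2.example.com";               // assumed origin of APP2
const OTHER = "https://third-party.example.net";       // any unrelated site

// Constructed realm header sets: Keycloak's stock defaults, the weakened set
// the question describes, and a narrowed set that admits only APP2.
const POLICIES = {
  keycloakDefault: {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
  },
  weakened: {
    "X-Frame-Options": "",
    "Content-Security-Policy": "frame-src 'self'; object-src 'none';",
  },
  narrowed: {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": `frame-src 'self'; frame-ancestors 'self' ${APP2}; object-src 'none';`,
  },
};

function auditPolicy(headers) {
  return {
    self: canBeFramed(headers, KEYCLOAK, KEYCLOAK),
    app2: canBeFramed(headers, KEYCLOAK, APP2),
    other: canBeFramed(headers, KEYCLOAK, OTHER),
  };
}

for (const [name, headers] of Object.entries(POLICIES)) {
  console.log(name, auditPolicy(headers));
}
```

Run it with node. The weakened set lets every origin, not only APP2, frame the page that accepts the access_token; the narrowed set keeps that page embeddable by APP2 and by Keycloak itself while refusing every other site. X-Frame-Options cannot name a single third-party origin (ALLOW-FROM is obsolete), so a frame-ancestors list that includes APP2's origin is the header-level way to admit APP2 without dropping the defence altogether; keeping X-Frame-Options at SAMEORIGIN alongside it only affects browsers that do not process frame-ancestors, because where both are present the CSP directive wins.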