I have implemented an access-token-authenticator SPI for the browser flow within the Keycloak server. This authenticator SPI will challenge the user to provide an access_token to log in. Intended use case:
- Two applications APP1 and APP2 interact with each other.
- APP1 uses keycloak, however APP2 uses its own authentication.
- Users of APP2 are created in APP1's Keycloak instance with a system-generated default password, not shared with anyone (the intention is never to let that user log in to APP1 directly).
- APP2 uses an iframe to launch a web page of APP1 for a user.
- The Keycloak access-token-authenticator SPI challenges that request with a new login form that accepts an access_token.
- APP2 gets an access_token from APP1's Keycloak instance (APP2 is registered as a client and can impersonate users).
- APP2 sets that access_token in the form and submits it.
- The access-token-authenticator SPI validates the token and, on success, creates a UserModel for that token, granting access to the requested resource in APP1.
This flow works fine; however, I needed to make a change in the realm security defenses:
- X-Frame-Options was set to blank.
- Content-Security-Policy: removed frame-ancestors 'self'.
I was wondering if it is a safe implementation to remove those response headers? If not, is there any way to limit these response headers to just this custom access-token-authenticator SPI?
NOTE: I tried adding those response headers in the challenge response object; however, they were overwritten by the realm settings when present.
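To make the framing question concrete, here is an added example (not part of the post above, and not Keycloak code) that evaluates a Content-Security-Policy `frame-ancestors` directive against an embedding origin, following the CSP source-matching rules. It compares the post's modified policy (directive removed) with a policy that keeps the directive but lists the embedding application explicitly; the origins `https://app1.example` and `https://app2.example` are assumed placeholders for APP1 and APP2.

```python
"""Check whether a CSP frame-ancestors directive permits a given embedder.

Supports 'none', 'self', scheme-sources (https:) and host-sources with an
optional scheme, wildcard host label and port.  The policies and origins
below are constructed for illustration; only "frame-ancestors 'self'" comes
from the post, the rest are assumed values for APP1 / APP2.
"""
from urllib.parse import urlsplit

_DEFAULT_PORT = {"https": 443, "http": 80}

def _origin_parts(origin: str):
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORT.get(scheme)

def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):                      # *.example matches a.example, not example
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def frame_ancestors_allows(policy: str, page_origin: str, embedder_origin: str) -> bool:
    """True if a page served from page_origin with `policy` may be framed by embedder_origin."""
    directives = {}
    for d in policy.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("frame-ancestors")
    if sources is None:
        return True                                   # directive absent: CSP places no framing limit
    p_scheme = _origin_parts(page_origin)[0]
    e_scheme, e_host, e_port = _origin_parts(embedder_origin)
    for s in (src.lower() for src in sources):
        if s == "'none'":
            return False
        if s == "'self'":
            if _origin_parts(page_origin) == (e_scheme, e_host, e_port):
                return True
            continue
        if s.endswith(":") and "/" not in s:          # scheme-source, e.g. https:
            if e_scheme == s[:-1]:
                return True
            continue
        scheme, rest = s.split("://", 1) if "://" in s else (p_scheme, s)
        host, _, port = rest.partition(":")
        expected_port = e_port if port == "*" else (int(port) if port else _DEFAULT_PORT.get(scheme))
        if scheme == e_scheme and _host_matches(host, e_host) and expected_port == e_port:
            return True
    return False

APP1 = "https://app1.example"                                       # assumed origin of APP1
REMOVED_POLICY = "frame-src 'self'; object-src 'none';"             # post's change: directive dropped
SCOPED_POLICY = "frame-src 'self'; frame-ancestors 'self' https://app2.example; object-src 'none';"

def framing_outcome(embedder: str) -> dict:
    """Compare both policies for one embedding origin."""
    return {"removed": frame_ancestors_allows(REMOVED_POLICY, APP1, embedder),
            "scoped": frame_ancestors_allows(SCOPED_POLICY, APP1, embedder)}
```

With the directive removed, any origin may frame APP1's login page, whereas the scoped policy still admits APP2 while refusing other origins, an HTTP-only variant of APP2, and an attacker-controlled site.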