Link with a Token


I’m displaying a web app inside of a desktop app. Is there a way for me to pass an access and/or refresh token to the web app via a link? I’d like to start the desktop app, open up an embedded browser, route to Keycloak, and return to the web app after the token is verified.


You can set up a web server in your app and redirect users back to it.

Something like http://localhost:9090/callback, and just get the code from the request.

Thanks for replying. What would /callback do? Set something and then redirect back to the app? I have a URL for the app, an access token, and a refresh token on the desktop side.

If you can point users to Keycloak via an embedded browser, you can redirect back to your webapp. The problem is the URL: it must be a valid URL for Keycloak to accept it.

So, is your webapp accessible via a valid URL? If not, you need a way to receive the redirection by Keycloak, get the token and pass it to the web app.

Do your desktop app and webapp communicate in any way? Can you set a variable in the webapp from the desktop app? If so, you get the token via desktop app and set it as a variable in the webapp.

You can also use direct grant if necessary. This is not fully protocol compliant, but it's a valid solution.

What would setting the variable look like? Is it a cookie, localStorage, URL QUERY_STRING, form parameter, etc.? The webapp is using keycloak-js 15.0.2.

Can you do something like

And have the Keycloak set everything and redirect to the app?


I believe you should take a deeper look into how OIDC works. I found this page, which seems nice: An Illustrated Guide to OAuth and OpenID Connect | Okta Developer

That’s a great resource, but I don’t see my answer there. I’ve been using KC for about a year and have read up on the specs and Okta articles. My deployments are working fine in the normal flows (OAuth 2.0, external IdP).

I’ve seen what I’m looking for referred to as a “magic link”. I’m hazy on what such a link would look like. Where I’m having difficulty is in starting the fresh browser and seeding the redirects with an access or refresh token.

Thanks again,

I reread your first post and figured I’m not sure what you are trying to achieve.

You have a desktop app, which runs an embedded web app.

You need to log in users both in the embedded web app and the desktop app against a user database, using Keycloak as an OIDC provider.

Does the desktop app need to authenticate the user too? Or just the webapp?

If it’s just the webapp, you can do the authentication flow inside the webapp.

If it’s both, you have two options:

  1. Can the desktop app and the webapp exchange information?

If positive, you can do the authentication (and obtain an access token) in either the desktop or the webapp and later exchange the access token via the means available.

  2. There is no way for the desktop app to pass information to the webapp or vice versa.

I can’t see any other option apart from doing the authentication flow twice with users entering credentials twice.

Is option 1 possible? Can you think of any way to pass information between the apps?

I control both ends and can pass along anything when starting the webapp.

In my deployments today, the desktop successfully uses the Java adapter KeycloakInstalled. The webapp successfully uses the JavaScript adapter keycloak-js. Users can log in to Keycloak or any other IdP that’s been configured.

When the same browser is used for the desktop login and the webapp, the usual redirect mechanisms work. For instance, when I log on with the desktop app, a browser interfaces with Keycloak. If I go over to the webapp, the localStorage items are recognized and I don’t need to re-login.

The challenge for me today is to use a wholly fresh browser.

I think my solution will involve crafting a URL so that I bring up this empty browser with a URL that sets all the Keycloak variables and then redirects to the webapp.

Can I put something like this in the browser and have keycloak-js set everything up correctly?


Got it.

What you need is to either not use keycloak.js and just use the access token obtained from the desktop app when calling your API (and dealing yourself with token expiry, etc. on the webapp).

Or you can create a custom adapter for keycloak.js where the login function is actually some JavaScript to set the access token obtained from the desktop. Other adapter functions can be left as default.

In both cases, I don’t believe passing the access_token from desktop to webapp via URL is a good idea (as the access token is just a sort of “over complex user password”). If both desktop and webapp share a backend API, you can build an endpoint to securely share that information.

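Added example, not part of the thread and not Keycloak or keycloak-js code: one way the shared-backend endpoint suggested above could work, so that the link carries a short-lived, single-use opaque code instead of the access token itself. `HandoffStore`, `launchUrl`, `codeFromUrl` and the `handoff` parameter are hypothetical names, and the store is an in-memory stand-in for the shared backend.

```javascript
const crypto = require('crypto');

// Backend side (assumed shared API). The desktop app calls issue() over its
// already-authenticated channel; the webapp calls redeem() once after launch.
class HandoffStore {
  constructor({ ttlMs = 30000, now = Date.now } = {}) {
    this.ttlMs = ttlMs;
    this.now = now;               // injectable clock so expiry can be tested
    this.entries = new Map();     // sha256(code) -> { tokens, expiresAt }
  }

  static digest(code) {
    // Only a hash of the code is kept, so a dump of the store yields no usable codes.
    return crypto.createHash('sha256').update(code).digest('hex');
  }

  issue(tokens) {
    const code = crypto.randomBytes(32).toString('hex'); // 256-bit, URL-safe
    this.entries.set(HandoffStore.digest(code), {
      tokens,
      expiresAt: this.now() + this.ttlMs,
    });
    return code;
  }

  redeem(code) {
    if (typeof code !== 'string') return null;
    const key = HandoffStore.digest(code);
    const entry = this.entries.get(key);
    if (!entry) return null;
    this.entries.delete(key);     // single use: burned even if already expired
    return entry.expiresAt >= this.now() ? entry.tokens : null;
  }
}

// Desktop side: put the code in the fragment, which the browser does not send
// to servers or include in Referer headers.
function launchUrl(webappBase, code) {
  const url = new URL(webappBase);
  url.hash = 'handoff=' + code;
  return url.toString();
}

// Webapp side: read the code back out of the launch URL before redeeming it.
function codeFromUrl(href) {
  return new URLSearchParams(new URL(href).hash.slice(1)).get('handoff');
}
```

A leaked or replayed link is useless once the code has been redeemed or the TTL has passed, which is the property a raw access token in the URL lacks.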


It sounds like I’ll need something custom. I was hoping there was something off-the-shelf for this but I have all kinds of sessions and tokens that I can use to set up my SPA.