A customer has come to us with a flow that does not fit into the usual mould, and I’m not sure how to securely achieve the desired result.
- User’s browser requests access to our system (outside our control).
- Customer’s API posts XML to our API server (can be trusted).
- Our API server creates a new user in Keycloak (no issue here).
- Our API needs to return XML with a URL to redirect the user to (no issue here).
- User’s browser is redirected to the URL (outside my control).
At this point I need the user to be logged into our Angular frontend, without displaying the Keycloak login page.
I’m a little bit stumped on how to approach this; any advice on how to achieve this would be appreciated.