Logging in a user from an external system

A customer has come to us with a flow that does not fit into the usual mould, and I’m not sure how to securely achieve the desired result.

  • User's browser requests access to our system (outside our control).
  • Customer's API posts XML to our API server (can be trusted).
  • Our API server creates a new user in Keycloak (no issue here).
  • Our API needs to return XML with a URL to redirect the user to (no issue here).
  • User's browser is redirected to the URL (outside my control).

At this point I need the user to be logged into our Angular frontend, without displaying the Keycloak login page.

I’m a little bit stumped on how to approach this; any advice on how to achieve this would be appreciated.

The best way I can think of would be to use the Action Token SPI to create and return a URL to the user that will automatically log the user in and redirect them to the right place within the application. This will redirect to Keycloak to check the action token, and then redirect back to whatever URL you specify. Assuming the action token is valid, the user will not be prompted to log in.
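As an added illustration (not code from this thread and not Keycloak's own Action Token SPI, which is Java and uses the realm's signing keys and authentication sessions), here is a Python stand-in for the properties a login-by-URL token has to have for this flow to be safe: signed, bound to the user, short-lived, single-use, and carrying a redirect target that is checked against an allow-list before the user is logged in without a prompt. The signing key, base URL and endpoint path are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: in Keycloak the realm key signs the token.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
KEYCLOAK_BASE = "https://sso.example.test/realms/demo"
TOKEN_TTL_SECONDS = 120

_used_nonces = set()  # single-use registry; Keycloak ties this to the auth session instead

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_login_url(user_id: str, redirect_uri: str, now: Optional[float] = None) -> str:
    """Build the URL the API returns in its XML: one signed, short-lived, single-use token."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "exp": int(now) + TOKEN_TTL_SECONDS,
               "nonce": secrets.token_hex(16), "redirect_uri": redirect_uri}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{KEYCLOAK_BASE}/login-actions/action-token?" + urlencode({"key": f"{body}.{sig}"})

def consume_login_url(url: str, allowed_redirects: set, now: Optional[float] = None) -> dict:
    """The checks the action-token endpoint must pass before logging the user in silently."""
    now = time.time() if now is None else now
    key = parse_qs(urlparse(url).query).get("key", [""])[0]
    body, _, sig = key.partition(".")
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # reject anything not issued by our key
        return {"ok": False, "reason": "bad signature"}
    payload = json.loads(_unb64(body))
    if payload["exp"] < now:                      # short lifetime limits a leaked URL
        return {"ok": False, "reason": "expired"}
    if payload["nonce"] in _used_nonces:          # a login URL must work exactly once
        return {"ok": False, "reason": "replayed"}
    if payload["redirect_uri"] not in allowed_redirects:  # never an open redirect
        return {"ok": False, "reason": "redirect not allowed"}
    _used_nonces.add(payload["nonce"])
    return {"ok": True, "user_id": payload["sub"], "redirect_to": payload["redirect_uri"]}
```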