I have a following setup:
JS frontend => Node backend => Keycloak
Node backend exposes api and uses bearer-only keycloak client = node-api
JS frontend uses regular keycloak client = js-client
When page on the frontend requests a secure endpoint from backend (secured with keycloak.checkSso()), backend responds with 302 and a url to authenticate the client. Problem is, that url is created for
node-api, so it results in
Bearer-only applications are not allowed to initiate browser login.
What I would like to have:
if frontend page requests a secure endpoint and user is not logged in, api should respond with 302 and keycloak js adapter should then handle this by creating a proper login URL relevant for
js-client, login the user and then refresh the page, getting access to secure endpoint.
I know there is a way to check in js-adapter if keycloak user is authenticated and then redirect, but it would be much more flexible to handle in API which of the endpoints require user authentication. This would also cover the case when different endpoints are accessible by users with different roles.
Any ideas or tips?