Ok, bear with me, because this might sound a little strange.
Scenario
I got Keycloak as my authorization server and client A & client B. Client A uses Keycloak regularly as OIDC Provider in most cases. But, in a certain scenario I want the following to happen within an authorization code flow:
1. Client A redirects the user agent to the Keycloak auth endpoint to get an authorization code.
2. The user isn't logged in, so he has to perform a form (or other) login.
3. Now, before client A's redirect URI is called with the code parameter, I want to:
3.1 Redirect the user to client B
3.2 Client B performs its own complete OIDC flow to log the user in there. Since the user should already be logged in in Keycloak, there shouldn't be another login prompt.
3.3 The user performs a single action in client B
3.4 The user is redirected back to Keycloak; Keycloak creates the authorization code for client A
4. Client A's redirect_uri is finally called with the authorization code.
5. The initial authorization code flow is finished normally.
What I looked at
The most crucial step is calling client B post user login. I looked at 2 options:
1. Add a custom Authenticator to the end of the Browser flow and redirect via context.challenge(Response).
The problem here is that the redirect is part of the Browser flow, so the user login is actually not finished before the redirect.
Little side note: if you move the whole default Browser flow into a sub-flow, browser login instantly crashes, which doesn't particularly help.
2. I had a look at EventType.LOGIN in an EventListener. This way I can catch a login quite cleanly.
The problem here is that this seems completely decoupled from HTTP communication, so I have no idea how to trigger a redirect from here, if at all possible.
Question
Can you advise me on how to achieve a post-login redirect in the given scenario? Or is the whole scenario too convoluted to begin with and I should look for a different approach altogether?
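For readers who want to see what the first option (a custom Authenticator at the end of the Browser flow that redirects via context.challenge) looks like as code, the following is an added example, not code from the post or from Keycloak. It assumes Keycloak 22 or later (jakarta namespace), a hypothetical Client B entry point, and that a GET on the execution's action URL is handled by Keycloak's login-actions endpoint as an action request. The AuthenticatorFactory and META-INF/services registration needed to plug it into a flow are not shown.

```java
// Added example (not from the post): a Keycloak Authenticator placed at the
// end of the Browser flow that sends the browser to Client B and resumes the
// flow when Client B sends it back. Assumes Keycloak 22+ (jakarta namespace);
// the Client B URL is hypothetical. The AuthenticatorFactory and the
// META-INF/services entry that register it are not shown.
import java.net.URI;

import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

public class ClientBDetourAuthenticator implements Authenticator {

    // Auth note recording whether this authentication session has been sent
    // to Client B ("sent") or has already come back ("done"), so a repeated
    // pass through authenticate() (browser refresh) does not bounce again.
    private static final String DETOUR_NOTE = "clientB.detour";

    // Hypothetical Client B entry point (assumption, not a real URL).
    private static final String CLIENT_B_START = "https://client-b.example/detour/start";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();

        if ("done".equals(authSession.getAuthNote(DETOUR_NOTE))) {
            context.success();
            return;
        }

        // The action URL carries session_code/execution/tab_id bound to THIS
        // authentication session. Client B should treat it as an opaque value
        // and only redirect the browser back to it when it is finished;
        // Keycloak validates the code before action() is invoked.
        String code = context.generateAccessCode();
        URI returnUrl = context.getActionUrl(code);

        authSession.setAuthNote(DETOUR_NOTE, "sent");

        URI clientB = UriBuilder.fromUri(CLIENT_B_START)
                .queryParam("return_to", returnUrl.toString())
                .build();

        // challenge() halts the flow and renders this response; the flow
        // resumes in action() once the browser hits the action URL.
        context.challenge(Response.seeOther(clientB).build());
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();
        if (!"sent".equals(authSession.getAuthNote(DETOUR_NOTE))) {
            // This session was never sent to Client B: do not let an
            // unsolicited request to the action URL complete the step.
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }
        authSession.setAuthNote(DETOUR_NOTE, "done");
        context.success();
    }

    @Override
    public boolean requiresUser() {
        // Must run after the user is identified, i.e. after the username/
        // password (or other) authenticators earlier in the Browser flow.
        return true;
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // nothing to set up
    }

    @Override
    public void close() {
        // no resources to release
    }
}
```

Two things worth noting. First, this only shows the mechanics of leaving the flow and coming back: the Keycloak SSO session and cookie are created when the whole flow succeeds, so at the moment of the detour the user is still not logged in at Keycloak, which is exactly the problem the post describes for step 3.2. Second, Client B should validate that the return_to it receives points at the Keycloak host before redirecting to it, otherwise that parameter becomes an open redirect in Client B.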