Post-login redirect

Ok, bear with me, because this might sound a little strange.

I have Keycloak as my authorization server and two clients, client A and client B. Client A uses Keycloak regularly as its OIDC provider in most cases. But in a certain scenario I want the following to happen within an authorization code flow:
  1. Client A redirects the user agent to the Keycloak auth endpoint to get an authorization code.
  2. The user isn’t logged in, so he has to perform a form (or other) login.
  3. Now, before client A’s redirect URI is called with the code parameter, I want to:
    3.1 Redirect the user to client B.
    3.2 Client B performs its own complete OIDC flow to log the user in there.
    Since the user should already be logged in to Keycloak, there shouldn’t be another login prompt.
    3.3 The user performs a single action in client B.
    3.4 The user is redirected back to Keycloak.
  4. Keycloak creates the authorization code for client A.
  5. Client A’s redirect_uri is finally called with the authorization code.
  6. The initial authorization code flow finishes normally.

What I looked at

The most crucial step is calling client B post user login. I looked at 2 options:
  1. Add a custom Authenticator to the end of the Browser flow and redirect via context.challenge(Response).
    The problem here is that the redirect is part of the Browser flow, so the user login is actually not finished before the redirect.
    Little side note: if you move the whole default Browser flow into a sub-flow, browser login instantly crashes, which doesn’t particularly help.
  2. I had a look at EventType.LOGIN in an EventListener. This way I can catch a login quite cleanly.
    The problem here is that this seems completely decoupled from HTTP communication, so I have no idea how to trigger a redirect from here, if that is at all possible.


Can you advise me on how to achieve a post-login redirect in the given scenario?

Or is the whole scenario too convoluted to begin with, and should I look for a different approach altogether?
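As an added illustration (example code, not from the post or from the Keycloak project), here is what option 1 above looks like as a minimal Keycloak Authenticator: placed last in the Browser flow, it marks the authentication session, challenges with a redirect to client B, and hands client B a return URL that points back into this very flow execution. When the browser comes back on that URL, the second pass finds the note and calls context.success(), so the flow continues to issue client A's code. Everything not in the post is an assumption: the package name, the provider id, the auth-note name, the client B entry URL and the `return_to` parameter name are placeholders, and the imports target Keycloak versions that still use javax.ws.rs. The poster's objection stands unchanged: context.success() is only reached after the return, so while the user is at client B there is no Keycloak SSO session yet and client B's own OIDC login would prompt again.

```java
package example.keycloak;  // placeholder package, not from the post

import java.net.URI;
import java.util.List;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.sessions.AuthenticationSessionModel;

/** Example authenticator for "option 1": redirect to client B once, then resume the flow. */
public class ClientBDetourAuthenticator implements Authenticator {

    // Auth-session note recording that the detour already happened (assumed name).
    static final String NOTE_DETOUR_DONE = "client-b-detour-done";
    // Placeholder for client B's entry point (assumption, not from the post).
    static final String CLIENT_B_ENTRY_URL = "https://client-b.example/detour";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();

        // Second pass: the browser came back via the action URL, so let the flow finish.
        if ("true".equals(authSession.getAuthNote(NOTE_DETOUR_DONE))) {
            context.success();
            return;
        }

        // First pass: mark the detour in the auth session and send the browser to client B.
        authSession.setAuthNote(NOTE_DETOUR_DONE, "true");

        // URL back into this flow execution. Keycloak checks session_code, execution,
        // client_id and tab_id when it is hit, so the return is bound to this auth session.
        URI returnUrl = context.getActionUrl(context.generateAccessCode());
        URI target = UriBuilder.fromUri(CLIENT_B_ENTRY_URL)
                .queryParam("return_to", returnUrl.toString())  // assumed parameter name
                .build();
        context.challenge(Response.seeOther(target).build());
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // If Keycloak treats the return as an action request, the outcome is the same.
        authenticate(context);
    }

    @Override public boolean requiresUser() { return true; }  // runs after the user is identified
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    /** Factory so the execution can be added to the Browser flow in the admin console. */
    public static class Factory implements AuthenticatorFactory {
        static final String ID = "client-b-detour";  // placeholder provider id
        private static final ClientBDetourAuthenticator SINGLETON = new ClientBDetourAuthenticator();

        @Override public String getId() { return ID; }
        @Override public String getDisplayType() { return "Client B detour (example)"; }
        @Override public String getReferenceCategory() { return null; }
        @Override public boolean isConfigurable() { return false; }
        @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
            return new AuthenticationExecutionModel.Requirement[] {
                AuthenticationExecutionModel.Requirement.REQUIRED,
                AuthenticationExecutionModel.Requirement.DISABLED };
        }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() {
            return "Redirects to client B once after primary login, then resumes the flow.";
        }
        @Override public List<ProviderConfigProperty> getConfigProperties() { return List.of(); }
        @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

To deploy it, the factory class is listed in META-INF/services/org.keycloak.authentication.AuthenticatorFactory and the execution is added as REQUIRED at the end of a copy of the Browser flow. Two design points matter on the client B side: it should only honour `return_to` values that point at the Keycloak host (an unchecked redirect parameter is an open redirect), and it cannot use the detour to skip its own authorization checks for the "single action", because nothing in this exchange proves the user to client B other than its own OIDC login.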