Re-create cookies?

Hi there,

We have a web app, a learning management system - LMS. We use Keycloak to authenticate using OIDC and SAML. I realized that if I get rid of my browser cookie for the LMS and keep the Keycloak cookies, I can launch my LMS and, because it has the Keycloak token in the LMS' database, the LMS can show its home page without needing to re-authenticate with Keycloak; it re-authenticates the user without the Keycloak login page.

So far so good, but my end goal is to be able to re-create the Keycloak cookies somehow.

I mean, we are working on a mobile app, so my idea is that after the user gets into our LMS home page (via direct login or coming back from SAML) on a regular mobile browser, I want to be able to grab "somehow" the session/token of that user and launch it in another browser ("webView on native mobile app", similar to opening an entirely new browser, I guess), having a URL where I can take the user to my LMS home page using an entirely different browser that won't have the Keycloak or LMS cookies/tokens.

Then, in my LMS system, I have in my database: idToken, refreshToken, token. I wonder if, using that data, I can have a URL to pass to Keycloak on a brand new browser with no cookies yet, and Keycloak will authenticate the tokens, generate the Keycloak cookies, then redirect to my LMS home page where the user would be authenticated?

Any advice?

You should first read up on how OIDC and SAML work. Neither needs cookies. And you should not store tokens in a db; they should be passed from the frontend on each request to the backend.

For OIDC:

client app requests login
→ redirect to keycloak
→ user logs in to keycloak (only here are the keycloak cookies used)
→ keycloak redirect to client with initial token
→ client uses initial token to get access/refresh tokens
→ these are kept locally in client
→ on each request to backend the accessToken is passed in the http header
→ backend evaluates the token (either by calling back to keycloak with the token or by verifying the token itself) and grants/denies access

SAML uses a similar flow (but with XML documents instead of JSON Web Tokens (JWT)).
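The OIDC steps listed in the reply above, driven end to end as an added example (this is not code from the reply's author, from Keycloak or from the LMS in question). It plays all three parties in one process: the authorization server hands out a one-time code after login, the client exchanges that code for an access token and keeps it in memory, and the backend verifies the bearer token locally on each request. It goes slightly beyond the reply by binding the code with `state` and PKCE, which is what stops a code captured from a redirect being redeemed elsewhere. Everything here is constructed: the issuer URL, client id and redirect URI are placeholders, and the token is signed with HS256 under a shared secret as a stand-in for the RS256 key a real Keycloak realm publishes.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed placeholders; a real deployment reads these from the Keycloak realm.
ISSUER = "https://keycloak.example/realms/lms"
CLIENT_ID = "lms-web"
SIGNING_SECRET = b"constructed-hs256-secret"   # stand-in for Keycloak's RS256 key pair

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    """Stand-in for Keycloak minting a signed access token (HS256 here, RS256 in Keycloak)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

# --- authorization server (stand-in for Keycloak) ---------------------------------
_issued_codes = {}   # code -> (client_id, redirect_uri, code_challenge, subject)

def authorize(params: dict, logged_in_user: str) -> str:
    """'user logs in to keycloak': this is where Keycloak's own cookie would be set.
    Returns the redirect back to the client carrying a one-time code."""
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = (params["client_id"], params["redirect_uri"],
                           params["code_challenge"], logged_in_user)
    return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

def token_endpoint(code: str, code_verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Exchange the code for tokens. The code is consumed, so it cannot be redeemed twice."""
    entry = _issued_codes.pop(code, None)
    if entry is None:
        raise PermissionError("unknown or already-used code")
    saved_client, saved_redirect, challenge, subject = entry
    expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
    if saved_client != client_id or saved_redirect != redirect_uri \
            or not hmac.compare_digest(expected, challenge):
        raise PermissionError("PKCE / client binding check failed")
    now = int(time.time())
    access = sign_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": subject, "iat": now, "exp": now + 300})
    return {"access_token": access, "token_type": "Bearer", "expires_in": 300}

# --- client (browser or mobile app) --------------------------------------------------
def start_login(redirect_uri: str):
    """Build the authorization request; state and PKCE verifier never leave the client."""
    verifier = secrets.token_urlsafe(48)
    local = {"state": secrets.token_urlsafe(16), "code_verifier": verifier, "redirect_uri": redirect_uri}
    request = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
        "scope": "openid", "state": local["state"],
        "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
        "code_challenge_method": "S256",
    }
    return request, local

def handle_callback(redirect_url: str, local: dict) -> dict:
    """Check state, then redeem the code. Tokens stay in client memory, not in a database."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != local["state"]:
        raise PermissionError("state mismatch")
    return token_endpoint(q["code"][0], local["code_verifier"], CLIENT_ID, local["redirect_uri"])

# --- resource server (LMS backend) ---------------------------------------------------
def backend_check(authorization_header: str, now=None) -> dict:
    """Verify signature, algorithm, issuer, audience and expiry of the bearer token locally."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise PermissionError("malformed Authorization header")
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")   # never trust the alg the token names
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID or claims.get("exp", 0) <= now:
        raise PermissionError("claims check failed")
    return claims

def run_flow(user: str = "alice") -> dict:
    """Drive the whole exchange and return the claims the backend accepted."""
    request, local = start_login("https://lms.example/callback")
    redirect_back = authorize(request, logged_in_user=user)      # user authenticates at Keycloak
    tokens = handle_callback(redirect_back, local)               # client redeems the code
    return backend_check("Bearer " + tokens["access_token"])     # backend checks each request

if __name__ == "__main__":
    print(run_flow())
```

Note what the backend needs to accept a request: only the bearer token and the issuer's signing key, never a cookie or a database row. That is why the tokens the question describes storing in the LMS database cannot be turned back into a Keycloak browser session; the session cookie is state held by Keycloak alone, and a second browser gets one by going through `authorize` again.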