Hi! I have the following use case:
Keycloak instance up and running, working fine with openid-connect and my SPA.
Providing a form inside an iframe to third parties, which should use a bearer token to post content to my service.
I do not want the third party websites to have a) access to user credentials b) the bearer token.
First naive approach:
1.) On third party website, load form inside iframe.
2.) Open pop-up with keycloak login, provide redirect_url to some first-party page.
3.) On successful login, close pop-up and return bearer token to the iframe (window.opener) on the third party website.
4.) Use bearer token to post to my service.
a) The process would not allow for token refreshes.
b) Are iframes secure enough to shield the bearer token from access by the parent, third party website?
c) Exposing a redirect target which returns a bearer token to the (any) window.opener seems crazy.
1.) What is the best-practice way to authenticate inside an iframe on a third-party website without exposing either credentials or tokens?
2.) Do I have some grave errors in my thought process?
Thank you for your input!
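As an added illustration of concerns b) and c) above (example code written for this reply, not taken from the original post or from Keycloak): the popup-to-iframe handoff in step 3 can be constrained so that the token is only ever delivered to a first-party origin. The popup passes an explicit `targetOrigin` to `postMessage`, so a third-party `window.opener` simply never receives the message, and the receiving frame checks `event.origin` and `event.source` before trusting anything. The origin `https://app.example` and the small `fakeWindow` stand-in (which records messages so the logic can run under Node) are assumptions for the example.

```javascript
// Added example: origin-constrained token handoff between a Keycloak login
// popup and the first-party iframe that opened it. Not from the original post.

const FIRST_PARTY_ORIGIN = "https://app.example"; // assumed first-party origin

// Popup side (step 3 of the naive flow): send the token ONLY to the first-party
// origin. A browser drops a postMessage whose targetOrigin does not match the
// receiver's origin, so a third-party opener gets nothing; the popup never has
// to inspect opener.origin (which it could not read cross-origin anyway).
function sendTokenToOpener(opener, token) {
  if (!opener) return false;
  opener.postMessage({ type: "token", token }, FIRST_PARTY_ORIGIN);
  return true;
}

// Receiving side (the first-party iframe): accept a token message only if it
// comes from the first-party origin AND from the popup window we opened.
// Everything else (including the embedding third-party page) is ignored.
function acceptTokenMessage(event, expectedSource) {
  if (event.origin !== FIRST_PARTY_ORIGIN) return null;
  if (expectedSource && event.source !== expectedSource) return null;
  const data = event.data;
  if (!data || data.type !== "token" || typeof data.token !== "string") return null;
  return data.token;
}

// Minimal stand-in for a browser window (assumption for running under Node).
// It emulates the targetOrigin check of postMessage by recording a message
// only when the targetOrigin matches its own origin.
function fakeWindow(origin) {
  const received = [];
  return {
    origin,
    received,
    postMessage(data, targetOrigin) {
      if (targetOrigin === "*" || targetOrigin === origin) received.push(data);
    },
  };
}

// Usage: a third-party opener receives nothing, a first-party opener does.
const thirdParty = fakeWindow("https://third-party.example"); // constructed
const firstParty = fakeWindow(FIRST_PARTY_ORIGIN);
sendTokenToOpener(thirdParty, "constructed-token");
sendTokenToOpener(firstParty, "constructed-token");
```

In a real deployment the iframe would register `acceptTokenMessage` as a `message` event listener and remember the popup handle returned by `window.open` as `expectedSource`. This only addresses where the token travels; it does not solve concern a) (refresh), since any token held in the iframe still has to be renewed without the parent page ever seeing it.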