We have:
- Keycloak (OpenID Connect)
- 1x Rich client (with Keycloak Java adapter)
- 1x WebClient SPA (with Keycloak JavaScript adapter)
Both applications are public and in the same realm, but have different Client IDs. We would like to implement SSO (Single Sign-On). Consider the following scenario: the user logs in with user/password in the rich client, and the rich client receives JWT (AccessToken, IdToken and RefreshToken). Now the user calls the webclient from the rich client (with a deep link) and it opens a web browser. Because the webclient does not yet have an access token, it redirects the user to the Keycloak (OpenID Connect/OAuth 2.0) login page.
What would be the correct way to implement SSO so that the webclient is authenticated automatically with the credentials from the rich client?
We do not have Username/Password after login any more, only the Tokens.