Can I set KEYCLOAK_IDENTITY cookie by myself

I use KeyCloak with OpenID Connect.

I have an application on the same domain as KeyCloak. This application has an endpoint that takes an authorization code as a param and sets the 'KEYCLOAK_IDENTITY' cookie in the response to enable SSO.

It works, but is it secure to do that?

EDIT : My question is about the cookie. I explain the 'why' just to give some context.

EDIT 2: For people who want to use this solution, I'm really concerned about the keycloak community... No answer to my question, even with a bounty of 100.

Why I want to do that:

I need to set up an SSO between an external website (with its own authentication provider, let's call it 'Site A') and a world of applications handled by Keycloak (let's call one of them 'Site K').

As an authenticated user of Site A, if I want to navigate to site K without logging in (i.e. using SSO), I need to be logged in on KeyCloak (authorization code flow will do its job).

But, in order to be logged in on KeyCloak, I need to:

  1. Get an authorization code
  2. Exchange this code for a token which will be added to KeyCloak domain's cookie (KEYCLOAK_IDENTITY)

The 1. is tricky with OIDC but it's possible.

The 2. is not possible with OIDC: there is no endpoint in KeyCloak which can take an authorization code and set a cookie without returning the token in the body.

So, my solution is to add a gateway, on the same domain as KeyCloak, that will get a Token from KeyCloak and add it to the KEYCLOAK_IDENTITY cookie... It's tricky but it does work. My question is: is it secure?

If it's not clear: feel free to ask questions!

Nicolas asked Nov 07 '22 12:11

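To make the two steps of the gateway described in the question concrete, here is an added example (not code from the post, and not Keycloak's own code) that builds the authorization-code exchange request and the resulting Set-Cookie header as checkable functions. The realm name, base URL, client credentials and cookie value are placeholders; the realm-scoped cookie Path is an assumption about how Keycloak scopes its own cookie. The example only shows how such a gateway would mint the request and the cookie with the usual session-cookie attributes (Secure, HttpOnly, SameSite); whether Keycloak accepts a KEYCLOAK_IDENTITY cookie it did not set itself is exactly the open question of the post and is not settled here.

```python
"""Added example (not from the post or from Keycloak): the two steps the
gateway in the question performs, written as checkable pure functions plus
one thin network wrapper. Realm, URLs and client credentials are placeholders.
"""
import json
from urllib.parse import urlencode, parse_qs
from urllib.request import Request, urlopen

# Placeholders standing in for the asker's Keycloak deployment.
KEYCLOAK_BASE = "https://sso.example.com"
REALM = "example-realm"
# Standard Keycloak OIDC token endpoint layout for a realm.
TOKEN_ENDPOINT = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"
COOKIE_NAME = "KEYCLOAK_IDENTITY"


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Step 2 of the question: form body for the authorization-code grant
    (RFC 6749 section 4.1.3). An empty code is rejected up front so a missing
    query parameter never turns into a request to the token endpoint."""
    if not code:
        raise ValueError("authorization code is required")
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def parse_form_body(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def exchange_code(code, redirect_uri, client_id, client_secret, endpoint=TOKEN_ENDPOINT):
    """POST the exchange to Keycloak and return the parsed JSON token response.
    Network call; the offline checks exercise the builders instead."""
    body = build_token_request(code, redirect_uri, client_id, client_secret).encode()
    req = Request(endpoint, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded",
                           "Accept": "application/json"})
    with urlopen(req, timeout=10) as resp:  # raises HTTPError on 4xx/5xx
        return json.load(resp)


def build_set_cookie(value, max_age, realm=REALM):
    """Set-Cookie header the gateway would emit. Attributes follow the usual
    hardening for a session cookie: Secure (HTTPS only), HttpOnly (no script
    access), SameSite=Lax, and a Path scoped to the realm rather than the whole
    domain (assumption: mirrors how Keycloak scopes its own cookie; confirm
    against the Set-Cookie your server emits)."""
    if not value or any(c in value for c in ";,\r\n \t"):
        raise ValueError("cookie value must be a single token without separators")
    if max_age <= 0:
        raise ValueError("max_age must be positive")
    return (f"{COOKIE_NAME}={value}; Path=/realms/{realm}/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and an attribute dict
    (flag attributes such as Secure map to True)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return {"name": name, "value": value, "attributes": attrs}


if __name__ == "__main__":
    # Offline demonstration with a constructed code and a constructed cookie value.
    print(build_token_request("abc123", "https://gw.example.com/cb", "gateway", "s3cret"))
    print(build_set_cookie("constructed.token.value", 1800))
```

The gateway endpoint from the question would call `exchange_code` with the code it received, pick the value it intends to store out of the token response, and return `build_set_cookie(...)` as the Set-Cookie header of its redirect.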


1 Answer

If it has its own identity database you should consider integrating this DB into the Keycloak of site K via a User Storage Provider implementation (USP). This way both of your sites will use a single Keycloak server for authentication purposes.

There could be an issue if the identity DB from Site A has user accounts that are duplicated in the Keycloak of site B; if so, you should think about merging (or, for example, prefer existing users from Keycloak - this is the default behavior when a user from the Keycloak identity DB clashes with a user pulled from the User Storage Provider implementation). Also you can create a separate realm for the USP and use multi-tenancy for your applications.

solveMe answered Nov 12 '22 23:11
