Understanding the mechanism of Keycloak

Tags:

keycloak

I'm using Keycloak, but I don't understand how authentication is verified after the user authenticates in the app.
For example, I have an app secured with Keycloak; when a user tries to access it, he/she is redirected to the authentication page, then (I guess, and correct me if I'm wrong) the user gets a token that needs to be sent with every request.

aName asked Feb 07 '23 19:02


1 Answer

On a complete system secured with Keycloak:

  1. A user clicks from a public page to navigate to a protected area within the application. The link to this protected area is in your application settings in the Keycloak admin console.

  2. The user will indeed be redirected to the Keycloak authentication page. After providing username and password, Keycloak redirects the user back to your application with a code that is valid for a very short period of time.

  3. The application communicates this code to Keycloak along with the Application ID and the Application secret; Keycloak then replies with the Access token, ID token, and a Refresh token. Your application will need only one of these tokens to see which claims the user has, and according to the claims, the user will be granted or denied access to the protected URL(s).

j0zeft answered Feb 09 '23 20:02
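The three steps in the answer, written out as an added Python example (not code from the question, the answer, or the Keycloak project). It assumes Keycloak's standard OpenID Connect endpoint layout under `<issuer>/protocol/openid-connect/`; the issuer URL, client name and all token contents are constructed sample values. Step 1-2 is `build_authorization_url`, step 3 is `exchange_code` (the back-channel call carrying the short-lived code plus the client id and secret), and the "granted or denied according to the claims" part is `decode_claims` plus `is_authorized`. Signature verification is passed in as a callable because Keycloak signs tokens with RS256 by default and checking that needs the realm's public key (JWKS), which this offline example does not fetch; `make_sample_token` only fabricates test input with a placeholder signature.

```python
"""Keycloak authorization-code flow, step by step (added example, stdlib only)."""
import base64
import hashlib
import json
import time
import urllib.parse
import urllib.request

# Constructed sample issuer; a real value is https://<host>/realms/<realm>.
ISSUER = "https://keycloak.example.test/realms/demo"


def build_authorization_url(issuer, client_id, redirect_uri, state, code_verifier):
    """Steps 1-2: the URL the app sends the browser to. `state` ties the callback
    to this browser session; the PKCE S256 challenge binds the later code
    exchange to the app instance that started the login."""
    digest = hashlib.sha256(code_verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{issuer}/protocol/openid-connect/auth?" + urllib.parse.urlencode(params)


def exchange_code(issuer, client_id, client_secret, code, redirect_uri,
                  code_verifier, post=None):
    """Step 3: back-channel exchange of the short-lived code for the token set.
    `post(url, body)` is injectable so the exchange can be exercised offline;
    the real transport is `_http_post_form`."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }).encode()
    url = f"{issuer}/protocol/openid-connect/token"
    post = _http_post_form if post is None else post
    return post(url, body)  # dict with access_token, id_token, refresh_token


def _http_post_form(url, body):
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt, verify_signature):
    """Split a compact JWS and return its claims only after `verify_signature`
    (header, signing_input, signature) -> bool has accepted it. The verifier is a
    parameter because RS256 verification needs the realm's JWKS public key."""
    header_b64, payload_b64, sig_b64 = jwt.split(".")
    header = json.loads(_b64url_decode(header_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_signature(header, signing_input, _b64url_decode(sig_b64)):
        raise ValueError("token signature rejected")
    return json.loads(_b64url_decode(payload_b64))


def is_authorized(claims, issuer, client_id, required_role, now=None):
    """Grant or deny from the claims: right issuer, token meant for this client
    (aud or azp), not expired, and the required Keycloak realm role present."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud and claims.get("azp") != client_id:
        return False
    if claims.get("exp", 0) <= now:
        return False
    return required_role in claims.get("realm_access", {}).get("roles", [])


def make_sample_token(claims):
    """Constructed test input: a JWS-shaped string with a placeholder signature.
    Only a verifier that checks nothing would accept it, which is the point."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    sig = base64.urlsafe_b64encode(b"placeholder").rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.{sig}"
```

In a real deployment `verify_signature` would look up the `kid` from the header in the realm's JWKS (`<issuer>/protocol/openid-connect/certs`) and check the RS256 signature; a resource server that skips that step is trusting whatever the browser hands it.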