Can I skip login page using access_token + direct access grants with the browser flow?


dane pane

Jun 23, 2022, 1:05:43 PM
to Keycloak Dev
Sorry for the cross post, posted this pretty much everywhere.. getting desperate. 

I’m running into a problem and am not sure if there is a solution.

The current problem:
Website 1 (no-sso)
Website 2 (openid, managed by keycloak instance)

What I’m trying to do:
User accesses website 1, then is authenticated and authorized to website 2 using the browser flow and passes through without seeing a keycloak login page.

It should be seamless (no keycloak login pages of any kind)

I’m able to generate an access_token using the rest api, but when I redirect to website 2 I get kicked back to the keycloak login page.

From the keycloak logs it looks at first like the login is successful, but after the webapp redirects I’m presented with the keycloak login screen.

Is there an alternative browser flow that would allow me to do this?

Yes I understand that password grants are an anti-pattern.

Stian Thorgersen

Jun 24, 2022, 4:19:19 AM
to dane pane, Keycloak Dev
Don't really understand what you're trying to do, but sounds like you're using password grant and somehow expecting that to create an SSO session. That won't work, period.

Both websites have to be integrated properly with Keycloak using the browser flow if you want to achieve an SSO experience.

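Added example, not part of the thread and not Keycloak's own code: how website 2 would start the browser flow the reply above refers to, as an authorization code request with PKCE, with an optional OIDC `prompt=none` check that returns `login_required` instead of a login page when the browser holds no SSO session. The host names, realm `demo` and client `website2` are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for illustration only; none of these come from the thread.
# Older (WildFly-based) Keycloak installs serve these paths under /auth.
KEYCLOAK_BASE = "https://sso.example.test"
REALM = "demo"
CLIENT_ID = "website2"
REDIRECT_URI = "https://website2.example.test/callback"


def build_auth_request(silent=False):
    """Return (url, state, code_verifier) for an authorization code + PKCE request."""
    state = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if silent:
        # OIDC prompt=none: the server must not show any login UI. It either
        # reuses the browser's existing SSO session or returns login_required.
        params["prompt"] = "none"
    path = f"/realms/{REALM}/protocol/openid-connect/auth"
    return f"{KEYCLOAK_BASE}{path}?{urlencode(params)}", state, verifier


def handle_callback(callback_url, expected_state):
    """Classify the redirect back from Keycloak as ('code', v) or ('error', v)."""
    query = parse_qs(urlsplit(callback_url).query)
    returned_state = query.get("state", [""])[0]
    if not secrets.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in query:
        # e.g. login_required when the browser has no SSO session to reuse
        return "error", query["error"][0]
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return "code", query["code"][0]
```

The returned code is exchanged at the token endpoint together with the `code_verifier`; an access token obtained separately through the password grant plays no part in this redirect.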

Alec Henninger

Jun 24, 2022, 1:11:48 PM
to Keycloak Dev
If website 1 cannot be modified to integrate using SAML or OIDC, perhaps a proxy can be put in front that can? I've had success with https://github.com/latchset/mod_auth_mellon in the past.

dane pane

Jun 24, 2022, 3:58:13 PM
to Keycloak Dev
Thanks for the reply, taking a look! 

dane pane

Jun 24, 2022, 4:01:46 PM
to Keycloak Dev
This is what I'm trying to do (not my idea.. work project). Essentially they want website 1 (no sso of any kind) to generate an sso session for website 2 (managed by keycloak). I'm able to generate an access_token but that doesn't seem to work for the browser flow. As far as I understand the access_token can be used to hit a restful endpoint but that's about it.

In the past, if I had both sites managed by keycloak no issue whatsoever. 

keycloak-rest-api-auth.png
