How can Keycloak authorize a user across domains?


B SH
Dec 11, 2023, 12:55:52 AM
to Keycloak User
It seems confusing, probably due to a lack of understanding of cross-domain cookie policies.

Let's assume that A and B are websites in the same realm, and K is a Keycloak auth server.
A, B and K have different domains.

Here's what I understand:
1. When a user connected to "A" attempts to log in, "A" pops up "K"'s login page.
2. After logging in to "K", a token is issued and stored somewhere in Keycloak.
3. "K" passes the token to "A" (and "A" stores the token somewhere in "A"..?).
4. "A" passes the token to the user, and the token is stored in the user's browser cookie.

5. When the user makes a request to "A", the token is passed along through an HTTP header or cookie.
6. "A" checks authentication by passing the token to Keycloak every time a request is made..?
Or by comparing it to the token it is holding..?
Is this process correct?

The second thing that's confusing is what happens when connecting from B?

1. You are logged in at "A" and have received a token (regardless of where exactly it is stored).
2. When you connect to "B", "B" will be logged in because it belongs to the same realm as "A". But how?
3. "B" passes the token received from the browser to "K". (Can "B" forward a cookie containing the token information stored in "A"?)
4. "K" verifies the token and informs "B" of the result, and "B" treats the user as logged in.

Tony Harris
Dec 11, 2023, 4:09:05 AM
to B SH, Keycloak User
The cookie belongs to the Keycloak domain. When the user accesses a.com they are directed to keycloak.com to authenticate. keycloak.com creates a cookie on keycloak.com identifying that the user has a valid session in Keycloak, and a.com can complete the auth code flow to get the cookies.
When the user accesses b.com they will be redirected to keycloak.com; Keycloak gets the cookie from keycloak.com, identifies that the user has a valid session, and IF that session is for the same REALM in Keycloak as for a.com, they will be silently authenticated and b.com will be allowed to complete the authorization code flow.

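To make the reply above concrete (the session cookie lives on the Keycloak host, scoped to the realm; each app completes the code flow itself and then keeps its own session), here is an added, self-contained model of the flow. It is example code written for this page, not Keycloak's code or anything posted in the thread: the hosts a.example, b.example, c.example and keycloak.example, the client ids and secrets, and the user "alice" are all constructed; the cookie name KEYCLOAK_IDENTITY and the /realms/<realm>/... paths follow Keycloak's conventions, but nothing here talks to a real server. The third app sits in a different realm so the "same realm" condition is visible.

```python
import secrets

KC_HOST = "keycloak.example"  # assumed hostname of the auth server K


class Browser:
    """Cookie jar scoped by (host, path), as in a real browser: a cookie set by
    keycloak.example under /realms/demo/ is never sent to a.example or b.example."""

    def __init__(self):
        self.jar = {}  # (host, path) -> {name: value}

    def set_cookie(self, host, path, name, value):
        self.jar.setdefault((host, path), {})[name] = value

    def cookies_for(self, host, path):
        found = {}
        for (h, p), cookies in self.jar.items():
            if h == host and path.startswith(p):
                found.update(cookies)
        return found


class Keycloak:
    """Stand-in for K: an SSO session cookie per realm plus the auth code flow."""

    def __init__(self, clients):
        self.clients = clients  # client_id -> (realm, client_secret)
        self.sso = {}           # cookie value -> (realm, subject)
        self.codes = {}         # authorization code -> (client_id, subject)

    def login(self, browser, realm, subject):
        """User submits K's login form (password check elided): the session lives
        on K's side and the cookie is set on K's own host, under the realm path."""
        ident = secrets.token_urlsafe(16)
        self.sso[ident] = (realm, subject)
        browser.set_cookie(KC_HOST, f"/realms/{realm}/", "KEYCLOAK_IDENTITY", ident)

    def authorize(self, browser, client_id):
        """/realms/<realm>/protocol/openid-connect/auth: return a code if the browser
        presents a valid session cookie for this client's realm, else None (login page)."""
        realm, _ = self.clients[client_id]
        ident = browser.cookies_for(KC_HOST, f"/realms/{realm}/").get("KEYCLOAK_IDENTITY")
        if ident not in self.sso or self.sso[ident][0] != realm:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, self.sso[ident][1])
        return code

    def token(self, client_id, client_secret, code):
        """/realms/<realm>/protocol/openid-connect/token: back-channel exchange,
        accepted only from the client the code was issued to."""
        if self.clients.get(client_id, (None, None))[1] != client_secret:
            raise PermissionError("bad client credentials")
        owner, subject = self.codes.pop(code, (None, None))
        if owner != client_id:
            raise PermissionError("code was not issued to this client")
        return {"access_token": "at-" + secrets.token_hex(8), "sub": subject}


class App:
    """A relying party such as a.example: after one code flow it keeps its own
    session cookie on its own host and stops redirecting to K."""

    def __init__(self, host, client_id, secret, kc):
        self.host, self.client_id, self.secret, self.kc = host, client_id, secret, kc
        self.sessions = {}  # APP_SESSION value -> subject

    def request(self, browser):
        """One page load; returns (subject, how) with how in 'local' (own session),
        'sso' (K's cookie honoured, no prompt) or 'login' (K shows its form)."""
        sid = browser.cookies_for(self.host, "/").get("APP_SESSION")
        if sid in self.sessions:
            return self.sessions[sid], "local"
        code = self.kc.authorize(browser, self.client_id)        # redirect to K
        if code is None:
            return None, "login"
        tok = self.kc.token(self.client_id, self.secret, code)   # redirect back + exchange
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = tok["sub"]
        browser.set_cookie(self.host, "/", "APP_SESSION", sid)
        return tok["sub"], "sso"


def demo():
    """The thread's scenario, plus an app in another realm; returns a trace."""
    kc = Keycloak({"app-a": ("demo", "sa"), "app-b": ("demo", "sb"), "app-c": ("other", "sc")})
    a = App("a.example", "app-a", "sa", kc)
    b = App("b.example", "app-b", "sb", kc)
    c = App("c.example", "app-c", "sc", kc)
    browser = Browser()
    trace = {"a_first": a.request(browser)[1]}       # no K cookie yet -> 'login'
    kc.login(browser, "demo", "alice")               # user logs in at keycloak.example
    trace["a_after_login"] = a.request(browser)[1]   # K's cookie -> code flow -> 'sso'
    trace["a_again"] = a.request(browser)[1]         # a.example's own cookie -> 'local'
    trace["b_sees_a_cookie"] = "APP_SESSION" in browser.cookies_for("b.example", "/")
    trace["b_first"] = b.request(browser)            # K's cookie, same realm -> ('alice', 'sso')
    trace["c_first"] = c.request(browser)[1]         # other realm -> 'login'
    return trace
```

Two things the model makes visible that the question assumed otherwise: B never sees A's cookie (the jar only returns cookies for the requesting host), and B never forwards anything from A to K; it is the browser, redirected to keycloak.example, that carries K's own cookie, and K then issues B a fresh code that only app-b can redeem.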

B SH
Dec 11, 2023, 7:08:29 PM
to Keycloak User
Thank you for reply.

So, is there always a process of checking authorization through keycloak.com every time I move to another page in A or B?

On Monday, December 11, 2023 at 6:09:05 PM UTC+9, Tony Harris wrote:

David Cook
Dec 12, 2023, 6:42:09 PM
to Keycloak User

It's worth keeping in mind that authentication and authorization are different.

Authentication is the process of verifying that the user is truly the user they claim to be in Keycloak. Authorization is the process of verifying that the user has access to a resource.

OpenID Connect and SAML are both authentication protocols, although they both can send properties/attributes to the downstream app, which can be used for local authorization purposes. Or you can use Keycloak authorization services. While I haven't used Keycloak authorization services, I think that if you use the UMA protocol, you do end up checking Keycloak for every page request.

But it sounds like you want to check on the Keycloak session status for every page load in app A and app B? With Keycloak, you can use "OAuth 2.0 Token Introspection" to check on the status of the Keycloak session.

Happy to be corrected, but that's my understanding.

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03, 6a Glen St, Milsons Point NSW 2061, Australia
Office: 02 9212 0899
Online: 02 8005 0595

From: 'se...@xdam.com' via Keycloak User <keyclo...@googlegroups.com>
Sent: Wednesday, December 13, 2023 12:27 AM
To: Keycloak User <keyclo...@googlegroups.com>
Subject: Re: [keycloak-user] how keycloak can authorize user in cross domain?

I believe that depends on how the apps on A and B are coded. Typically OAuth apps will create their own sessions once they've confirmed the initial authorization, and only go back to Keycloak when those sessions are expired or lost.
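The two replies above (token introspection as the way to ask Keycloak about session status, and apps keeping their own sessions and returning to Keycloak only when those run out) combined into one added example. This is code written for this page, not code from the thread or from Keycloak: an app-side session store that serves page loads from its own record and, once a recheck window has elapsed, sends an RFC 7662 introspection request and drops the session if Keycloak answers active=false. The endpoint path /realms/<realm>/protocol/openid-connect/token/introspect, the form-encoded body and HTTP Basic client authentication are what Keycloak accepts; the base URL, realm name, client id and secret, the 300-second recheck window and the fake transport used to run offline are assumptions made for the demo.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

KEYCLOAK_BASE = "https://keycloak.example"                   # assumed
REALM, CLIENT_ID, CLIENT_SECRET = "demo", "app-a", "s3cret"  # assumed


def introspection_request(token):
    """Build the RFC 7662 call Keycloak serves at
    /realms/<realm>/protocol/openid-connect/token/introspect: form-encoded body,
    client authenticated with HTTP Basic (client_id:client_secret)."""
    url = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token/introspect"
    body = urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": f"Basic {creds}"}
    return Request(url, data=body, headers=headers, method="POST")


def http_transport(req):
    """Real transport: POST to Keycloak and decode the JSON reply ({"active": ...})."""
    with urlopen(req, timeout=5) as resp:
        return json.load(resp)


class SessionStore:
    """The app's own sessions. A page load is served locally until recheck_after
    seconds have passed since the last check; only then does the app ask Keycloak
    whether the token behind the session is still active."""

    def __init__(self, transport=http_transport, recheck_after=300, clock=time.time):
        self.transport, self.recheck_after, self.clock = transport, recheck_after, clock
        self.sessions = {}  # session id -> {"sub", "token", "checked_at"}

    def create(self, sid, sub, access_token):
        """Called once, after the code flow completed and the token was received."""
        self.sessions[sid] = {"sub": sub, "token": access_token, "checked_at": self.clock()}

    def check(self, sid):
        """Returns (subject, how): how is 'none', 'local', 'introspected' or 'inactive'."""
        s = self.sessions.get(sid)
        if s is None:
            return None, "none"
        if self.clock() - s["checked_at"] < self.recheck_after:
            return s["sub"], "local"                  # no round trip to Keycloak
        reply = self.transport(introspection_request(s["token"]))
        if not reply.get("active"):
            self.sessions.pop(sid)                    # logged out / revoked at Keycloak
            return None, "inactive"                   # caller redirects to a fresh login
        s["checked_at"] = self.clock()
        return s["sub"], "introspected"


def fake_keycloak(active_tokens, calls):
    """Constructed offline stand-in for the introspection endpoint: records each
    call and answers active=true only for tokens present in active_tokens."""
    def transport(req):
        assert req.get_method() == "POST"
        assert req.get_header("Authorization", "").startswith("Basic ")
        calls.append(req.full_url)
        form = parse_qs(req.data.decode())
        return {"active": form["token"][0] in active_tokens}
    return transport


def demo():
    """Five page loads against a 300-second recheck window; returns the outcomes
    and how many times Keycloak was contacted."""
    now = [1_700_000_000.0]            # fake clock so the run is deterministic
    calls, active = [], {"tok-alice"}
    store = SessionStore(fake_keycloak(active, calls), recheck_after=300,
                         clock=lambda: now[0])
    store.create("sid1", "alice", "tok-alice")
    outcomes = [store.check("sid1")]       # fresh session -> local
    now[0] += 60
    outcomes.append(store.check("sid1"))   # still inside the window -> local
    now[0] += 300
    outcomes.append(store.check("sid1"))   # window elapsed -> introspected, still active
    active.clear()                         # user logs out of Keycloak (token revoked)
    now[0] += 300
    outcomes.append(store.check("sid1"))   # introspected -> inactive, session dropped
    outcomes.append(store.check("sid1"))   # nothing left locally -> none
    return outcomes, len(calls)
```

The recheck window is the knob behind "only go back to Keycloak when those sessions are expired": set it to 0 and every page load becomes an introspection call, set it to the access token lifetime and a logout at Keycloak goes unnoticed for up to that long. Introspection needs a confidential client (the Basic credentials above); a public browser-side client cannot call it.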
