Hi Yamcs Team,
We have a follow-up question regarding SSO integration.
We're currently implementing LDAP and SSO, where "SSO" means that after logging in through Keycloak, a user should be able to access both Yamcs and OpenMCT without logging in again.
However, we encountered an issue: users can only access OpenMCT successfully after logging into Yamcs first. It seems that Yamcs login generates and provides the necessary access_token and refresh_token, which are required for OpenMCT to authenticate the session.
To work around this, we tried generating the Yamcs id_token through Keycloak and providing it to OpenMCT for authentication (as a third-party integration). However, this token only returns a raw JWT and does not include user information such as name, roles, etc. As a result, OpenMCT login fails with a 401 Unauthorized error.
Could you help us understand what might be going wrong? Specifically:
Is there a recommended way to pass the Keycloak authentication to Yamcs so that OpenMCT can also recognize the session?
Why does the id_token from Keycloak lack user details in this context?
Is it possible to authenticate OpenMCT directly via Keycloak, without relying on Yamcs login to establish the session first?
Any guidance or best practices would be greatly appreciated.
Best regards,
Stasy