
Keycloak external login page for external IDP

In our Spring Boot app, we are using Keycloak and we configured multiple external IDPs. Everything is working successfully browser-based. The login page that is provided by Keycloak is showing the direct grant option in addition to login with IDPs; then if the user clicks to log in using an IDP, he is redirected to the IDP's login page, then our Keycloak receives the token.

What I want to change in that flow is that instead of showing the user the login page of Keycloak I want to show him the login page from my app (my FE), which is dealing with my BE API. My BE would deal with KC. Then if the user selects to log in with an IDP I want to get the redirect URL from KC to pass it to my FE. Then after getting the token I want to redirect the user to my FE immediately.

In other words, I don't want users to access KC directly; this should be through my BE.

Your client applications should never have access to users' credentials.

I'd consider things another way around (I make assumptions on your setup because you didn't give many details about it):

  • provide Keycloak with a custom theme to match your client application(s) look & feel
  • probably change your Spring backend configuration from client to resource-server. In OAuth2 wording, REST APIs are resource servers, not clients.
  • probably switch from 302 (redirect to Spring's oauth2Login) for unauthorized requests to 401 (which is the standard HTTP status for unauthorized requests)
  • probably, in your SPA client(s), use one of the certified OIDC client libs to handle authorization-code flow with PKCE, silent token refreshing before it expires, an HTTP interceptor to insert the access token, route guards with auto-login... My favorite for Angular is angular-auth-oidc-client

If I'm right about your REST API being configured with spring-boot-starter-oauth2-client and if you don't know yet how to configure it with spring-boot-starter-oauth2-resource-server, you can refer to the Spring official doc or to these tutorials I wrote.
