[keycloak-user] Mobile Game Authentication Flow

Mat Pataki mat at uken.com
Tue Feb 28 14:06:20 EST 2017


Hello!

I'm a developer at a mobile gaming company, and I'm trying to better
understand how/if KeyCloak fits within the paradigm that we have, and that
I believe also to be pretty typical in this space. At the moment I am
specifically interested in User Registration and Authentication. I should
say that I've spent a larger amount of time with the documentation before
turning here, so hopefully I'm not missing something completely obvious
(although I can't really rule that out!).

Third-party identity providers such as Facebook and Google provide mobile
SDKs that are capable of completing the OAuth2 flow with their respective
identity platforms. In the end, our consuming mobile apps receive an access
token if all goes well. We send this token to our current custom backend
authentication solution which will validate them, obtain an ID from the
identity provider, and link that ID to our own internal ID for the user.
It's this backend component that I would like to replace with KeyCloak.

For reference, I see very similar code to this in the KeyCloak source, here
<https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/facebook/FacebookIdentityProvider.java>,
which is encouraging!

The problem, however, is that KC's social login flow, and seemingly the
custom SPI flows as well, all begin with the web-based registration page.
For our use case, we would like to avoid directing our users away from our
app during this process, and in fact avoid performing the OAuth2 flow
between us and Facebook, for example, entirely. This is something we have
today via these client SDKs.

Down the line we plan to use KeyCloak for its more traditional use cases,
including securing our own microservices and applications, but that's
assuming that we can solve this problem.

Any advice would be greatly appreciated! Thanks in advance!

Mat
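
The backend step described in the message (validate the SDK-obtained token, obtain the provider's ID, link it to an internal ID) is sketched below as an added example; it is not part of the original post and is not Keycloak code. It assumes the provider's token-inspection answer has already been fetched and has the shape of Facebook's `debug_token` `data` object; the function names, app IDs and sample responses are constructed.

```python
import uuid

class TokenRejected(Exception):
    """Raised when the provider's answer about a token must not be trusted."""

def verified_subject(introspection, expected_app_id, now):
    """Return the provider user id, or raise if the token is unusable here.

    `introspection` is the provider's already-fetched answer about the token
    (assumed shape, modelled on Facebook's debug_token "data" object).
    """
    data = introspection.get("data", {})
    if not data.get("is_valid"):
        raise TokenRejected("provider reports token invalid")
    # Audience check: a token minted for another app must not log a user in here.
    if str(data.get("app_id")) != str(expected_app_id):
        raise TokenRejected("token was issued to a different app")
    expires_at = data.get("expires_at", 0)  # assumed: 0 means non-expiring
    if expires_at and expires_at <= now:
        raise TokenRejected("token expired")
    subject = data.get("user_id")
    if not subject:
        raise TokenRejected("no user id in response")
    return str(subject)

def link_identity(links, provider, subject):
    """Map (provider, subject) to an internal user id, creating it on first login."""
    key = (provider, subject)
    if key not in links:
        links[key] = str(uuid.uuid4())
    return links[key]

def login(links, provider, introspection, expected_app_id, now):
    subject = verified_subject(introspection, expected_app_id, now)
    return link_identity(links, provider, subject)

# Constructed sample responses (not real tokens, apps or users).
OUR_APP_ID = "1111"
GOOD = {"data": {"is_valid": True, "app_id": "1111", "user_id": "9001",
                 "expires_at": 2_000_000_000}}
OTHER_APP = {"data": {"is_valid": True, "app_id": "2222", "user_id": "9001",
                      "expires_at": 2_000_000_000}}

if __name__ == "__main__":
    links = {}
    print(login(links, "facebook", GOOD, OUR_APP_ID, now=1_700_000_000))
    try:
        login(links, "facebook", OTHER_APP, OUR_APP_ID, now=1_700_000_000)
    except TokenRejected as exc:
        print("rejected:", exc)
```

The `app_id` comparison is the check that matters most in this design: without it, a valid token the same user granted to an unrelated app would be accepted as proof of identity.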

