[keycloak-user] Is it possible to combine oidc login with tomcat adapter?

Federico Navarro Polo - Info.nl federico at info.nl
Wed Mar 22 12:41:58 EDT 2017


Hello,

We’re facing a kind of special scenario with our current setup, in which we have Keycloak as identity provider for both a website and a native mobile app.

For the website part, we use the Tomcat adapter and the Keycloak built-in login screen, and it works fine.

For the native app, we’ve been using oidc and the /token and /userinfo endpoints for logging in and retrieving user data, and that also has been working fine so far.

Now, the situation is that we would like to allow opening certain pages from the website within a webview in the app, and these website pages should reflect the user information correctly. Is it possible to make the Tomcat adapter aware of the session opened via oidc? The first idea was to get the access token from /token and then pass that somehow to the request in a way that the Tomcat adapter will use it.

I attempted to do so by using the QueryParamterTokenRequestAuthenticator provided by the Tomcat adapter, which recognizes an access_token query parameter, and I can see that the user is properly authenticated while debugging. However, after a redirect, we do not seem to have the KeycloakPrincipal nor the KeycloakContext in the request anymore, as opposed to what happens when logging in through the Keycloak built-in login screen. I’m guessing that the difference is that the regular OAuthRequestAuthenticator saves data into the AdapterTokenStore, while the BearerAuthentication (from which the QueryParamterTokenRequestAuthenticator inherits) does not.

Is there any alternative to make this work without making the user log in multiple times?

Thanks in advance!

Kind regards,

Federico Navarro

backend developer

federico at info.nl  |  LinkedIn <http://www.linkedin.com/in/jasperleferink>  |  +31 (0)2 05 30 91 61

info.nl <http://www.info.nl/>

Sint Antoniesbreestraat 16  |  1011 HB Amsterdam  |  +31 (0)20 530 9100



