My goal is to have several web services (which reside at sub1.domain.com, sub2.domain.com, etc.) all redirect users to auth.domain.com for login. When a user is logged in and visits one of the web services, the web service should be able to get the user's identity from a claim signed by the authentication service (Keycloak). The only way I know of to do this is to pass a claim in a cookie.

Ideally, the web service should be able to verify the identity claim without needing to emit an HTTP request to the auth service (by verifying the signature against the realm's public key).

Is Keycloak the right choice for this? And if not, do you have any recommendations?