Need to share some context and setup before asking my question, so please excuse the wall of text. =) My app: `frontend` is a SPA served as a static resource from NGINX (http://frontend) `keycloak` server running on http://keycloak `middleware` is a NodeJS app that frontend communicates with as API endpoint (eg: http://middleware). Middleware is using keycloak-nodejs-connect (https://github.com/keycloak/keycloak-nodejs-connect) to protect the API endpoint setup code in middleware looks like this: ``` const session = require('express-session') const memoryStore = new session.MemoryStore() app.use(session({ secret: 'mySecret', resave: false, saveUninitialized: true, store: memoryStore })) const keycloak = require('./auth/keycloak') app.use(keycloak.middleware({ logout: '/logout' })) ``` The setup in auth/keycloak.js is: ``` const keycloakConfig = { 'realm': 'realmName', 'auth-server-url': `http://keycloak/auth`, 'ssl-required': 'external', 'resource': 'clientName', 'credentials': { 'secret': 'aaaaaaaa-bbbb-cccc-dddd-1a49c9dfbbef' } } module.exports = new Keycloak({store: memoryStore, responseType: 'code'}, keycloakConfig) ``` when a user clicks "/login" link from frontend, the frontend spawns a new tab and the new tab calls http://middleware/login. The motivation is for the existing state in UI to not be touched, all redirects etc happen in a new window. The code in middleware looks like this: ``` app.get('/login', keycloak.protect(), (req, res) => { const keycloakTokens = JSON.parse(req.session['keycloak-token']) const userInfo = JSON.stringify(decodeToken(keycloakTokens)) res.status(200).send(`<html><head> <script type="text/javascript"> window.opener.postMessage(${userInfo}, 'http://frontend') window.close() </script> </head></html>`) }) const decodeToken = ({id_token}) => { const payload = JSON.parse(atob(id_token.split('.')[1])) return payload } ``` So the idea is that after the OIDC dance, the middleware will respond asking the new tab to postMessage to the opener (parent) with the contents of the id_token JWT. Assumption 1: the session in the cookie connect.sid is what the middleware uses to ensure the user is still authenticated. Is this assumption accurate? there is a event listener in frontend that watches for the `postMessage` and saves the information sent (id_token) to localStorage. Question 1: is this a correct way of doing login given the setup described above? I think i'm definitely missing something because another protected route in middleware causes redirect to keycloak again telling me that middleware does not know the frontend is authenticated. Question 2: how would logout work in this case? just clear the browser cookies? I tried the example app ( https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example) but that has a different architecture, the browser points to the middleware domain. please let me know if you are looking for more code snippets or details. Happy to provide. Regards, Rudy.