[keycloak-user] Problems using Keycloak for SSO
Christoph Guse
info at flex-guse.de
Mon Aug 29 13:36:25 EDT 2016
Hello all,
I'm quite new to Keycloak, identity management, OAuth2 and OpenID Connect
and I think I haven't understood all mechanisms yet.
Currently I'm working on a proof of concept using Keycloak as Web-SSO
service. In my poc I have
- a Wiki application connected to Keycloak using SAML
- a spring-boot application (csrf is disabled as the UI brings its own
csrf mechanism) using the community spring-boot adapter
In both applications the login works using Keycloak, both applications
work, resources can be loaded and so on. SSO works, after logging in
into the spring-boot application the Wiki application can be opened in
another browser window without having to reauthenticate. So far, so good.
But in my poc I want to embed the spring-boot application into the Wiki
application. Without authentication this works as the UI used in the
spring-boot application uses a virtual DOM which can be created on a
Wiki page.
Unfortunately this does not work with authentication using Keycloak.
After the login in the Wiki the JavaScript in the Wiki page is not able
to load the JS from the spring-boot application for the virtual DOM
(HTTP 401, bearer token = "unknown").
I am wondering how Keycloak does the SSO as I was not able to see any
parameter in the HTTP requests which are something like the Keycloak
token ID. Can somebody explain - or give a hint where to find a detailed
explanation - how the token handling is done so I can figure out if
something is missing while accessing the spring-boot application?
Thank you in advance,
Christoph