Creating a login link for another user

I’m currently faced with implementing the following scenario in Keycloak, but I have no idea how to go about it using some custom SPIs.

Basically, the intended scenario is as follows:

  1. A service contacts Keycloak to generate a one-time token, starting from a user’s email address. So this token should be linked in some way or another to that user in Keycloak, based on the email address. This token should also only be usable for, e.g., 1 minute after creation. Also: the service requesting the token for the user will use client auth, based on a client ID and client secret.
  2. The token should be returned to the requesting service in the form of a URL.
  3. This URL with the token will be sent to the user for whom the token URL was requested.
  4. The user clicks the URL within 1 minute of the token being created. The URL points to Keycloak. Keycloak checks the presented token and, if it is OK, forwards the user to a backend application without the user having to authenticate again, so the user ends up in a backend application, fully authenticated.

Does anyone have any ideas or pointers on how to tackle a scenario like this in Keycloak?

Obviously, I’m only asking here about the Keycloak part of this scenario. Don’t bother about the implementation of the service that will request the token.

3 Likes
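As an added example (not from the original post, and not Keycloak’s own code or SPI), here is a minimal Python model of the four steps: the calling service authenticates with a client ID and secret, a short-lived single-use token is bound server-side to the user looked up by email and handed back as a URL, and redeeming that URL yields the user to log in. The endpoint path, client credentials and user store are constructed placeholders.

```python
import hmac
import secrets
import time
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed sample data: the calling service's client credentials and a user store.
CLIENTS = {"mail-service": "s3cret-client-secret"}
USERS_BY_EMAIL = {"alice@example.com": "user-1234"}

TOKEN_TTL_SECONDS = 60  # the 1-minute validity window from the scenario
LOGIN_LINK_BASE = "https://keycloak.example/realms/demo/login-link"  # hypothetical endpoint

# Server-side store: token -> (user_id, expiry). Keeping state here is what makes the
# token single-use; a purely signed, stateless token could be replayed until it expires.
_issued_tokens = {}


def issue_login_link(client_id, client_secret, email, now=None):
    """Steps 1+2: authenticate the service, bind a fresh token to the user, return a URL."""
    now = time.time() if now is None else now
    expected = CLIENTS.get(client_id)
    # Constant-time compare so the secret check does not leak timing information.
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return None
    user_id = USERS_BY_EMAIL.get(email)
    if user_id is None:
        return None
    token = secrets.token_urlsafe(32)  # unguessable; never derived from the email
    _issued_tokens[token] = (user_id, now + TOKEN_TTL_SECONDS)
    return f"{LOGIN_LINK_BASE}?{urlencode({'token': token})}"


def redeem_login_link(url, now=None):
    """Step 4: validate the presented token; return the user to log in, or None."""
    now = time.time() if now is None else now
    token = parse_qs(urlparse(url).query).get("token", [None])[0]
    entry = _issued_tokens.pop(token, None)  # pop: a token can be redeemed only once
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None  # expired; already removed, so it cannot be retried later
    return user_id
```

In a real deployment the token store would live in Keycloak’s persistent storage rather than a module-level dict, and the returned user would be turned into an authenticated session before the redirect to the backend application.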