We are integrating Keycloak for our organization for some REST services, web and mobile apps (iOS and Android). On the iOS side, for now, we use the AppAuth-iOS SDK, which effectively allows users to authenticate themselves via a web view (underneath, by using an instance of the SFSafariViewController class).
For the account management page, we want to display the account page (/account) via the SFSafariViewController (as recommended by the RFC), but when this page is displayed, the user has to authenticate again because the session cookies from the previous authentication context were lost.
Note that we cannot get back the Keycloak cookies generated in the authentication context, because SFSafariViewController does not seem to offer this feature.
Have you had any experience or suggestions on either the mobile app or the backend side?
Can you get the access token? Does SFSafariViewController allow you to set cookies? If so, you just need to set the access token as the KEYCLOAK_IDENTITY cookie for the account session.
Yes we do, but we cannot set the KEYCLOAK_IDENTITY cookie in the SFSafariViewController context. We shall test with WKWebView this afternoon, but the recommendation advises against doing it that way.
I don’t know if it would be a security problem to have it in a GET request, but if you can tell SFSafariViewController what URL you want to go to, you could give it something like https://<host>/auth/admin/realms/<realm>/<some_custom_rest_endpoint>?cookie=<access_token>, then you can implement a custom REST endpoint on the Keycloak side that responds with a redirect to the account console with a Set-Cookie header. Bit hacky, but it might work.
I developed a custom endpoint which uses the AuthenticationManager.createLoginCookie(session, realm, user, userSession, uriInfo, clientConnection) method for creating the KEYCLOAK_IDENTITY cookie. Note that the /account page needs a cookie containing a token of type Serialized-ID and not Bearer, as I thought previously.
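As an added example (not the poster's code, and not part of Keycloak itself), this is what such an endpoint can look like as a Keycloak realm resource provider: it verifies the access token passed in the URL, calls createLoginCookie as described above, and redirects to the account console. It assumes a Keycloak version with AppAuthManager.BearerTokenAuthenticator (12 or later); the RealmResourceProviderFactory with id "account-cookie" and its META-INF/services registration are assumed and not shown.

```java
import java.net.URI;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;
import org.keycloak.services.resource.RealmResourceProvider;

// Mounted by an (assumed) RealmResourceProviderFactory with id "account-cookie", so the
// endpoint answers at /auth/realms/<realm>/account-cookie/login?token=<access_token>.
public class AccountCookieResource implements RealmResourceProvider {
    private final KeycloakSession session;

    public AccountCookieResource(KeycloakSession session) { this.session = session; }

    @Override public Object getResource() { return this; }
    @Override public void close() { }

    @GET
    @Path("login")
    public Response login(@QueryParam("token") String token) {
        KeycloakContext ctx = session.getContext();
        RealmModel realm = ctx.getRealm();

        // Verify signature, expiry and that the backing user session is still active:
        // a forged, expired or logged-out token must not become a browser session.
        AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session)
                .setRealm(realm)
                .setUriInfo(ctx.getUri())
                .setConnection(ctx.getConnection())
                .setHeaders(ctx.getRequestHeaders())
                .setTokenString(token)
                .authenticate();
        if (auth == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        // Issue KEYCLOAK_IDENTITY (a Serialized-ID token, as noted in the thread),
        // bound to the same user session the access token belongs to.
        AuthenticationManager.createLoginCookie(session, realm, auth.getUser(),
                auth.getSession(), ctx.getUri(), ctx.getConnection());

        // Send the browser on to the account console; the token is not carried along.
        URI account = ctx.getUri().getBaseUriBuilder()
                .path("realms").path(realm.getName()).path("account").build();
        return Response.seeOther(account).header("Cache-Control", "no-store").build();
    }
}
```

Because the token travels in the query string it will end up in browser history and server access logs, so a token minted only for this hop, with a short lifetime, limits the exposure the reply above worries about.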