I have a Keycloak setup with several clients and want to establish Single Sign-On functionality. I have created different roles and mapped those roles to related groups. The users are assigned to each group according to the admin's preference.
Then I have created a customized browser flow for each client which checks the user role for authentication. In that flow I have added a customized cookie check and, if it passes, then the user role is checked.
Let's assume there's a user called userA who is a member of GroupA and GroupB. GroupA has roleA and GroupB has roleB. flowA is bound to roleA and flowB is bound to roleB. Long story short, userA should have access to both appA and appB.
If userA logs in to app1 successfully and then I try to open app2, I should be able to open appB without logging in (because the cookie is set in the browser by appA), BUT instead I'm receiving the access denied error message:
P.S.: I once disabled the user role check in the top branch of the flow, and the cookie itself worked fine and let me in from appB, but after enabling the role check again I faced the problem again. Here you can find the full configuration of the appA browser flow: