Hi,
I have successfully implemented keycloak authentication across different products, now there is one question I’d like to ask related to a very specific scenario.
We have a Web client - multiple server setup (with proprietary protocol over websockets to server, so not REST!) where the web client is redirected to KeyCloak, logs in, and sends the code to the server, which will continue the message flow and obtains the access_token, id_token, etc. and eventually the user data. All works well.
Now, we have a second server, and we don’t want to repeat the KeyCloak authentication part, so we simply send it the same code we received first and rely on that second server to perform the same steps and hopefully get back the same session and same user data (whether the actual id_token and access_token is the same or not, it doesn’t matter).
My question is if this scenario will work, or will KeyCloak detect at the second attempt, that the code it returned, has already been used, and will demand a repeated login?
Many thanks
Hello,
No, that won’t work:
By specification, the code is a one-time thing and invalidated.
1 Like
Thank you very much. Then I mist think of am alternative solution