Bypass login page in Keycloak using access token


We have a requirement, where we need to bypass the login page and directly provide access to the user based on a token that has the email of the user.

We are using the email of the user and generating an access token for the user using admin credentials in Keycloak.

Even after getting an access token, we are not understanding how to start a session in Keycloak using the access token or refresh token or id token that we get.

We generated the access token with the help of steps provided in the below link: Keycloak: Generate access token for a user with keycloak-admin

Can anyone suggest how to proceed further on how to initiate a Keycloak session?


There is 1 best solution below


I would suggest using the action token SPI. You can see an example in the quickstarts: action-token: Using Action Token to Incorporate External App Call into Authentication Flow.

The way you could use this feature:

  1. Create a REST endpoint for generating a link that contains the one time use action token
  2. Create a handler for the action token that sets an auth session note and redirects the user to the browser flow
  3. Create an alternative authenticator that checks for the auth session note set by the token handler

The action token should be one time use.

The user would be given the link generated by the REST endpoint from 1. and they should be able to log in without any password.

In my opinion, this is way more secure than passing access tokens to the user.
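
Step 3 of the answer as an added example (not code from the answer or from the Keycloak quickstart): an alternative authenticator that completes the login only when the action token handler has left a server-side auth note. The class name, the note key `ext-login-user-id`, and storing the user ID in the note are assumptions; the `getUserById(realm, id)` argument order is that of recent Keycloak versions, and a matching `AuthenticatorFactory` is assumed to register the class.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

public class TokenNoteAuthenticator implements Authenticator {

    // Hypothetical key; the action token handler must call
    // authSession.setAuthNote(NOTE_USER_ID, userId) with the same name.
    public static final String NOTE_USER_ID = "ext-login-user-id";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();

        // Read an auth note, not a client note: auth notes are written only by
        // server-side code, while client notes carry client request parameters.
        String userId = authSession.getAuthNote(NOTE_USER_ID);
        if (userId == null) {
            // No token was redeemed in this session: let the other
            // alternatives in the flow (e.g. the login form) run.
            context.attempted();
            return;
        }

        // Consume the note so it cannot be reused if the flow restarts.
        authSession.removeAuthNote(NOTE_USER_ID);

        UserModel user = context.getSession().users()
                .getUserById(context.getRealm(), userId);
        if (user == null || !user.isEnabled()) {
            // Unknown or disabled account: fall back to normal login.
            context.attempted();
            return;
        }

        context.setUser(user);
        context.success();
    }

    // This authenticator never renders a form, so there is nothing to post back.
    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```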