Reputation: 351
Handling users not logged in in Angular application using Keycloak
I am creating an application in Angular that uses Kecloak for login and authorization. Both logged in and unlogged users (anonymous) will have access to one of the application parts. Activities in this part of the application will be sent to the rest service and registered (based on the bearer token), so that each user will have access to the history of their activities. In the case of an unlogged user, until the end of the session, the user also sees the history of his activities.
I thought that if the user is not logged in, the same user will be logged in in the background (the same user for all anonymous users), e.g. anonymous, and his actions will be saved along with the keycloak token (session_state). Each unlogged user will have a different token
Is this a good approach in this case, or is there a better one?
Upvotes: 0
Views: 908
Answers (2)
Reputation: 351
Thank you for your response. I did partly as you write. The logged in user is recognized by the user name or id user retrived from bearer token. However for non-logged users I did a backend rest service that returns acces_token and sets the httpOnly cookie for itself with the value of reresh_token. When angular asks for session of an unlogged user, the service responds with a token based on refesh_token from a cookie, or creates a new session and sets a cookie with refresh_token. In my opinion, this solution has some advantages:
- I can easily control the access of anonymous users to the application (check the quantity, block access)
- there is no direct access to my API (everybody has to get the token from backend service before)
- the cookie is secured so that I can't read it from javascript from the frontend
- there is a consistent solution for both logged in and non-logged users - I always use the keycloak token to recognize users - in the case of logged in users it is userName and in the case of non-logged - session_state.
The disadvantages I have found is that I don't know how keycloak deals with the fact that many users log in to the same user at once - I will do loadtests, but from what I read it should not be a problem.
Upvotes: 0
Reputation: 31651
I think your best choice here, and easier to implement, is not to log in anonymous users at all. What you want to do is somehow against the workflow of the OAuth methods.
If you want to keep track of not logged users your best choice is to do it using a browser cookie with the SESSION ID, many server side frameworks do it by default. Then, for saving the activities you can have both fields, one belonging to the user name (nullable) and the other for the SESSION ID.
Upvotes: 1
Related Questions
- Keycloak authorization in Angular
- How to logout from Angular app once Keycloak session is terminated using keycloak-angular
- Keycloak: show custom page after log out in angular application
- Keycloak with Angular logins automatically
- How to keep session active while using keycloak in Angular 7?
- Keycloak - how to disable sharing session between two (Angular) client apps?
- Angular 5 + Keycloak allow anonymous users
- How to connect and configure angular app to get authenticated by Keycloak
- Angular Keycloak login (silent)
- keycloak, angular: Authorization on demand