0

I am creating an application in Angular that uses Kecloak for login and authorization. Both logged in and unlogged users (anonymous) will have access to one of the application parts. Activities in this part of the application will be sent to the rest service and registered (based on the bearer token), so that each user will have access to the history of their activities. In the case of an unlogged user, until the end of the session, the user also sees the history of his activities.

I thought that if the user is not logged in, the same user will be logged in in the background (the same user for all anonymous users), e.g. anonymous, and his actions will be saved along with the keycloak token (session_state). Each unlogged user will have a different token

Is this a good approach in this case, or is there a better one?

Improve this question

2 Answers 2

Reset to default
1

I think your best choice here, and easier to implement, is not to log in anonymous users at all. What you want to do is somehow against the workflow of the OAuth methods.

If you want to keep track of not logged users your best choice is to do it using a browser cookie with the SESSION ID, many server side frameworks do it by default. Then, for saving the activities you can have both fields, one belonging to the user name (nullable) and the other for the SESSION ID.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Thank you for your response. I did partly as you write. The logged in user is recognized by the user name or id user retrived from bearer token. However for non-logged users I did a backend rest service that returns acces_token and sets the httpOnly cookie for itself with the value of reresh_token. When angular asks for session of an unlogged user, the service responds with a token based on refesh_token from a cookie, or creates a new session and sets a cookie with refresh_token. In my opinion, this solution has some advantages:

  • I can easily control the access of anonymous users to the application (check the quantity, block access)
  • there is no direct access to my API (everybody has to get the token from backend service before)
  • the cookie is secured so that I can't read it from javascript from the frontend
  • there is a consistent solution for both logged in and non-logged users - I always use the keycloak token to recognize users - in the case of logged in users it is userName and in the case of non-logged - session_state.

The disadvantages I have found is that I don't know how keycloak deals with the fact that many users log in to the same user at once - I will do loadtests, but from what I read it should not be a problem.

Improve this answer

1 Comment

Disadvantages: More stress for the keycloak server, a more complex request flow which needs to be documented for the future, more network traffic required comparing to accessing your API directly... If anyone wants to access your API, it's going to do it anyway if you give him the user and password for that "generic" user in the frontend. For the first point of ending web sessions, you can do it in your web server too. Think about it twice ;-)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.