.net - Keycloak and BFF - Stack Overflow


I'm trying to use the BFF (Backend for Frontend) pattern with my C#/Angular application and Keycloak (v. 26.0.7).

I have set up one Keycloak client for the C# backend:

...and another one for the Angular frontend:

Login Flow:

From the frontend (using my Angular Keycloak client), I am correctly redirected to the Keycloak login screen (using the keycloak-js library). After logging in, Keycloak calls my backend at the callback address https://backend/auth/callback, sending the authorization code. So far, so good.

Now, I want to initiate a token exchange by sending the authorization code to Keycloak and receiving all the tokens. For this, I use the backend Keycloak client. However, Keycloak indicates that it is not possible to use multiple clients for one session.

My Questions:

  • What is the correct approach to achieve this?
  • Is there a way to configure Keycloak to allow multiple clients in a single session, or am I misunderstanding the intended workflow?
  • I believe I could send the authorization code to the frontend and have it forwarded to Keycloak via the backend, but wouldn't that defeat the purpose of the BFF pattern?

Thank you for any suggestions!


asked Jan 2 at 13:32 by Martin Slezák

1 Answer

Maybe this answer will come too late, however I am currently working on something similar.

When you want to utilize the BFF pattern, you are mostly on the right track. But you have to use the same client in Keycloak for the frontend and backend, make it confidential, and have the client secret in the backend.

Making the client confidential does not mean it won't be reachable without the secret. Only the token endpoints of the client, for this example, are not reachable without the client secret (resulting in a 401 without the secret).

So the user can still authenticate against the client, which then passes the authentication codes to your BFF, which then exchanges them with the client secret for tokens on the token endpoint.
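As an added example (not the original poster's code and not the answerer's), here is the single-confidential-client setup the answer describes, written as an ASP.NET Core minimal API. The realm URL, the client id `bff-client`, the configuration key `Keycloak:ClientSecret` and the downstream API URL are assumptions; the callback path `/auth/callback` is the one from the question. The point it shows: an authorization code is bound to the `client_id` that requested it, so the same Keycloak client has to both start the login and redeem the code. Here the BFF does both legs, and the Angular app never talks to Keycloak or sees a token; it only holds an HttpOnly session cookie and calls `/auth/login` and `/api/*`.

```csharp
// Added example, not code from the page. Package:
// Microsoft.AspNetCore.Authentication.OpenIdConnect
using System.Net.Http.Headers;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHttpClient();
builder.Services.AddAuthentication(options =>
{
    // Browser requests are authenticated by the session cookie; when a login is
    // needed, the challenge goes through the OIDC handler.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    // Tokens never reach the browser: the only thing it holds is this cookie.
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Lax;
})
.AddOpenIdConnect(options =>
{
    options.Authority = "https://keycloak.example.com/realms/myrealm"; // assumption
    options.ClientId = "bff-client";                                    // assumption: ONE confidential client
    options.ClientSecret = builder.Configuration["Keycloak:ClientSecret"]; // assumption: env/user-secrets, never in source
    options.ResponseType = OpenIdConnectResponseType.Code; // authorization code flow
    options.UsePkce = true;                                // code_verifier on top of the client secret
    options.CallbackPath = "/auth/callback";               // redirect URI from the question
    options.SaveTokens = true;                             // access/refresh token stay server-side in the session
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.TokenValidationParameters.NameClaimType = "preferred_username";
});
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Start login. The handler builds the authorization URL (state, nonce, PKCE),
// redirects the browser to Keycloak, and on /auth/callback redeems the code at
// the token endpoint with client_id + client_secret + code_verifier. Both legs
// use the same client id, which is what the question's two-client setup broke.
app.MapGet("/auth/login", (string? returnUrl) =>
{
    // Only allow local return URLs, otherwise this endpoint is an open redirect.
    var target = returnUrl is { Length: > 0 } && returnUrl.StartsWith('/') && !returnUrl.StartsWith("//")
        ? returnUrl : "/";
    return Results.Challenge(
        new AuthenticationProperties { RedirectUri = target },
        new[] { OpenIdConnectDefaults.AuthenticationScheme });
});

// Logout: clear the local cookie and end the Keycloak session (RP-initiated logout).
app.MapGet("/auth/logout", () =>
    Results.SignOut(
        new AuthenticationProperties { RedirectUri = "/" },
        new[] { CookieAuthenticationDefaults.AuthenticationScheme,
                OpenIdConnectDefaults.AuthenticationScheme }));

// What the SPA may see: identity claims, not tokens.
app.MapGet("/api/me", (ClaimsPrincipal user) =>
    Results.Ok(new { name = user.Identity?.Name })).RequireAuthorization();

// The BFF calling a downstream API on the user's behalf: the access token is
// read from the server-side session and is never exposed to JavaScript.
app.MapGet("/api/downstream", async (HttpContext ctx, IHttpClientFactory factory) =>
{
    var accessToken = await ctx.GetTokenAsync("access_token");
    var client = factory.CreateClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    var response = await client.GetAsync("https://api.example.com/data"); // assumption
    return Results.Text(await response.Content.ReadAsStringAsync(), "application/json");
}).RequireAuthorization();

app.Run();
```

On the Keycloak side this needs exactly one client with "Client authentication" switched on (that is what makes it confidential), "Standard flow" enabled, and `https://backend/auth/callback` listed under valid redirect URIs. A quick check that the secret is actually enforced: a POST to the realm's `/protocol/openid-connect/token` endpoint with `grant_type=authorization_code` but without `client_secret` must come back 401, as the answer says, while the same request with the secret returns the token set. The Angular side then drops keycloak-js entirely and treats `/auth/login` as an ordinary link, since keeping a second public client for the SPA is what produces the two-clients-in-one-session error.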
