Keycloak uses Authentication Code Flow with Token Relay to achieve cross-domain SSO

Purpose: To demonstrate the implementation of OIDC Authorization Code Flow with Token Relay architecture to achieve cross-domain Single Sign On (SSO). Background: The company currently has an online insurance website, the URL is https://insurance.mycompany.com. It is planning a new gathering platform website, which will be developed and managed out of the committee, and the URL is https://rewards.outsource.com. Since the gathering platform website is outsourced, the domain name is different from online insurance, and it is impossible to use cookies to achieve SSO, so it is planned to use OIDC Authorization Code Flow + Token Relay architecture to achieve SSO. Brief Description of the solution: Let both websites use Keycloak As a shared identity source (IdP), the process is as follows: Authorization Code Flow: User visits any website (such as the Jidian website). This website detects that the user is not logged in, and guides the Keycloak login page. Keycloak detects that it has been logged in (because another website has been logged in and has a session), and jumps back to redirect_uri. The website uses code to exchange for access token/ID token. Why can this solution implement cross-domain SSO: Because all websites use Keycloak to log in, after logging in, the token is stored in the Keycloak website cookie. When the website uses Authorization Code Flow to convert to Keycloak, Keycloak can judge the user's login status. If you have logged in, Authentication will be generated. Code