One protected resource with an embedded protected resource from another RP

[xiscojb]

Hello,

I have one realm with two clients. One is protecting a web page, and inside that webpage there are links (in the form of:

Image

The user flow is as follows:

1. User access to https://first_RP/private.
2. The user get redirected to KeyCloak for authentication.
3. Upon succesful authentication the user gets access to https://firts_RP and load an index.html that has links to images in https://second_RP.
4. No image is shown. We see HTTP error code 401 Unauthorized in the call that should fetch de image.

Ini this situation, if a open that link in another tab, the image gets correctly loaded and in the background I can see how there is communication with keycloac, but as I have already a session when I authenticated to first_RP I am not requred to auth again.

Now, if I refresh the page https://first_RP/private now I can see the embedded image. I suppose this is related to browser security. Is there a way to bypass this situation somehow?

Thanks in advanced,

Xisco.

[zandbelt]

there's a way to make that work by fiddling with OIDCUnAuthAction, https://github.com/zmartzone/mod_auth_openidc/blob/v2.4.12.1/auth_openidc.conf#L840-L886, but it somes with limitations (timeouts etc.) and a far better and consistent solution is to serve both from the same server or reverse proxy