Setting up and integrating Keycloak with 1C-Bitrix website management via API
The project supports several user authorization scenarios on the B2B platform. We will show how the API works on the more complex one.
[Figure: Keycloak integration scheme with the B2B platform]
So that users do not notice the transition between systems, everything was done with hidden redirects.
To do this, we first decided on the link to which the user will be redirected. Any link for interacting with Keycloak is built on the following principle (the standard Keycloak OIDC endpoint layout; the /auth prefix is the one this deployment uses):
<keycloakUrl>/auth/realms/<realmName>/protocol/openid-connect/<method>?<params>
<keycloakUrl> – This is the base URL where the authentication server is deployed, for example https://your-keycloak-domain.com
<realmName> – a realm created on the Keycloak side, used to organize users, clients and security settings.
The <method> part can be one of:
auth – starts the user authentication process;
logout – logs the user out of the system;
token – obtains or refreshes tokens (revocation has its own endpoint, revoke);
userinfo – returns information about the authenticated user.
The following are passed as the GET parameters <params>:
response_type – the kind of response we expect. For the authorization code flow this is code.
scope – the access scopes we want. It always includes openid and may add others such as profile or email.
client_id – the ID of the client registered in Keycloak for the site.
redirect_uri – the URI to which Keycloak sends the user back after authentication, with the authorization code appended. It must be percent-encoded and must exactly match one of the client's registered Valid Redirect URIs in Keycloak; the site's authentication handler lives at this address.
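How the auth link is assembled from these parts, as an added example that is not the article's or the Bitrix module's code. The settings array and key names are hypothetical stand-ins for the module settings, and the endpoint path follows the /auth/realms/... layout seen on this page (Keycloak 17+ drops the /auth prefix by default). The example goes beyond the page's parameter list by adding state and a PKCE code challenge, which the callback later checks.

```php
<?php
// Added example (not the article's or the module's code): build the Keycloak
// authorization URL from the module settings. $settings keys are hypothetical;
// endpoints use the /auth/realms/... layout shown on the page.
declare(strict_types=1);

$settings = [                                            // constructed values
    'keycloak_url' => 'https://your-keycloak-domain.com',
    'realm'        => 'b2b',
    'client_id'    => 'b2b-portal',
    'redirect_uri' => 'https://b2b.example.com/auth/keycloak/callback.php',
    'scope'        => 'openid profile email',
];

/** URL of a Keycloak OIDC endpoint: auth, token, logout or userinfo. */
function keycloakEndpoint(array $s, string $method): string
{
    if (!in_array($method, ['auth', 'token', 'logout', 'userinfo'], true)) {
        throw new InvalidArgumentException("Unknown Keycloak method: $method");
    }
    return rtrim($s['keycloak_url'], '/')
        . '/auth/realms/' . rawurlencode($s['realm'])
        . '/protocol/openid-connect/' . $method;
}

/** Random, URL-safe string for state and the PKCE code_verifier. */
function randomUrlSafe(int $bytes = 32): string
{
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

/**
 * Build the redirect to the auth endpoint. $state ties the later callback to
 * this login attempt (CSRF protection); the PKCE challenge ties the code to
 * this client process, so an intercepted code cannot be exchanged elsewhere.
 */
function buildAuthUrl(array $s, string $state, string $codeVerifier): string
{
    $challenge = rtrim(strtr(base64_encode(hash('sha256', $codeVerifier, true)), '+/', '-_'), '=');
    $params = [
        'response_type'         => 'code',
        'scope'                 => $s['scope'],
        'client_id'             => $s['client_id'],
        'redirect_uri'          => $s['redirect_uri'],   // percent-encoded by http_build_query
        'state'                 => $state,
        'code_challenge'        => $challenge,
        'code_challenge_method' => 'S256',
    ];
    return keycloakEndpoint($s, 'auth') . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/** Start a login: remember the per-attempt secrets, then do the hidden redirect. */
function startLogin(array $s): string
{
    $state    = randomUrlSafe();
    $verifier = randomUrlSafe();
    $_SESSION['oidc_state']    = $state;     // compared against the callback's state
    $_SESSION['oidc_verifier'] = $verifier;  // sent only in the back-channel token request
    $url = buildAuthUrl($s, $state, $verifier);
    if (PHP_SAPI !== 'cli') {
        header('Location: ' . $url, true, 302);   // no form is shown to the user
    }
    return $url;
}

session_start();
echo startLogin($settings), PHP_EOL;
```

Run from the CLI it prints the URL instead of redirecting; inside the site the 302 does the hidden redirect the article describes. The redirect_uri value must be identical, byte for byte, to an entry in the client's Valid Redirect URIs, otherwise Keycloak refuses the request before the user sees a login page.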
All constant parameters were moved to the module settings and are specified during the initial integration setup.
[Figure: module settings]
If the settings are empty, authorization will not work.
When a user visits the site, instead of an authorization form they are sent to a link of the following type:
https://your-keycloak-domain.com/auth/r ... response_t...
Next, the user is authenticated on the Keycloak side.
If the user is authorized in the company's Unified Personal Account (UPA) but their Keycloak profile does not grant access to the B2B platform, access is denied.
If the user is authorized in the UPA, they are immediately redirected to the redirect_uri link, with the authorization code passed in the GET parameter code.
The code itself cannot be used to read user information; it must first be exchanged for an access_token. The reasons:
The code travels through the user's browser (in the redirect URL, browser history and referrer headers) and can be observed there. That is why it grants no direct access to the user's resources on its own: it is short-lived, single-use, and exchanging it requires the client credentials, which the browser never sees. The access_token is obtained in a direct server-to-server request from the site to the token endpoint over TLS and never passes through the browser.
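The callback at redirect_uri, as an added example that is not the article's or the module's code: it checks the state, exchanges the one-time code for tokens in a back-channel POST to the token endpoint, and then reads the profile from userinfo. It assumes the same hypothetical settings as the earlier example plus a client_secret (a confidential client), a PKCE verifier stored in the session when the login started, and the /auth/realms/... path layout seen on the page.

```php
<?php
// Added example (not the article's or the module's code): the handler that
// lives at redirect_uri. Assumes hypothetical $settings, a confidential client
// with client_secret, and state/verifier saved in the session at login time.
declare(strict_types=1);

$settings = [                                            // constructed values
    'keycloak_url'  => 'https://your-keycloak-domain.com',
    'realm'         => 'b2b',
    'client_id'     => 'b2b-portal',
    'client_secret' => 'replace-with-the-client-secret',
    'redirect_uri'  => 'https://b2b.example.com/auth/keycloak/callback.php',
];

function keycloakEndpoint(array $s, string $method): string
{
    return rtrim($s['keycloak_url'], '/') . '/auth/realms/' . rawurlencode($s['realm'])
        . '/protocol/openid-connect/' . $method;
}

/** Server-to-server HTTPS call to Keycloak; TLS verification stays on. */
function keycloakRequest(string $url, ?array $form = null, ?string $bearer = null): array
{
    $headers = ['Accept: application/json'];
    if ($bearer !== null) {
        $headers[] = 'Authorization: Bearer ' . $bearer;
    }
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,      // never switch this off in production
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_HTTPHEADER     => $headers,
    ];
    if ($form !== null) {
        $opts[CURLOPT_POST]       = true;
        $opts[CURLOPT_POSTFIELDS] = http_build_query($form, '', '&');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Keycloak returned HTTP $status for $url");
    }
    return json_decode((string) $body, true, 512, JSON_THROW_ON_ERROR);
}

/**
 * Exchange the code for tokens. The code alone is worthless to an eavesdropper:
 * the exchange also needs client_secret and the PKCE code_verifier, and neither
 * of those ever passes through the browser.
 */
function exchangeCode(array $s, string $code, string $codeVerifier): array
{
    return keycloakRequest(keycloakEndpoint($s, 'token'), [
        'grant_type'    => 'authorization_code',
        'code'          => $code,
        'redirect_uri'  => $s['redirect_uri'],   // must equal the one sent to the auth endpoint
        'client_id'     => $s['client_id'],
        'client_secret' => $s['client_secret'],
        'code_verifier' => $codeVerifier,
    ]);
}

function fetchUserInfo(array $s, string $accessToken): array
{
    return keycloakRequest(keycloakEndpoint($s, 'userinfo'), null, $accessToken);
}

function abortLogin(string $reason): void
{
    http_response_code(400);
    exit('Login failed: ' . htmlspecialchars($reason, ENT_QUOTES, 'UTF-8'));
}

session_start();
if (isset($_GET['error'])) {                             // e.g. access_denied: profile not allowed on B2B
    abortLogin((string) $_GET['error']);
}
if (!isset($_GET['code'], $_GET['state'])) {
    abortLogin('missing code or state');
}
$expectedState = (string) ($_SESSION['oidc_state'] ?? '');
$verifier      = (string) ($_SESSION['oidc_verifier'] ?? '');
unset($_SESSION['oidc_state'], $_SESSION['oidc_verifier']);   // single use
if ($expectedState === '' || !hash_equals($expectedState, (string) $_GET['state'])) {
    abortLogin('state mismatch');                        // not our login attempt: possible CSRF
}

$tokens = exchangeCode($settings, (string) $_GET['code'], $verifier);
$user   = fetchUserInfo($settings, $tokens['access_token']);
// $user['sub'] (stable Keycloak user id) and $user['email'] came from Keycloak
// over the back channel, not from the browser, so they can be mapped to a site user.
session_regenerate_id(true);                             // fresh session id after login
$_SESSION['user_sub'] = $user['sub'];
```

Every failure path ends in abortLogin rather than falling through: a missing or mismatched state, an error parameter from Keycloak, a non-200 reply from the token or userinfo endpoint. The state is removed from the session before it is compared, so a replayed callback URL cannot be used twice even if the first exchange succeeded.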