Sanborns: Keycloak (OpenID) Authentication Integration

Integration Route

Endpoint: /2251799858000009/embeddable-login-ui/

Integration Description

The client Sanborns operates a virtual store at {store_final_domain}, and authentication is delegated to a Keycloak server (documentation) owned by the client. This server is the party that authenticates users.

To manage authentication efficiently, the integration is implemented on top of OpenID Connect.

Authentication Process

  1. When a user wants to authenticate, the system always redirects to the external form provided by the authentication server.
  2. Keycloak validates the user's data.
  3. Once authentication is completed, the system returns with the necessary information to allow the user to access Publica.la.
  4. Before each authentication, the integration ensures that no session is active by forcing the closure of any previous session.

Full Authentication Flow

  1. The user (guest) enters the store.
  2. The user presses "Log in".
  3. Loading of the integration:
    1. Forces the closure of any existing session.
    2. Redirects to the external login form and waits for return.
    3. The user authenticates on the form and returns to the store.
    4. The integration processes user data verification and validation.
    5. A JWT is generated with the email and external_id of the user to log in to Publica.la:
      • If the user does not exist, a new user is created.
      • If the user already exists, it is linked through email and external_id.
    6. The information is sent via postMessage to the host containing the iframe:
      • In the App, the Token is used.
      • In Web, it is identified with an Auth Token (documentation).
  4. The user remains authenticated within the platform.
  5. If the user decides to log out:
    • The session is closed in the store.
    • The user can restart the authentication flow if desired.
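The hand-off in step 3.6, where the embeddable login iframe sends the token to the host page via postMessage, as an added example that is not code from Publica.la or from the Sanborns integration. It shows the check a defender wants on both sides: the iframe posts to one explicit target origin (never "*"), and the host accepts a token only from the expected iframe origin and only with the expected message shape. The origins and the message type name are constructed placeholders.

```javascript
// Added example (not the page's or the project's own code). Origins and the
// message type below are assumptions chosen for illustration.
const STORE_ORIGIN = "https://store.example";       // host page embedding the iframe
const LOGIN_UI_ORIGIN = "https://login-ui.example"; // origin of the embeddable login UI
const AUTH_MESSAGE_TYPE = "publicala-auth";          // constructed message type name

// Iframe side: build the message and pin the exact targetOrigin it may go to.
// Posting with targetOrigin "*" would hand the token to any page that embedded
// the iframe, so the host origin is fixed here.
function buildAuthMessage(token) {
  if (typeof token !== "string" || token.split(".").length !== 3) {
    throw new Error("token must be a compact JWT (three dot-separated parts)");
  }
  return { message: { type: AUTH_MESSAGE_TYPE, token }, targetOrigin: STORE_ORIGIN };
}

function postAuthMessage(hostWindow, token) {
  const { message, targetOrigin } = buildAuthMessage(token);
  hostWindow.postMessage(message, targetOrigin);
}

// Host side: accept the token only from the expected iframe origin and only
// when the message has the expected shape. Returns the token, or null when the
// message must be ignored. The JWT itself is verified server-side, not here.
function handleAuthMessage(event, allowedOrigin = LOGIN_UI_ORIGIN) {
  if (event.origin !== allowedOrigin) return null; // drop messages from other windows
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.type !== AUTH_MESSAGE_TYPE) return null;
  if (typeof data.token !== "string" || data.token.split(".").length !== 3) return null;
  return data.token;
}

// Wire the host-side check to the window; onToken receives accepted tokens only.
function installAuthListener(win, onToken) {
  win.addEventListener("message", (event) => {
    const token = handleAuthMessage(event);
    if (token !== null) onToken(token);
  });
}
```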

Representation of the Authentication Flow
