Spencer Rose edited this page Jul 11, 2025 · 2 revisions

SSO Gateway

The SSO Gateway acts as a bridge between web applications and the BC Government Common Hosted Single Sign-On Keycloak IdP for secure Single Sign-On (SSO) and centralized authentication. It is designed for deployment in environments like OpenShift or Kubernetes, fronted by an NGINX reverse proxy. The Node.js gateway client uses the OpenID Connect (OIDC) protocol via the openid-client library.

Use-Cases

Authentication for Backend Applications

  • Provides a unified authentication endpoint for multiple backend web applications.
  • Handles the full OpenID Connect Authorization Code flow with Keycloak.
  • Ensures only authenticated users can access protected resources behind the gateway.

Session Management and Scalability

  • Stores session state in Redis, enabling stateless application pods and horizontal scaling.
  • Offloads session/token management from individual applications to the gateway.

Integration with NGINX and Reverse Proxies

  • Designed to work seamlessly with NGINX, which proxies requests to backend apps only after successful authentication.
  • Supports scenarios where applications are not directly exposed to the internet and rely on the gateway for user authentication.

Supports Multiple Downstream Applications

  • Acts as a single point of authentication for multiple protected services (microservices, web apps) within the cluster.
  • Simplifies SSO integration for legacy or third-party apps that cannot easily integrate native OIDC flows.

Customizable Authentication Logic

  • Since it is built in Node.js with openid-client, custom logic (e.g., user filtering, claim mapping, logging) can be added.
  • Not tied to Keycloak-specific frontend features; can be adapted to other OIDC-compliant IdPs if needed.

Notable Non-Use-Cases

  • Not for use in browser-based Single Page Applications (SPAs) that require direct integration with Keycloak’s JavaScript APIs, session status monitoring, or silent token refresh in the browser.
  • Not a replacement for keycloak-js when deep integration with Keycloak’s frontend features (such as SSO session detection, login UI, or Keycloak account management) is required.

Typical Deployment Scenarios

  • Authenticating users for internal dashboards, admin portals, or legacy apps running behind an ingress controller.
  • Providing SSO for multiple services in a microservice architecture.
  • Enabling SSO in environments where direct integration with Keycloak or OIDC in every app is impractical or undesirable.