I'm struggling to set up a secured application with an OpenID provider.
What I have done:
- Set up a Keycloak server
- Created a simple PHP application
- Loaded the jumbojett library
- Configured the client
What am I doing:
- Try to access my application
- Get redirected to my Keycloak instance
- Log in successfully
- Get redirected back to my application
What the problem is:
The redirect URL to my application contains some GET parameters, such as code and so on. The problem is, when I refresh the page, I get an error message: the code can only be used once.
My question is: how can I provide a proper URL which the user can refresh?
I did some research and discovered that I didn’t really understand the flow of authentication.
So after the user is redirected to my application, I had to store the refresh token in a session variable. Afterwards, I was able to redirect the user to the new page.
On the new page I had to check whether a refresh token had been stored and whether it was still valid. If so, I can show the user the content; otherwise, I have to redirect the user to the login page.
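The flow in the answer above, written out as an added example (this is not code from the original post or from the jumbojett project). It assumes the jumbojett/OpenID-Connect-PHP API as documented in its README (`authenticate()`, `getIdToken()`, `getAccessToken()`, `getRefreshToken()`, `getVerifiedClaims()`, `refreshToken()`, `setRedirectURL()`); the issuer URL, client id, client secret, file names and the `expires_in` handling are placeholders and assumptions. The security-relevant points are: the callback endpoint is the only URL that ever carries the one-time `code`, it is consumed exactly once, the session id is regenerated after login, the tokens live only server-side in the PHP session, and the user is sent on with a 303 redirect so the page they end up on has a clean URL that can be refreshed.

```php
<?php
// ---- callback.php : the redirect_uri registered in Keycloak ----
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;

session_start();

// Placeholder issuer/client values; the realm URL is the Keycloak issuer.
$oidc = new OpenIDConnectClient(
    'https://keycloak.example.com/realms/myrealm',
    'my-client',
    'my-client-secret'
);
$oidc->setRedirectURL('https://app.example.com/callback.php');

// Without ?code= this redirects the browser to Keycloak; with ?code= it
// exchanges the one-time code for tokens, checking state and the ID token.
$oidc->authenticate();

// Login happened: rotate the session id so a pre-login cookie value is useless.
session_regenerate_id(true);

$_SESSION['oidc'] = [
    'sub'           => $oidc->getVerifiedClaims('sub'),
    'id_token'      => $oidc->getIdToken(),
    'access_token'  => $oidc->getAccessToken(),
    'refresh_token' => $oidc->getRefreshToken(),
    // 'exp' of the verified ID token; used as the "is it still valid" check.
    'expires_at'    => (int) $oidc->getVerifiedClaims('exp'),
];

// Post-redirect-get: the code/state parameters never reach a refreshable page.
header('Location: /protected.php', true, 303);
exit;
```

```php
<?php
// ---- protected.php : any page that needs a logged-in user ----
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';

use Jumbojett\OpenIDConnectClient;

session_start();

/**
 * Returns true if the session holds tokens that are still usable, refreshing
 * them with the stored refresh token when the access token has expired.
 * Returns false if there is no session or the refresh fails.
 */
function sessionIsValid(array &$sess, OpenIDConnectClient $oidc, int $skew = 30): bool
{
    if (empty($sess['oidc']['refresh_token'])) {
        return false;
    }
    if (time() + $skew < (int) $sess['oidc']['expires_at']) {
        return true; // access token still valid, nothing to do
    }
    // Expired: use the refresh token. refreshToken() returns the decoded token
    // response (assumption: access_token / refresh_token / expires_in fields).
    $resp = $oidc->refreshToken($sess['oidc']['refresh_token']);
    if (!isset($resp->access_token)) {
        return false; // refresh token revoked, expired or session killed in Keycloak
    }
    $sess['oidc']['access_token']  = $resp->access_token;
    $sess['oidc']['refresh_token'] = $resp->refresh_token ?? $sess['oidc']['refresh_token'];
    $sess['oidc']['expires_at']    = time() + (int) ($resp->expires_in ?? 300);
    return true;
}

$oidc = new OpenIDConnectClient(
    'https://keycloak.example.com/realms/myrealm',
    'my-client',
    'my-client-secret'
);

if (!sessionIsValid($_SESSION, $oidc)) {
    // Drop stale state and start the login from the callback URL, not from here,
    // so this page never sees a ?code= parameter.
    session_unset();
    header('Location: /callback.php', true, 303);
    exit;
}

echo 'Hello ' . htmlspecialchars($_SESSION['oidc']['sub'], ENT_QUOTES, 'UTF-8');
```

Two caveats a practitioner would add: set `session.cookie_httponly=1`, `session.cookie_secure=1` and `session.cookie_samesite=Lax` so the session cookie that now guards the tokens cannot be read by scripts or sent over plain HTTP, and never copy any of the tokens into a URL or into client-side storage; the session id is the only thing the browser needs to hold.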