OIDC SSO Attributes Demo

Laravel 11

This application demonstrates two ways to access protected resources using Keycloak as the identity provider. After authentication, the /secure/attributes page displays every claim released by Keycloak.

Method 1 — Web Browser SSO

Authorization Code

Standard OIDC Authorization Code flow. No extra packages needed — implemented manually using Laravel's HTTP client to call Keycloak endpoints.

  • User clicks Login with Keycloak — browser redirected to Keycloak authorize endpoint
  • Keycloak authenticates the user, redirects back to /auth/callback?code=…&state=…
  • Callback handler validates state, exchanges code for tokens at the token endpoint
  • Calls /protocol/openid-connect/userinfo with the access_token to fetch user claims
  • Claims stored in a server-side session — user redirected to /secure/attributes

Method 2 — Mobile App Session Bootstrap

Flutter / PKCE

The Flutter app authenticates with Keycloak using Authorization Code + PKCE (no client secret in the app), then hands the access_token to this backend to create a server-side session. The session cookie is injected into an in-app WebView.

  • Flutter authenticates with Keycloak (Auth Code + PKCE) → receives access_token
  • Flutter calls POST /api/session/bootstrap with Authorization: Bearer <token>
  • Backend introspects token at Keycloak, creates a Laravel session, returns session_id
  • Flutter injects PHPSESSID=<session_id> cookie into the in-app WebView
  • WebView loads /secure/attributes — session found, claims rendered
curl example
# 1. Get a token (password grant — for testing only)
TOKEN=$(curl -sf -X POST \
  https://keycloak.sifulan.dev/realms/sifulan/protocol/openid-connect/token \
  -d grant_type=password \
  -d client_id=oidc-demo-sso-portal \
  -d username=YOUR_USER \
  -d password=YOUR_PASS | jq -r .access_token)

# 2. Bootstrap a session
SESSION=$(curl -sf -X POST \
  https://sso-attributes.sifulan.dev/api/session/bootstrap \
  -H "Authorization: Bearer $TOKEN" | jq -r .session_id)

# 3. Access the protected page
curl -s -H "Cookie: PHPSESSID=$SESSION" \
  https://sso-attributes.sifulan.dev/secure/attributes | jq .
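
The introspection step of Method 2, as an added example in plain PHP (not the demo application's own code): it decides whether a Keycloak introspection response may be turned into a server-side session. The issuer is the realm URL from the token endpoint above; the second client id, the set of checks and the sample responses are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the demo's code: gate session creation on the
// RFC 7662 introspection response returned by Keycloak.
const EXPECTED_ISSUER = 'https://keycloak.sifulan.dev/realms/sifulan'; // realm URL from the page
const ALLOWED_CLIENTS = ['oidc-demo-sso-portal', 'example-flutter-client']; // second id is hypothetical

/** Returns the claims to store in the session, or null to answer 401. */
function claimsForSession(array $resp, int $now): ?array
{
    // "active" must be boolean true; a missing key or the string "true" is a reject.
    if (($resp['active'] ?? false) !== true) {
        return null;
    }
    // The token must come from this realm, not another realm on the same Keycloak.
    if (($resp['iss'] ?? null) !== EXPECTED_ISSUER) {
        return null;
    }
    // The token must have been issued to a client this backend expects.
    $client = $resp['azp'] ?? $resp['client_id'] ?? null;
    if (!is_string($client) || !in_array($client, ALLOWED_CLIENTS, true)) {
        return null;
    }
    // Defence in depth: re-check expiry locally and require a subject.
    if (!is_int($resp['exp'] ?? null) || $resp['exp'] <= $now || empty($resp['sub'])) {
        return null;
    }
    // Keep identity claims only; drop introspection bookkeeping fields.
    return array_diff_key($resp, array_flip(['active', 'exp', 'iat', 'jti', 'token_type']));
}

// Constructed sample responses (not captured from a real Keycloak).
$now  = 1700000000;
$good = ['active' => true, 'iss' => EXPECTED_ISSUER, 'azp' => 'example-flutter-client',
         'sub' => 'constructed-sub-1', 'exp' => $now + 300, 'email' => 'user@example.org'];
$samples = [
    'valid'        => $good,
    'inactive'     => ['active' => false],
    'other realm'  => ['iss' => 'https://keycloak.sifulan.dev/realms/other'] + $good,
    'other client' => ['azp' => 'unrelated-client'] + $good,
    'expired'      => ['exp' => $now - 1] + $good,
];
foreach ($samples as $name => $resp) {
    $claims = claimsForSession($resp, $now);
    printf("%-13s %s\n", $name, $claims === null ? 'reject' : 'accept: ' . implode(',', array_keys($claims)));
}
```

Only the first sample is accepted; each of the others fails exactly one of the checks, which is the case a bootstrap endpoint that tests `active` alone would let through for any client in the realm.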