How to implement SSO between two web applications, one embedded into the other (iframe)?

I have a web application protected by Keycloak with Resource Owner Password Credentials Grant. Both the frontend and the backend APIs are protected. I need to embed the frontend into a third-party application, protected by its own Identity Provider. The user should log into the third-party application and automatically get access to mine, which should be rendered into an iframe, without having to log in again. What is the recommended or most convenient approach to implement the authentication flow between the two systems? Should the access token issued by the third-party IdP be exchanged with a Keycloak-issued token?

Apr 16, 2025 - 10:32