Tags: single-sign-on, keycloak, single-page-application, openid-connect, kerberos

SPA webapp SSO federation


I have an SPA web app using OpenID Connect for authentication and authorization with a local Keycloak. This app is now moving to a Windows on-prem infrastructure using AD, Kerberos tickets and a central SSO. Users log in to their Windows session, and then we shall be able to transparently log in to our SPA web app (i.e. without entering credentials). How can I convert the Kerberos ticket/authentication into the OpenID Connect world? Where is the magic? Shall we add some Kerberos in our app? How can we retrieve our access token containing the user role?

thanks


Solution

  • Your SPA should continue to talk to Keycloak using OIDC, and no code in the SPA should need to change. Your APIs will also continue to receive the same access tokens.

    You should only need to configure Keycloak to use AD for authentication as an LDAP data source. Here is an article on how to do that. It is an infrastructure job rather than just a coding one, so I would recommend collaborating with the AD administrators on the environment setup.

    AD is only one possible authentication method, and by doing things this way you keep your options open. You are likely to need to perform account linking, e.g. to identify users in the same way before and after the migration. There may be some data setup involved here, e.g. ensuring AD has the same emails as the existing system.
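One way to stand up the AD federation the answer describes, as an added example that is not part of the original answer and not Keycloak's own code: it builds the component body that Keycloak's admin REST API accepts for an LDAP user-storage provider (`connectionUrl`, `usersDn`, `bindDn`, `editMode`, `allowKerberosAuthentication`, `serverPrincipal`, `keyTab` and the other keys are the LDAP provider's settings as they appear in the admin console), runs the checks a reviewer would want before enabling it (LDAPS, a non-empty bind credential, read-only edit mode, a complete Kerberos block with an `HTTP/` service principal), and optionally submits it. The host names, DNs, realm, keytab path and password are placeholders. With the Kerberos settings on, the browser's SPNEGO token from the Windows session logs the user in to Keycloak, and Keycloak issues the same OIDC access tokens the SPA and APIs already consume, which is where the "magic" in the question lives.

```python
"""Added example: build, sanity-check and (optionally) submit the Active Directory
user-federation component that Keycloak uses as its LDAP data source.
Not code from the question, the answer or the Keycloak project; every host name,
DN, realm, password and keytab path below is a placeholder."""
import json
import urllib.request


def build_ad_federation(name, connection_url, users_dn, bind_dn, bind_credential,
                        kerberos_realm=None, server_principal=None, keytab=None):
    """Return the JSON body for POST /admin/realms/{realm}/components.

    Keycloak stores each provider setting as a list of strings. The keys are the
    LDAP provider's own settings (User federation > LDAP in the admin console);
    the values are AD-flavoured defaults (sAMAccountName, objectGUID, ...).
    """
    config = {
        "vendor": ["ad"],
        "connectionUrl": [connection_url],
        "usersDn": [users_dn],
        "authType": ["simple"],
        "bindDn": [bind_dn],
        "bindCredential": [bind_credential],
        # READ_ONLY: Keycloak never writes back to AD; AD stays the source of truth.
        "editMode": ["READ_ONLY"],
        "usernameLDAPAttribute": ["sAMAccountName"],
        "rdnLDAPAttribute": ["cn"],
        "uuidLDAPAttribute": ["objectGUID"],
        "userObjectClasses": ["person, organizationalPerson, user"],
        "importEnabled": ["true"],
        "syncRegistrations": ["false"],
        "allowKerberosAuthentication": ["false"],
    }
    if kerberos_realm is not None:
        # Accept the browser's SPNEGO token (from the Windows session) at the
        # Keycloak login page; Keycloak then issues the usual OIDC tokens.
        config.update({
            "allowKerberosAuthentication": ["true"],
            "kerberosRealm": [kerberos_realm],
            "serverPrincipal": [server_principal or ""],
            "keyTab": [keytab or ""],
            "useKerberosForPasswordAuthentication": ["false"],
        })
    return {
        "name": name,
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "config": config,
    }


def check_federation(component):
    """Return the problems a reviewer would raise before enabling the provider."""
    cfg = component["config"]
    problems = []
    if not cfg["connectionUrl"][0].startswith("ldaps://"):
        problems.append("connectionUrl should use ldaps:// so the bind credential and "
                        "user attributes do not cross the network in clear text")
    if not cfg["bindCredential"][0]:
        problems.append("bindCredential is empty; a simple bind would be anonymous")
    if cfg["editMode"][0] != "READ_ONLY":
        problems.append("editMode should be READ_ONLY when AD is the source of truth")
    if cfg["allowKerberosAuthentication"][0] == "true":
        for key in ("kerberosRealm", "serverPrincipal", "keyTab"):
            if not cfg.get(key, [""])[0]:
                problems.append(f"{key} is required when Kerberos authentication is on")
        principal = cfg.get("serverPrincipal", [""])[0]
        if principal and not principal.startswith("HTTP/"):
            problems.append("serverPrincipal must be the HTTP/<keycloak-host>@REALM "
                            "service principal the browser requests a ticket for")
    return problems


def submit_federation(base_url, realm, admin_token, component):
    """POST the component to the Keycloak admin REST API (needs an admin bearer token)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/components",
        data=json.dumps(component).encode(),
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 201 Created on success


if __name__ == "__main__":
    comp = build_ad_federation(
        name="corp-ad",
        connection_url="ldaps://dc1.corp.example:636",                # placeholder
        users_dn="OU=Users,DC=corp,DC=example",                       # placeholder
        bind_dn="CN=keycloak-svc,OU=Service,DC=corp,DC=example",      # placeholder
        bind_credential="<service account password>",                 # placeholder
        kerberos_realm="CORP.EXAMPLE",                                # placeholder
        server_principal="HTTP/sso.corp.example@CORP.EXAMPLE",        # placeholder
        keytab="/etc/keycloak/sso.keytab",                            # placeholder
    )
    print(json.dumps(comp, indent=2))
    print("problems:", check_federation(comp) or "none")
```

Run it as-is to see the payload and the check result; call `submit_federation(...)` with a real admin token only once `check_federation` returns an empty list. The account-linking point in the answer is handled outside this payload: Keycloak's LDAP mappers decide which AD attribute (typically `mail`) becomes the Keycloak email, so that value is what must already match the existing user records.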