Keycloak SSO (Mobile + MiniApps)

Goals

  • The native super-app owns the user’s Keycloak session.
  • Miniapps never receive refresh tokens.
  • Miniapps operate with short-lived, scoped, auditable sessions.

  1. Native app authenticates using Authorization Code + PKCE.
  2. Native app calls emali2-miniapps to mint a miniapp-scoped session for a specific miniapp.
  3. Miniapp calls Emali 2.0 APIs through the BFF/proxy using that scoped session.
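The minting step (2) and the proxy-side check (3) above, as an added example that is not code from the page or from the emali2-miniapps service: the native app, having completed the PKCE login, asks the BFF for a session bound to one miniapp, and the BFF/proxy validates that session on every Emali 2.0 API call. The token format, claim names, TTL and signing key are assumptions, and the native app's Keycloak claims are taken as already validated.

```python
# Added illustration, not the emali2-miniapps implementation. Token layout,
# claim names, SECRET and MINIAPP_TTL are assumptions; only the properties the
# page states are enforced: one miniapp per session, subset scopes, short TTL,
# an audit record per session, and no refresh token ever copied across.
import base64, hashlib, hmac, json, secrets, time
SECRET = b"assumed-bff-signing-key"   # placeholder; load from a secret store in practice
MINIAPP_TTL = 300                     # seconds: miniapp sessions are deliberately short-lived
AUDIT_LOG = []                        # stands in for the audit sink

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def mint_miniapp_session(native_claims: dict, miniapp_id: str, wanted_scopes: set, now=None) -> str:
    """Step 2: called by the native app, which owns the Keycloak session.
    The miniapp gets at most a subset of what the user already granted."""
    now = int(time.time()) if now is None else now
    granted = set(native_claims["scope"].split())
    if not wanted_scopes <= granted:
        raise PermissionError(f"miniapp {miniapp_id} asked for scopes outside the user grant")
    claims = {
        "sub": native_claims["sub"],
        "aud": miniapp_id,                   # bound to exactly one miniapp
        "scope": " ".join(sorted(wanted_scopes)),
        "iat": now, "exp": now + MINIAPP_TTL,
        "jti": secrets.token_hex(8),         # unique id so every session is auditable
        "parent_sid": native_claims["sid"],  # links back to the Keycloak session for revocation
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    AUDIT_LOG.append({"event": "miniapp_session_minted", **claims})
    return f"{body}.{_sign(body)}"

def verify_miniapp_session(token: str, miniapp_id: str, required_scope: str, now=None) -> dict:
    """Step 3: run by the BFF/proxy in front of Emali 2.0 APIs on every miniapp call."""
    now = int(time.time()) if now is None else now
    body, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(body)):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["aud"] != miniapp_id:
        raise PermissionError("session was minted for a different miniapp")
    if now >= claims["exp"]:
        raise PermissionError("session expired; the native app must mint a new one")
    if required_scope not in claims["scope"].split():
        raise PermissionError(f"scope {required_scope} not granted to this miniapp")
    return claims
```

Because the miniapp session carries no refresh token, an expired or stolen session can only be renewed by going back through the native app, which is the point of step 2.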

Notes

  • Avoid Resource Owner Password Grant for mobile.
  • Enforce step-up auth policies for money movement.