MGNLSSO-35

Allow Magnolia to be used as pac4j middle-man in PUR scenarios


    • Task
    • Resolution: Won't Fix
    • Neutral

      Although pac4j's APIs helped a lot to lower the code complexity of logging a user into Admincentral using Keycloak as an identity provider, the module could still do more.

      One common scenario is a user logging into an area of a public website through SSO authentication with Facebook, Twitter, GitHub, etc.

      A back-end server is needed in those cases because without it, the front-end application would need to store the application ID and secret in the front-end code directly, which is unsafe, as it can be read easily.

      Luckily, Magnolia and pac4j can chime in. pac4j ships a ton of pre-configured clients: http://www.pac4j.org/docs/clients/oauth.html

      What we would need to do is provide configurable endpoints, as the following simple project does: https://github.com/jooby-project/pac4j-starter

      This has little to do with the current use case the module is solving. Magnolia components such as the login and logout filters, the UserManager, the ExternalUser, etc. can be left out of such a scenario.

      I therefore suggest splitting the module into two or three distinct submodules:

      • one for Admincentral login with Keycloak for our cloud
      • one for easy front-end integrations for customers
      • one for common components

              mmichel Maxime Michel