REST API authentication and Keycloak User

Hi,
I can try to describe my situation:
React app, Jmix app (back end with REST API + standard UI access), Keycloak.
I have a React app (without login) that calls REST API services of my Jmix app.
This React app calls the REST API on my Jmix app (jmix-oidc addon, REST API addon) to serve my business logic.
The React app and the Jmix app use Keycloak for authentication.
My problem is that a session cookie is saved at the first API request, and then, when accessing the standard login of the Jmix app, Keycloak “reads” an active session. This session belongs to the wrong user (the one used for REST API calls).
I want the React app to be sessionless. Is it possible?

Any suggestions?

Thanks a lot.
Tony

Hi,

Could you please explain the flow in more detail?

  1. “I’ve a react app (without login)”. What do you mean here? How do you get the access token from Keycloak using the React app? Some “hardcoded” user credentials?
  2. What requests do you send to the Jmix REST API?
  3. What cookie is saved?

Hi Maxim,

  1. My React page is public and I use a (hardcoded) user to access the REST API. This user is called “react-app-user”. This web app will be available on a private network.
  2. I send GET and POST requests.
  3. SESSIONID is saved when the first authentication is performed (with react-app-user).

Thank you for the reply.

Tony

Unfortunately, I couldn’t reproduce the issue.
What endpoints do you access? Are they standard REST API endpoints (/rest/entities/User/**, etc.) or your custom controllers?
It would be great if you could provide a very simple sample application where the problem can be reproduced: the React app, which just obtains the token and accesses the Jmix application, and the Jmix app with a single controller (if any).