Access token as query param #12952
Unanswered
igorhorvat1968 asked this question in Q&A
Replies: 0 comments
Hi all,
we have a special requirement from one of our clients to implement an SSO which would allow sending access tokens as query parameters.
I'm aware of the security risks, but it will be used as an SSO solution for internal web applications, so I guess the risk is lower due to that fact.
The reason why it should be in a URL is because some of the applications work on specific older versions of browsers (and will not be upgraded due to cost and complexity), so we have to use custom Windows protocols (https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-ph-install-registration) to be able to 'invoke' a specific application in another browser while passing a token.
We would like to avoid custom development of SSO, and we are considering using Keycloak.
I've done some research and it seems that Keycloak supports usage of access tokens in URLs, at least based on some older posts:
https://lists.jboss.org/pipermail/keycloak-user/2018-July/014733.html
I've started a Keycloak server locally via Docker and made a sample Java Spring application, and was able to integrate its security with Keycloak.
But when I tried to send the access_token parameter in the URL in another browser, e.g. MS Edge (without headers/cookies, of course), I received a 401. My URL looks like this: http://localhost:8080/hello?access_token=938fb683-b854-4604-a5cf-ca8e5e651578
So my question is: is this actually possible to achieve via Keycloak, but I'm doing something wrong while testing?
I've also tried to start Keycloak locally and debug it in order to see what I get in `protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult)` and whether I could somehow check a token sent via query param and authenticate it. But I was unsuccessful in starting Keycloak locally; I got some errors (the build was OK) when following the instructions in https://github.com/keycloak/keycloak/blob/main/docs/building.md
So I've decided to ask a question before I dig deeper and spend more time on research.
Best regards,
Igor
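An added example, not from the original post or the Keycloak project, of how the Spring side can accept the token from the URL. It assumes the application is secured with Spring Security's OAuth2 resource-server support (not the Keycloak Spring adapter whose filter is mentioned above) and that the hand-off path is `/sso/handoff`; the Authorization header is accepted everywhere, the `?access_token=` query parameter (RFC 6750 section 2.3) only on that path.

```java
// Added example (not from the post or from Keycloak): accept the bearer token from the
// Authorization header on every request, and from the ?access_token= query parameter
// only on the hand-off path opened by the custom-protocol launcher. Path name is assumed.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class SsoHandoffSecurityConfig {

    // Only this path may carry the token in the URL (assumed name).
    private static final RequestMatcher HANDOFF = new AntPathRequestMatcher("/sso/handoff");

    @Bean
    BearerTokenResolver bearerTokenResolver() {
        DefaultBearerTokenResolver headerOnly = new DefaultBearerTokenResolver();
        DefaultBearerTokenResolver headerOrQuery = new DefaultBearerTokenResolver();
        headerOrQuery.setAllowUriQueryParameter(true); // reads ?access_token=... on GET
        // Every other path keeps the default behaviour: a token in the query string is
        // ignored there and the request gets the same 401 the post describes.
        return request -> HANDOFF.matches(request)
                ? headerOrQuery.resolve(request)
                : headerOnly.resolve(request);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, BearerTokenResolver resolver) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .bearerTokenResolver(resolver)
                // Keycloak issues JWT access tokens; the realm's issuer is taken from
                // spring.security.oauth2.resourceserver.jwt.issuer-uri in application properties.
                .jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

Because the URL on the hand-off path ends up in browser history, proxy and server access logs and any outgoing Referer header, keep that token short-lived and make sure the access log for that path does not record the query string.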