To configure a minimal required Keycloak setup, follow these steps:
Recommended Keycloak version: 18.0.x
For more detailed information, refer to the official Keycloak documentation:
A realm is a space where you manage objects, including users, applications, roles, and groups. To create a new realm, open the realm dropdown menu in the admin console.
If you are logged in to the master realm, this dropdown menu lists all the realms created. Choose Add realm and the Add Realm page opens.
You can either create or import a user group into a realm. We prepared a script that helps you import a super admin group (SUPER_ADMIN_USERS) provided with the necessary default user roles. After importing, add an admin user to the group and assign the necessary roles.
Make sure to validate the imported roles by checking the following section:
To create a new user in a realm and generate a temporary password, create the user in the realm, set a temporary password, and assign the user to FLOWX_SUPER_USERS.
A client represents an instance of an application and is attached to a specific realm. First, add the platform-authenticate client; it will be used for login, logout and refresh token operations by web and mobile apps.
Select Clients, click Create and enter the client ID {example}-authenticate, which will be used for login, logout, and refresh token operations. Set the client protocol to openid-connect and save the {example}-authenticate client. Refer to the next section on how to add mappers to clients, and which mappers to add.
Protocol mappers in Keycloak allow for the transformation of tokens and documents, enabling actions such as mapping user data into protocol claims or modifying requests between clients and the authentication server.
To enhance your clients, consider adding the following mappers:
realm-groups: this mapper maps the user's groups to the authorization token.
business filter mapper: use this mapper to map custom attributes, for example the businessFilters list, to a token claim.
realm-roles: this mapper maps the user's realm roles to a token claim.
By incorporating these mappers, you can further customize and enrich the information contained within your tokens.
To add a group membership mapper, open the {example}-authenticate client, navigate to the Mappers section, and create a group membership mapper named groups.
By configuring the group membership mapper, you will be able to include the user's group information in the token for authorization purposes.
To include custom attributes such as business filters in the token claim, open the {example}-authenticate client, navigate to the Mappers section, and add a user attribute mapper with the user attribute businessFilters and the token claim name attributes.businessFilters.
By adding this user attribute mapper, the custom attribute "businessFilters" will be included in the token claim under the name "attributes.businessFilters". This allows you to access and use the business filters information within your application.
You can find more information about business filters in the following section:
Add a roles mapper to the {example}-authenticate client so that roles are available in the OAuth user info response.
To add a roles mapper, open the {example}-authenticate client, navigate to the Mappers section, and create a realm role mapper with the token claim name roles, added to the user info response.
By adding this roles mapper, the realm roles assigned to the user will be available in the OAuth user info response under the claim name "roles". This allows you to access and use the user's realm roles within your application.
Please note that you can repeat these steps to add multiple roles mappers if you need to include multiple realm roles in the token claim.
Add the {example}-platform-authorize client; it will be used to authorize REST requests to microservices and Kafka.
Once you have configured these settings, the {example}-platform-authorize client is created and can be used to authorize REST requests to microservices and Kafka within your application.
What is a service account?
A service account is an account that grants direct access to the Keycloak API for a specific component.
Each client has a built-in service account which allows it to obtain an access token. To use this feature, you must set the Access Type of your client to confidential. When you do this, the Service Accounts Enabled switch appears.
The admin service account is used by the admin microservice to connect to Keycloak and use the user and group management features within the designer.
Follow these steps to add an admin service account:
First, make sure that you created a realm-management client with the following client roles:
In the provided example, the admin service account can have the following assigned roles, depending on the required access scopes:
The admin service account does not require mappers, as it does not use roles. Its service account roles are client roles from the realm-management client.
For detailed information, refer to the following section:
The task management service account is used to start processes, to enable the task management plugin (which requires the FLOWX_ROLE role and the roles mapper), and to access data from Keycloak.
The task management microservice requires a service account to make direct calls to the Keycloak API. Follow these steps to add a task management service account:
Example for view-users: assign the view-users client role, and also assign FLOWX_ROLE as a service account role.
In the provided example, the task management service account can have the following assigned roles, depending on the required access scopes:
For more information, check the following section:
The process engine requires a process engine service account to make direct calls to the Keycloak API.
This service account is needed so that the Start Catch Event node can be used.
Follow these steps to add a process engine service account:
Add a new client by selecting Clients then click Create.
Next, set Access type as confidential and enable Service Accounts.
This service account does not require client roles. Assign FLOWX_ROLE as service account role (this is needed to run process instances).
The scheduler service account is used for the Start Timer Event node. The timers registered in the scheduler require sending a process start message to Kafka, and authentication is also necessary for this operation.
Follow these steps to add a scheduler service account:
Add a new client by selecting Clients then click Create.
Next, set Access type as confidential and enable Service Accounts.
Assign FLOWX_ROLE as service account role (this is needed to run process instances).
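As an added check (example code written for this page, not part of the FlowX or Keycloak projects), the following script audits the clients array of a Keycloak realm export against the setup described above: the {example}-authenticate client's protocol and its groups, attributes.businessFilters and roles mappers (the roles mapper must be added to the user info response), the presence of {example}-platform-authorize, and that every client with a service account enabled is confidential. The Keycloak mapper type ids are assumed to match the console mapper types, and the sample export is constructed; the prefix "example" stands in for your {example} value.

```python
import json

# Keycloak's built-in OIDC mapper ids (assumed to match the console types
# "Group Membership", "User Attribute" and "User Realm Role" in 18.x).
GROUP_MAPPER = "oidc-group-membership-mapper"
ATTR_MAPPER = "oidc-usermodel-attribute-mapper"
ROLE_MAPPER = "oidc-usermodel-realm-role-mapper"
EXPECTED_CLAIMS = {"groups": GROUP_MAPPER,
                   "attributes.businessFilters": ATTR_MAPPER,
                   "roles": ROLE_MAPPER}

def audit_clients(clients, prefix="example"):
    """Check the 'clients' array of a realm export; returns findings ([] = OK)."""
    findings = []
    by_id = {c.get("clientId"): c for c in clients}
    auth_id = f"{prefix}-authenticate"
    auth = by_id.get(auth_id)
    if auth is None:
        findings.append(f"missing client {auth_id}")
    else:
        if auth.get("protocol") != "openid-connect":
            findings.append(f"{auth_id}: protocol must be openid-connect")
        # index the client's protocol mappers by the token claim they write
        mappers = {m.get("config", {}).get("claim.name"): m for m in auth.get("protocolMappers", [])}
        for claim, mtype in EXPECTED_CLAIMS.items():
            m = mappers.get(claim)
            if m is None or m.get("protocolMapper") != mtype:
                findings.append(f"{auth_id}: no {mtype} for claim '{claim}'")
            elif claim == "roles" and m.get("config", {}).get("userinfo.token.claim") != "true":
                findings.append(f"{auth_id}: roles mapper not added to userinfo")
    if f"{prefix}-platform-authorize" not in by_id:
        findings.append(f"missing client {prefix}-platform-authorize")
    # Service accounts only work on confidential clients: flag public ones.
    for cid, c in by_id.items():
        if c.get("serviceAccountsEnabled") and c.get("publicClient", False):
            findings.append(f"{cid}: service account enabled on a public client")
    return findings

# Constructed sample export (not a real realm): the businessFilters mapper is
# missing and the constructed scheduler client was left public, so two findings are expected.
SAMPLE = json.loads("""[
 {"clientId": "example-authenticate", "protocol": "openid-connect",
  "protocolMappers": [
   {"name": "groups", "protocolMapper": "oidc-group-membership-mapper",
    "config": {"claim.name": "groups", "full.path": "false"}},
   {"name": "roles", "protocolMapper": "oidc-usermodel-realm-role-mapper",
    "config": {"claim.name": "roles", "userinfo.token.claim": "true"}}]},
 {"clientId": "example-platform-authorize", "protocol": "openid-connect", "publicClient": false},
 {"clientId": "scheduler-service", "protocol": "openid-connect", "publicClient": true,
  "serviceAccountsEnabled": true}
]""")
```

Run it against the clients array of your own realm export (Realm Settings, Export) by passing the parsed JSON list to audit_clients with your prefix.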