Prerequisites
Before you begin, ensure you have the following:- Keycloak installed
- Administrative access to the Keycloak server
- Basic understanding of IAM concepts
Recommended Keycloak setup
To configure a minimal required Keycloak setup, in this guide we will covere the following steps:Create a new realm
Create/import user roles and groups
Create new users
Add clients
Add mappers
Add service accounts
Keycloak documentation
Creating a new realm
A realm is a space where you manage objects, including users, applications, roles, and groups. Creating a new realm is the first step in setting up Keycloak. Follow the steps below to create a new realm in Keycloak:Log in to the Keycloak Admin Console

Create Realm
Enter Realm Details

Configure Realm Settings


- Ensure that the realm name is unique within your Keycloak instance.
- Double-check session idle and token lifespan settings to align with your security requirements.
Creating/importing user groups and roles
User groups and roles are essential for managing user permissions and access levels within a realm. You can either create or import user groups into a realm.Download and Run the Import Script
Download script
- Unzip the downloaded file.
- Open a terminal and navigate to the unzipped folder.
- Run the script using the appropriate command for your operating system.
Add Admin User to Group

Validate imported roles
- Ensure the script has the necessary permissions to run on your system.
- Verify that the roles and groups align with your organizational structure.
Creating new users
Creating new users is a fundamental part of managing access within Keycloak. Follow these steps to create a new user in a realm and generate a temporary password:Navigate to Users
Add a New User

Assign User to Group
FLOWX_SUPER_USERS
and click Join.
Set Temporary Password

- Ensure that the email address is valid and correctly formatted.
- Set the temporary password policy according to your organizationβs security requirements.
Adding clients
A client represents an instance of an application and is associated with a specific realm.Adding an OAuth 2.0 client
Weβll add a client namedflowx-platform-authenticate
, which will be used for login, logout, and refresh token operations by web and mobile apps.
Navigate to Clients

Configure General Settings
- Set a client ID to
{your-client-name}-authenticate
. - Set the Client type to
OpenID Connect
.

Configure Capability Config
- Enable Direct Access Grants.
- Enable Implicit Flow Enabled.

Set Valid Redirect URIs
- Set Valid redirect URIs, specifying a valid URI pattern that a browser can redirect to after a successful login or logout, simple wildcards are allowed.

Configure Additional Settings
- Backchannel Logout Session Required: Toggle OFF.
- Front Channel Logout: Toggle OFF.

Add Mappers
{your-client-name}-authenticate
client.Adding an Authorizing client
To authorize REST requests to microservices and Kafka, create and configure the{your-client-name}-platform-authorize
client.
Create the Client
{your-client-name}-platform-authorize
).Set Client type to OpenID Connect.
Configure Capability Config

Set Valid Redirect URIs

Configure Additional Settings
- Backchannel Logout Session Required: Toggle OFF.
- Front Channel Logout: Toggle OFF.

{your-client-name}-platform-authorize
client will be created and can be used to authorize REST requests to microservices and Kafka within your application.
Example configuration for microservices
Below is an example of a minimal configuration for microservices using OAuth2 with the{your-client-name}-platform-authorize
client:
Configuration Key | Value/Example | Description |
---|---|---|
security.type | oauth2 | Specifies the security type as OAuth2. |
security.basic.enabled | false | Disables basic authentication. |
security.oauth2.base-server-url | http://localhost:8080 | Sets the base server URL for the Keycloak server. |
security.oauth2.realm | flowx | Specifies the Keycloak realm. |
security.oauth2.client.access-token-uri | ${security.oauth2.base-server-url}/realms/${security.oauth2.realm}/protocol/openid-connect/token | Defines the URL for obtaining access tokens. |
security.oauth2.client.client-id | your-client-name-platform-authorize | Sets the client ID for authorization. |
security.oauth2.client.client-secret | CLIENT_SECRET | Provides the client secret for authentication. |
security.oauth2.resource.user-info-uri | ${security.oauth2.base-server-url}/realms/${security.oauth2.realm}/protocol/openid-connect/userinfo | Specifies the URL for retrieving user information. |
Adding protocol mappers
Protocol mappers in Keycloak allow you to transform tokens and documents, enabling actions such as mapping user data into protocol claims and modifying requests between clients and the authentication server. This provides greater customization and control over the information contained in tokens and exchanged during authentication processes.
- Group Membership mapper (
realm-groups
)- Maps user groups to the authorization token.
- User Attribute mapper (
business filter mapper
)- Maps custom attributes, for example, mapping the businessFilters list, to the token claim.
- User Realm role (
realm-roles
)- Maps a userβs realm role to a token claim.
/userinfo
endpoint, in addition to being included in tokens. This capability is a feature that not all Identity Providers (IDPs) support.Group Membership mapper
Steps to add a Group Membership mapper:Navigate to Clients

Select Client Scopes
{your-client-name}-authenticate-dedicated
to open its settings.
Client Scope

Add a New Mapper

Provide Mapper Details
realm-groups
.Token Claim Name: Set the token claim name, typically as groups
, for including group information in the token.Add to ID Token: Toggle OFF.
User Attribute mapper
To include custom attributes such as business filters in the token claim, follow these steps to add a user attribute mapper:Navigate to Client Scopes
{your-client-name}-authenticate-dedicated
to open its settings.Ensure the Mappers tab is selected.Add a New Mapper

Provide Mapper Details
- Mapper Type: Select User Attribute.
- Name: Enter a descriptive name for the mapper, such as βBusiness Filters Mapperβ.
- User Attribute: Enter
businessFilters
. - Token Claim Name: Enter
attributes.businessFilters
. - Add to ID Token: Toggle OFF.
- Multivalued: Toggle ON.

Business filters
User realm role mapper
To add a roles mapper to the{your-client-name}-authenticate
client, so roles will be available in the OAuth user info response, follow these steps:
Navigate to Client Scopes
{your-client-name}-authenticate-dedicated
to open its settings.Ensure the Mappers tab is selected.Add a New Mapper

Provide Mapper Details
- Name: Enter a descriptive name for the mapper, such as βRoles Mapperβ.
- Mapper Type: Select User Realm Role.
- Token Claim Name: Enter
roles
. - Add to ID Token: Toggle OFF.
- Add to access token: Toggle OFF.

Examples
Login
To request a login token:Refresh token
To refresh an existing token:User info
To retrieve user information:Adding service accounts
Admin service account
The admin service account is used by the admin microservice to connect with Keycloak, enabling user and group management features within the FlowX.AI Designer. Steps to add an Admin service account:Create the Client

Configure Capability Config
- Enable Client authentication (access type).
- Disable Standard flow.
- Disable Direct access grants.
- Enable Service accounts roles.

Configure Additional Settings
- Backchannel Logout Session Required: Toggle OFF.
- Front Channel Logout: Toggle OFF.

Assign Roles to Service Account


- manage-realm
- manage-users
- query-users


realm-management
.Configuring access rights for admin
Task Management service account
The task management service account facilitates process initiation and enables the use of the task management plugin (requiring theFLOWX_ROLE
and role mapper), and access data from Keycloak.
Steps to Add a Task Management service account:
Create the Service Account
Assign Necessary Roles
- view-realm
- view-users


Add a Realm Roles Mapper
{your-client-name}-service-account
to open its settings.
Configure the Mapper
realm-roles
.Token Claim Name: Set it to roles
.Disable Add to ID token.

Add the Service Account Realm Role
FLOWX_ROLE
service account realm role (used to grant permissions for starting processes).FLOWX_ROLE
is used to grant permissions for starting processes in the FlowX.AI Designer platform. By default, this role is named FLOWX_ROLE
, but its name can be changed from the application configuration of the Engine by setting the following environment variable:FLOWX_PROCESS_DEFAULTROLES
Configuring access rights for Task Management
Process engine service account
The process engine requires a process engine service account to make direct calls to the Keycloak API.- 1-3: Follow the same steps as in the Admin Service Account Configuration: Admin service account:
- Add the
FLOWX_ROLE
service account realm role (used to grant permissions for starting processes):


- Add a realm-roles mapper:

Scheduler service account
- Assign the
FLOWX_ROLE
as service account role (this is needed to run process instances).

- Add a realm-roles mapper (as shown in the example for process-engine service account).
