What changed at the platform level
Service-account client renames
Every FlowX service authenticates to Keycloak through a service-account client. On 5.9.x these clients all follow theflowx-{service-name}-sa pattern, in the dedicated service-accounts realm (00000002-0002-4002-8002-000000000002).
On a 5.1 β 5.9 upgrade, the authorization-system service migrates the existing flowx realm β renaming it to your organization ID β and provisions the new service-accounts realm at first boot, including the clients below. The list is provided as a verification reference and as the source list for the Manual Keycloak Configuration path.
flowx-anonymous-sa uses a dedicated, low-privilege realm role. Unlike the other service-account clients above, this one is not assigned SA_FLOWX. The migration creates a new SA_FLOWX_ANONYMOUS realm role in the service-accounts realm and assigns it only that role. This caps the blast radius if the token leaks: an attacker can only invoke endpoints reachable to an anonymous internet visitor on processes or UI flows that explicitly opted into the Anonymous runtime role.Manual Keycloak Configuration path. If your environment does not allow FlowX to administer Keycloak directly (for example, restricted enterprise deployments), follow the Manual Keycloak Configuration recipe. On this path the realm rename is your responsibility: the user realmβs Realm name must equal your organization ID, because services resolve the organization from the token issuer URI (
<auth-server>/realms/<organization-id>). See Manual Keycloak configuration for the complete realm, client, and mapper setup.End-user group membership from Keycloak or an external IDP. This page covers authentication only. If your 5.1.x setup sources end-user group membership from Keycloak groups or a federated IDP β rather than administering it in FlowX after the upgrade β that membership reaches runtime authorization through the
attributes.runtimeGroups token claim, which needs a mapper that is not provisioned automatically. See Runtime authorization migration β keeping group membership in Keycloak and the Runtime groups attribute mapper setup steps.Remove legacy authentication env vars
Strip the following from every serviceβs Helm values / env files. These belong to the opaque-token introspection model and will prevent services from starting on 5.9.x.New required env vars
Add the following across all services. Defaults shown are the canonical 5.9.x defaults. Override only when your environment requires a different value.On every service (19 of 19)
ORGANIZATION_ID is not required on every service. Only on the 9 services that backfill organization_id columns via Liquibase (application-manager, authorization-system, cms-core, document-plugin, integration-designer, notification-plugin, organization-manager, process-engine, scheduler-core). The license service consumes the same UUID through a separate env var, FLOWX_LICENSE_ORGANIZATIONID. See Organization & deployment configuration for the exact behavior across fresh-install vs upgrade scenarios.On the 8 services that initiate service-to-service calls
These services have aMAINIDENTITY client registration that follows the new service-account naming convention.
On authorization-system (master-realm administration)
By default, the authorization-system performs realm migrations on startup and needs master-realm admin credentials. This behavior is controlled by SECURITY_KEYCLOAKADMINENABLED, which defaults to true (FlowX administers Keycloak).
The admin user supplied here must hold the Admin role on the master realm with permission to create realms β the migrations provision a new user realm and a service-accounts realm at first boot, and they also create clients, users, and service accounts in those realms.
When
SECURITY_KEYCLOAKADMINENABLED=false, FlowX does not manage Keycloak realms and the SECURITY_MASTERREALM_* credentials are not needed. Use the Manual Keycloak Configuration path to create the realms and service accounts yourself. The same flag governs the data-sync master-realm credentials below.authorization-system. One per service, via SPRING_LIQUIBASE_PARAMETERS_SECRETS_SERVICE_ACCOUNTS_FLOWX_*_SA (13 secrets in total, matching the service-account clients listed above).
On data-sync (runtime authorization migration)
The runtime-authorization migration step in data-sync connects directly to Keycloak to refresh runtime user/group/role assignments. Configure the same master-realm admin credentials on data-sync:
These reuse the master-realm admin you set on
authorization-system. They are required for the runtime-authorization migration to complete; without them, data-sync cannot refresh runtime role assignments and post-migration login validation fails.Configure SMTP in Keycloak
On 5.9.x, Keycloak is the system of record for password resets and user invitations. Configure an SMTP server on each Keycloak realm that will issue invitations. At minimum the user realm. Without SMTP, invitations and password-reset flows fail silently. See your Keycloak documentation for the realm-level SMTP settings (host, port, encryption, sender address, credentials). FlowX-issued invitation emails are templated by Keycloak.On self-hosted deployments this SMTP configuration is yours to set directly in Keycloak β it is not provisioned for you. See Email (SMTP) configuration for the field-by-field steps.
What happens to existing tokens and sessions
- Existing user sessions are invalidated by the realm transition. Users must sign in again after the upgrade.
- Existing service-account tokens are invalidated. The new
flowx-{service}-saclients re-establish service-to-service authentication on first request. - Existing API tokens issued to integration partners must be re-issued from the new service-accounts realm.
Verify the configuration
After services boot on 5.9.x, confirm:The two Keycloak realms exist. User realm (named with your organization ID) + service-accounts realm (
00000002-0002-4002-8002-000000000002).Every service-account client listed above exists in the service-accounts realm and has client credentials configured.
All services started cleanly. Service logs show JWT validation rather than opaque-token introspection. Search for
jwt-public-key in startup logs.Test user sign-in completes end to end against the user realm.
Test password-reset email arrives (validates Keycloak SMTP).
Related resources
Configuring an IAM solution
Full Keycloak realm, client, and mapper setup, including the Manual Keycloak Configuration recipe.
Access Management overview
How authentication and authorization fit together in 5.9.x.
Runtime authorization migration
Next step. The runtime authorization rewrite that depends on this auth foundation.
Organization & deployment configuration
ORGANIZATION_ID propagation and the new license service.
