Prerequisites
Before you begin, ensure you have the following:- Keycloak installed
- Administrative access to the Keycloak server
- Basic understanding of IAM concepts
Recommended Keycloak setup
To configure a minimal required Keycloak setup, this guide covers the following steps:Create a new realm
Create new users
Add clients
Add mappers
Add service accounts
Keycloak documentation
Creating a new realm
Log in to the Keycloak Admin Console

Create realm
Enter realm details
ORGANIZATION_ID parameter on the backend services. A friendly name such as the organization code can go in the Display name field under Realm settings โ General.
Configure realm settings


Creating new users
Creating new users is a fundamental part of managing access within Keycloak. Follow these steps to create a new user in a realm and generate a temporary password:Navigate to users
Add a new user

Set temporary password

Password policy
FlowX.AI enforces the following password policy for all user accounts:Adding clients
A client represents an application instance that is associated with a specific realm.Adding an OAuth 2.0 client
Add a client namedflowx-platform-authenticate, used for login, logout, and refresh token operations by web and mobile apps.
Navigate to Clients

Configure general settings
- Set a client ID to
{your-client-name}-authenticate. - Set the Client type to
OpenID Connect.

Configure capability config
- Enable Direct Access Grants.
- Enable Implicit Flow Enabled.

Set valid redirect URIs
- Set Valid redirect URIs, specifying a valid URI pattern that a browser can redirect to after a successful login or logout, simple wildcards are allowed.

FLOWX_DEFAULT_SECURITY_REALM_ALLOWEDREDIRECTURIS empty, the allowed list is derived from FLOWX_DEFAULT_DESIGNER_HOMEURI and FLOWX_DEFAULT_RUNTIME_HOMEURI with a /* suffix. See Organization Manager setup โ Self-hosted URL configuration.Configure additional settings
- Front Channel Logout: Toggle OFF.
- Backchannel Logout Session Required: Toggle OFF.

Add mappers
{your-client-name}-authenticate client.Example configuration for microservices
FlowX services validate incoming tokens using JWT public key validation. The shared security library (application-security-client.yaml) handles most configuration automatically.
Adding protocol mappers
Protocol mappers in Keycloak allow you to transform tokens and documents, enabling actions such as mapping user data into protocol claims and modifying requests between clients and the authentication server. This provides greater customization and control over the information contained in tokens and exchanged during authentication processes.
- Group Membership mapper (
realm-groups)- Maps user groups to the authorization token.
- User Attribute mapper (
business filter mapper)- Maps custom attributes, for example, mapping the businessFilters list, to the token claim.
- User Realm role (
realm-roles)- Maps a userโs realm role to a token claim.
/userinfo endpoint, but modern Keycloak versions support adding them to token introspection, which is the recommended approach for better security and performance.Group membership mapper
Steps to add a Group Membership mapper:Navigate to Clients

Select Client Scopes
{your-client-name}-authenticate-dedicated to open its settings.
Select client scope

Add a New Mapper

Provide mapper details
realm-groups.Token Claim Name: Set the token claim name, typically as groups, for including group information in the token.Add to ID Token: Toggle OFF.Add to token introspection: Toggle ON.
User attribute mapper
To include custom attributes such as business filters in the token claim, follow these steps to add a user attribute mapper:Navigate to Client Scopes
{your-client-name}-authenticate-dedicated to open its settings.Ensure the Mappers tab is selected.
Add a New Mapper
Provide mapper details
- Mapper Type: Select User Attribute.
- Name: Enter a descriptive name for the mapper, such as โBusiness Filters Mapperโ.
- User Attribute: Enter
businessFilter. - Token Claim Name: Enter
attributes.businessFilters. - Add to access token: Toggle ON.
- Add to token introspection: Toggle ON (recommended).
- Multivalued: Toggle ON.
- Aggregate attribute values: Toggle ON.

Business filters
Runtime groups attribute mapper
The runtime authorization service reads each userโs FlowX end-user group memberships from theattributes.runtimeGroups claim on the access token, matching every value against the names of end-user groups defined in FlowX by exact string comparison.
There are two ways to populate the claim, depending on where you maintain membership. Use one for a given group source, not both.
From native Keycloak groups
Use this when your end users are organized into Keycloak groups in the FlowX realm (for example, users imported into the realm and managed there). A Group Membership mapper emits the userโs group names directly asattributes.runtimeGroups.
Navigate to Client Scopes
flowx-platform-authenticate. Click Client Scopes and choose flowx-platform-authenticate-dedicated. Open the Mappers tab.Add a New Mapper
Provide mapper details
- Mapper Type: Select Group Membership.
- Name: Enter a descriptive name, such as โRuntime Groups Mapperโ.
- Token Claim Name: Enter
attributes.runtimeGroups. - Full group path: Toggle OFF. The claim then carries plain group names (for example
someGroup) instead of paths (/someGroup), so they match FlowX end-user group names. - Add to ID token: Toggle OFF.
- Add to access token: Toggle ON.
- Add to token introspection: Toggle ON.
From a federated identity provider
Use this when an external IDP supplies group membership through federation. The external IDP federation mapper writes the source claim into theflowxIdPGroups user attribute; a User Attribute mapper then promotes that attribute onto the access token as attributes.runtimeGroups.
Navigate to Client Scopes
flowx-platform-authenticate. Click Client Scopes and choose flowx-platform-authenticate-dedicated. Open the Mappers tab.Add a New Mapper
Provide mapper details
- Mapper Type: Select User Attribute.
- Name: Enter a descriptive name, such as โRuntime Groups Mapperโ.
- User Attribute: Enter
flowxIdPGroups. - Token Claim Name: Enter
attributes.runtimeGroups. - Add to access token: Toggle ON.
- Add to token introspection: Toggle ON (recommended).
- Multivalued: Toggle ON.
- Aggregate attribute values: Toggle ON.
attributes.runtimeGroups must match the names of end-user groups defined in FlowX. Federated logins populate flowxIdPGroups automatically through the external IDP federation mapper below.
Designer user attribute
ThedesignerUser user attribute is a boolean that flags whether a user has Designer access to the project. The flowx-platform-authenticate client exposes it on the access token as attributes.designerUser; the runtime authorization service reads the claim to skip role checks for designers running their own projects.
In FlowX-managed Keycloak deployments the attribute is set automatically at organization provisioning, and the mapper ships with the standard client setup. Add the mapper manually only when you operate Keycloak yourself.
Navigate to Client Scopes
flowx-platform-authenticate. Click Client Scopes and choose flowx-platform-authenticate-dedicated. Open the Mappers tab.Add a New Mapper
Provide mapper details
- Mapper Type: Select User Attribute.
- Name: Enter a descriptive name, such as โDesigner User Mapperโ.
- User Attribute: Enter
designerUser. - Token Claim Name: Enter
attributes.designerUser. - Add to access token: Toggle ON.
- Add to token introspection: Toggle ON (recommended).
- Multivalued: Toggle OFF.
- Claim JSON Type: Select boolean.
External IDP federation mapper
This mapper reads the source IDPโs group claim and writes the value into the FlowX-sideflowxIdPGroups user attribute. The Runtime groups attribute mapper above then promotes that user attribute onto the FlowX access token as attributes.runtimeGroups.
Open the federated IDP entry
Add a New Mapper
oidc-user-attribute-idp-mapper; some versions label it OpenID Connect Attribute to User Attribute).Provide mapper details
- Name: Enter a descriptive name, such as โSource groups to flowxIdPGroupsโ.
- Sync Mode Override: Select Force so subsequent logins re-import the value and pick up source-side group changes.
- Claim: Enter the name of the source IDP claim that carries the userโs group memberships. The exact name depends on the source IDP โ for example, FlowX-to-FlowX federation typically uses
groupsList; Entra ID typically uses thegroupsclaim or a custom extension; AD FS uses whatever the source-side claim emitter is configured to send. - User Attribute: Enter
flowxIdPGroups.
businessFilter user attribute. The User attribute mapper section above then exposes it on the token as attributes.businessFilters.Source IDP claim emission
The Attribute Importer mapper above reads a single claim from the source IDPโs token and writes it intoflowxIdPGroups. The customerโs IDP is responsible for producing that claim. The contract is:
- Claim name: customer-choice. The Attribute Importerโs Claim field absorbs the difference โ pick whatever the source IDP already emits (
groups,memberOf,roles, a vendor-specific path). - Claim type: multivalued string. Each value is a group identifier that must match an end-user group name in FlowX.
- Token destinations: the source IDP must add the claim to the access token (Keycloakโs broker reads it from there). Adding it to the ID token and userinfo as well is harmless and recommended.
groups array and others have a single-value role attribute โ they can configure two protocol mappers on the source IDP, both targeting the same outgoing claim name with Aggregate attribute values toggled ON. Keycloak unions the values into one array before emitting the claim. The same trick works for business filters.
User realm role mapper
To add a roles mapper to the{your-client-name}-authenticate client, so roles will be available in the OAuth user info response, follow these steps:
Navigate to Client Scopes
{your-client-name}-authenticate-dedicated to open its settings.Ensure the Mappers tab is selected.Add a New Mapper

Provide mapper details
- Name: Enter a descriptive name for the mapper, such as โRoles Mapperโ.
- Mapper Type: Select User Realm Role.
- Token Claim Name: Enter
roles. - Add to ID Token: Toggle OFF.
- Add to access token: Toggle OFF.
- Add to token introspection: Toggle ON.

ROLE_ADMIN_MANAGE_*, ROLE_TASK_MANAGER_*, or ROLE_CMS_*, sometimes already assigned to users. FlowX services assign no built-in meaning to these roles โ Designer and platform access is governed by workspace and organization roles plus permissions (see the roles & permissions matrix). Realm roles are only evaluated where your own configuration references them, such as swimlane access rules or business filters. Realms provisioned by current FlowX versions no longer include these legacy roles.Creating a basic client scope
To ensure consistent token configuration across all clients, you should create a default client scope named โbasicโ with predefined mappers.Navigate to Client Scopes
Configure client scope settings
- Name: Enter
basic. - Type: Select Default.
- Protocol: Select OpenID Connect.
- Display on consent screen: Toggle OFF.
- Include in token scope: Toggle ON.
Add predefined mappers
-
sub mapper:
- Click Add mapper โ From predefined mappers
- Select sub
- Click Add
-
auth_time mapper:
- Click Add mapper โ From predefined mappers
- Select auth_time
- Click Add
Assign to All Clients
- Navigate to Clients in the left menu
- For each client (e.g.,
flowx-platform-authenticateand all service accounts):- Open the client settings
- Go to the Client Scopes tab
- Click Add client scope
- Select basic from the list
- Choose Default as the assignment type
- Click Add
Examples
Login
To request a login token:Refresh token
To refresh an existing token:User info
To retrieve user information:Adding service accounts
Realm architecture
FlowX uses three Keycloak realms that separate Keycloak administration, user authentication, and service-to-service communication:- User-facing clients (
flowx-platform-authenticate) go in the user realm - All service account clients (
flowx-*-sa) go in the service accounts realm - No FlowX clients are created in the master realm โ it only holds Keycloakโs built-in
admin-cli
SECURITY_KEYCLOAKADMINENABLED (default true). Configure the following properties on the authorization-system service only:
Admin service account
The admin service account is used by the admin microservice to connect with Keycloak, enabling user and group management features within the FlowX.AI Designer. Steps to add an Admin service account:Create the Client

Configure capability config
- Enable Client authentication (access type).
- Disable Standard flow.
- Disable Direct access grants.
- Enable Service accounts roles.

Configure additional settings
- Backchannel Logout Session Required: Toggle OFF.
- Front Channel Logout: Toggle OFF.

Configure service account roles

Task Management service account
The task management service account facilitates process initiation and enables the use of the task management plugin (requiring theFLOWX_ROLE and role mapper).
Create the Service Account
Add a realm roles mapper
{your-client-name}-service-account to open its settings.
Configure the mapper
realm-roles.Token Claim Name: Set it to roles.Disable Add to ID token.

Add the service account realm role
FLOWX_ROLE service account realm role (used to grant permissions for starting processes).FLOWX_ROLE realm role is used to grant permissions for starting processes in the FlowX.AI Designer platform.Process engine service account
The process engine requires a service account for service-to-service authentication and authorization.Create the Client
Configure service account roles
SA_FLOWX realm role.Add a realm roles mapper
{your-client-name}-service-account to open its settings.Ensure the Mappers tab is selected within the dedicated client scope.Click Add mapper. From the list of available mappers, select User Realm Role.Configure the mapper:- Name: Enter
realm-roles - Token Claim Name: Set it to
roles - Add to ID token: Toggle OFF
- Add to token introspection: Toggle ON

Scheduler service account
Create the Client
Configure service account roles
SA_FLOWX realm role.Add a realm roles mapper
{your-client-name}-service-account to open its settings.Ensure the Mappers tab is selected within the dedicated client scope.Click Add mapper. From the list of available mappers, select User Realm Role.Configure the mapper:- Name: Enter
realm-roles - Token Claim Name: Set it to
roles - Add to ID token: Toggle OFF
- Add to token introspection: Toggle ON

Integration Designer service account
The Integration Designer service account is used by the integration designer microservice to interact securely with Keycloak, enabling it to manage various integrations within the FlowX.AI platform. Steps to set up an Integration Designer service account:Create the Client
- In Keycloak, navigate to Clients and select Create client.
- Enter a Client ID for your new client (e.g.,
flowx-integration-designer-sa).

Configure client capabilities
- Enable Client authentication under access type.
- Enable Service accounts roles to allow the account to manage integrations.

Save the Client Configuration
- Skip the Login settings page.
- Click Save to apply the configuration.
Assign service account client roles
Authorization System service account
The Authorization System service account is used for managing user authentication and authorization operations, including user management, realm configuration, and access control within the FlowX.AI platform. Steps to set up an Authorization System service account:Create the Client
flowx-authorization-system-sa).Configure capability config
- Enable Client authentication (access type).
- Disable Standard flow.
- Disable Direct access grants.
- Enable Service accounts roles.
Configure additional settings
- Backchannel Logout Session Required: Toggle OFF.
- Front Channel Logout: Toggle OFF.
Assign service account client roles
- view-users
- query-users
- manage-users
- manage-realm
Runtime manager service account
The runtime manager service account is used by both Application Manager and Runtime Manager services to connect with Keycloak and perform export/import operations for builds, application versions, or other resource-specific tasks. Steps to add a Runtime manager service account:Create the Client

Configure capability config
- Enable Client authentication (access type).
- Disable Standard flow.
- Disable Direct access grants.
- Enable Service accounts roles.

Configure additional settings
- Backchannel Logout Session Required: Toggle OFF.
- Front Channel Logout: Toggle OFF.

Configure service account roles

Organization manager service account
The organization manager service account is used by the organization manager microservice to handle organization and workspace management within the FlowX.AI platform.Create the Client
flowx-organization-manager-sa.Configure service account roles
SA_FLOWX realm role.Email gateway service account
The email gateway service account is used by the email gateway microservice to manage email sending and receiving operations within the FlowX.AI platform.Create the Client
flowx-email-gateway-sa.SA_FLOWX realm role.License service account
The license service account is used by the license microservice to manage license validation and enforcement within the FlowX.AI platform.Create the Client
flowx-license-sa.SA_FLOWX realm role.Configuring SA_FLOWX realm role
TheSA_FLOWX role is a realm-level role that should be assigned to all service accounts to ensure proper authentication and authorization across the FlowX.AI platform.
SA_FLOWX role in the service accounts realm (00000002-0002-4002-8002-000000000002), since that is where all service account clients reside.Create the SA_FLOWX Realm Role
- In the Keycloak admin console, navigate to the service accounts realm (
00000002-0002-4002-8002-000000000002). - Go to Realm roles in the left menu.
- Click Create role.
- Enter
SA_FLOWXas the Role name. - Add a description: โService account role for FlowX.AI platform servicesโ.
- Click Save.
Assign SA_FLOWX to service accounts
SA_FLOWX realm role:- flowx-process-engine-sa
- flowx-admin-sa
- flowx-runtime-manager-sa
- flowx-integration-designer-sa
- flowx-scheduler-core-sa
- flowx-authorization-system-sa
- flowx-task-management-plugin-sa
- flowx-organization-manager-sa
- flowx-email-gateway-sa
- flowx-license-sa
- flowx-webhook-gateway-sa
- flowx-file-gateway-sa
- flowx-ai-gateway-sa
- Navigate to Clients and select the service account client.
- Go to the Service accounts roles tab.
- Click Assign role.
- In the Filter field, select Filter by realm roles.
- Find and select SA_FLOWX from the list.
- Click Assign.

Verify role assignment
SA_FLOWX role listed in its Service accounts roles tab.SA_FLOWX role ensures consistent authentication and authorization behavior across all FlowX.AI platform services. Make sure all service accounts have this role assigned for proper system operation.Email (SMTP) configuration
Navigate to email settings
Configure SMTP connection details
Test the connection
Manual Keycloak configuration
If FlowX services do not have Keycloak admin access, perform the following steps manually in the Keycloak Admin Console:Create the service accounts realm
- Log in to the Keycloak Admin Console.
- Click Create realm.
- Set the Realm name to
00000002-0002-4002-8002-000000000002. - Set the Display name to
Flowx Administration Realm. - Click Create.
- Login tab: Enable Email as username and Login with email
- Authentication โ Policies โ Password Policy: Add uppercase, digit, special character, and minimum length (8) rules
Move service account clients to the SA realm

- In the SA realm, go to Clients โ Create client.
- Enter the Client ID (e.g.,
flowx-admin-sa). - Enable Client authentication and Service accounts roles. Disable Standard flow and Direct access grants.
- Configure Logout Settings: Toggle OFF both Backchannel Logout and Front Channel Logout.
- Assign the
SA_FLOWXrealm role (create it first in the SA realm if it does not exist).
Create the anonymous service account
flowx-anonymous-sa client is used by FlowX backend services for inter-service calls on anonymous (unauthenticated) runtime flows (see the full list of consuming services in the v5.9 deployment guidelines). It is intentionally scoped to a separate, lower-privilege realm role so a leaked token cannot exercise authenticated paths.- In the SA realm, create a new realm role named
SA_FLOWX_ANONYMOUS. Do not reuseSA_FLOWX. - Go to Clients โ Create client.
- Enter the Client ID
flowx-anonymous-sa. - Enable Client authentication and Service accounts roles. Disable Standard flow and Direct access grants.
- Configure Logout Settings: Toggle OFF both Backchannel Logout and Front Channel Logout.
- Assign only the
SA_FLOWX_ANONYMOUSrealm role to this clientโs service account. Do not assignSA_FLOWX.
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_ANONYMOUSIDENTITY_CLIENTSECRET. The same secret must be set on all of them. See Anonymous service account: shared client secret in the v5.9 deployment guidelines for the full list of services and the matching Liquibase parameter.Configure the org_id protocol mapper
flowx-platform-authenticate client has a protocol mapper that adds the org_id claim to access tokens:- Go to Clients โ
flowx-platform-authenticateโ Client scopes โ dedicated scope. - Add mapper โ By configuration โ Hardcoded claim.
- Set Name to
org_id, Token Claim Name toorg_id, Claim value to the organization ID provided by FlowX (which is also the user realm name), and Claim JSON Type toString. - Enable Add to access token and Add to token introspection.
Remove service accounts from user realm
flowx-platform-authenticate) in the user realm.Troubleshooting
Bad request error when creating users in FlowX Designer
Bad request error when creating users in FlowX Designer
Realm name conflict
Realm name conflict
Service account authentication fails
Service account authentication fails
- The service account client has Client authentication enabled and Service accounts roles toggled ON.
- The
SA_FLOWXrealm role is assigned to the service account. - The client secret in your deployment matches the secret in Keycloak (Clients โ select client โ Credentials tab).
security.oauth2.sa-realmis set to00000002-0002-4002-8002-000000000002and the service account client exists in the SA realm (not the user realm).
Token missing groups, roles, or business filters
Token missing groups, roles, or business filters
- Group Membership mapper with Add to token introspection toggled ON.
- User Realm Role mapper with Add to token introspection toggled ON.
- User Attribute mapper for business filters with Multivalued and Aggregate attribute values toggled ON.
- The
org_idprotocol mapper is configured on theflowx-platform-authenticateclient in the user realm.
JWT validation fails
JWT validation fails
- Verify
security.typeis set tojwt-public-key. - Ensure
security.oauth2.sa-realmis set to00000002-0002-4002-8002-000000000002. - Verify that
flowx.lib.security.services.organization-manager.base-urlis set and the organization-manager service is reachable.
Summary
By following these steps, you have a minimal Keycloak setup to manage users, roles, and apps efficiently. Your Keycloak setup should include:- A user realm (named with the organization ID provided by FlowX) containing the
flowx-platform-authenticateclient, protocol mappers, users, roles, and groups - A service accounts realm (
00000002-0002-4002-8002-000000000002) containing allflowx-*-saservice account clients with theSA_FLOWXrealm role - SMTP configured in the user realm for password reset and user invitations (required for self-hosted deployments)
- JWT public key validation (
security.type: jwt-public-key) on all services - Master realm credentials configured on the authorization-system service

