Keycloak (18.0.2)
Intro
Since the IDP Kit is compliant with the well adopted OpenID Connect standard for identity provision, it can be easily integrated, as a federated identity provider on Keycloak.
Assuming that you already have a local instance of Keycloak running, we will continue with the configuration of our federated identity provider. In case you need to setup Keycloak first, please have a look at their documentation on how to get started.
Configuration
To start with the configuration, we log in to the KeyCloak administration console with our admin credentials and navigate to the realm, for which we want to apply the configuration.
New external Identity Provider
In the admin console, we navigate to the Identity Providers section in the left menu bar and open the "Add provider..." drop-down menu and choose "OpenID Connect v1.0":
2. We fill out Alias and Display Name according to how we want the IDP Kit to be referred to in the Login UI
3. We scroll down to Import External IDP Config and enter the URL of the well-known OIDC discovery document of the IDP Kit and click import. For our IDP Kit which is running locally, this would be:
http://localhost:8080/api/oidc/.well-known/openid-configuration
We need to make sure IDP Kit is running, as Keycloak will import all the information it needs from that endpoint as soon as we press "Import".
4. Now we scroll down to Client Authentication and choose Client secret sent as basic auth as input field value. Then we provide Client ID and Client Secret which we got during the client registration step.
5. To make sure the IDP-Kit uses our NFT config settings during authentication, we need to provide openid nft_token
as the value for Default Scopes and set Prompt to None
6. Now we can create the provider.
Check Redirect URI
Now that we've finished the setup of our Identity provider in Keycloak, we must make sure that the client we registered with the IDP-Kit has the correct redirect URL. The redirect URL should match the value found at Redirect URI in our just created Identity Provider.
Updating IDP-Kit client
In case the redirect URL registered with our IDP-Kit client does not match, we need to make a change.
To update an existing client, we can use the clients register
command provided under the OIDC scope of the CLI tool and add the -u
flag to note that we want to change a client with the specified id.
Parameter description
-n
- Name of the client-r
- The redirect URL which should be used in the OIDC flow-u
- The ID of the client we would like to update
After updating the client, we can now run the IDP-Kit and connect Keycloak to an application of our choice. We will be using Next.js and NextAuth.
Last updated