Integrate Keycloak and Create OpenID Connect Client

Introduction

In this article, we will explore the process of adding an OpenID Connect client to Keycloak. We will cover all the necessary steps and configurations required to successfully set up and authenticate with the client. By following these instructions, you will have a better understanding of how to integrate OpenID Connect clients in Keycloak.

Creating an OpenID Connect Client in Keycloak

To begin, we need to access the Keycloak administration console and navigate to our realm. From there, we can choose the "Clients" option and click on "Create" to create a new client. It is important to give the client a meaningful ID and ensure that the client protocol is set to OpenID Connect.

Configuring the Client

Once the client is created, we can proceed to the initial settings screen for the client. Here, we will set the access type to "confidential" to enable additional features. We will disable the OAuth flows that authenticate users and enable the flow that allows service accounts, known as the client credentials grant. We should save the settings to proceed.

Setting Up Scopes and Roles

In order to issue tokens with the desired scopes, we need to configure the client scopes. We want to ensure that our tokens have the necessary scopes for the client's functionality. Additionally, we need to include a roles claim in the tokens. This can be set up in the client scopes section of the Keycloak administration console.

Using Client Credentials Grant

If we authenticate using the client ID and secret, we are essentially done with the configuration. However, if we want to use signed JWT authentication, we need to provide Keycloak with our public key. This can be achieved by importing an existing public key or generating new key material.

Generating Key Material

To generate new key material, we can select the option to generate a new private key and public key. Keycloak will combine these keys into a PKCS12 archive. We can choose the PKCS12 format as it is widely supported. After providing the necessary passwords, we can save the archive to disk.

Converting Key Material

The generated PKCS12 archive bundles the private key with the public key, but for specific clients like stigma watcher, we may need the private key to be in a PEM-encoded format. To extract the private key, we can use OpenSSL. By running a command against the PKCS12 archive and leaving out the certificates, we can obtain the encrypted private key in PEM format.

Final Steps

With the private key extracted, we can now use it to configure clients like stigma watcher for signed JWT authentication. At this point, our Keycloak setup is complete. We have created the client and generated the key material necessary for authenticating with a signed JWT.

Conclusion

Adding an OpenID Connect client to Keycloak involves several steps, including configuring the client, setting up scopes and roles, and generating key material. By following the instructions outlined in this article, you should now have a better understanding of how to integrate OpenID Connect clients into Keycloak.

Highlights

  • Learn how to add an OpenID Connect client to Keycloak
  • Configure the client with the necessary settings
  • Set up scopes and roles for the client
  • Use the client credentials grant for authentication
  • Generate key material for signed JWT authentication

FAQ

Q: Can I use an existing public key when configuring the client?
A: Yes, you have the option to import an existing public key into Keycloak during the configuration process.

Q: Is it possible to regenerate the client secret?
A: Yes, the client secret can be regenerated at any time if needed. This can be done through the Keycloak administration console.

Q: Are there any specific requirements for the private key format?
A: Some clients, like stigma watcher, may require the private key to be in a PEM-encoded format. The provided instructions in this article guide you on how to convert the private key to the required format.
