Keycloak Client Creation

This guide contains instructions for creating and configuring an OIDC client on Keycloak.

Procedure

The steps to create a Keycloak client are given below.

1. Log into Keycloak on the OpenG2P cluster.

2. Select the Clients from the left menu and click Create Client to create the required client.

3. Follow the below general settings while creating a client.

   • Client type**:** OpenID Connect

   • Client ID**:** <any client Id> For example, openg2p-sr-odk-prod

   • Name: <any name> For example, Social Registry ODK Prod

   • Always display in UI: On

   • Client authentication: On

   • Authentication flow: Select the Standard flow and Service accounts roles

   • Valid redirect URIs: *

4. Save the changes and click the Credentials tab above. You must note down the client ID and secret to add while installing the OpenG2P modules.

5. Click the Client Scopes tab.

6. Select the client that you created in the Client Scopes.

7. Select the From Predefined Mappers from the Add Mapper drop-down.

8. In the Add Predefined Mapper screen, select to show all mappers on the same page. Check all the mappers below the Name column, and click the Add button.

9. Search and remove the "Audience Resolve" mapper from the added mappers list. Click on Add Mapper -> By configuration and select the Audience mapper in the Configure new mapper page. Configure the audience mapper with the following details.

   • Client ID: select your Client ID from the drop-down

   • Add to Access Token: ON .

   • Add to ID token: ON .

10. After adding predefined mappers, search for "client" in the filter, select Client Roles mapper, update, and save the below changes.

    • Client ID: select your Client ID from the drop-down

    • Token Claim Name: client_roles

    • Add to ID token: ON

    • Add to userinfo: ON

11. After the successful creation of the client, you can use this client for the OpenG2P module installation from the Rancher UI.