# Configure Keycloak Authentication Provider for User Log in This document provides instructions on how to configure Keycloak Authentication Provider in PBMS to help the end-users to utilise the Keycloak option to log into PBMS. ## Prerequisites * Create a Keycloak client for PBMS/Social Registry as given in [Keycloak Client Creation](https://docs.openg2p.org/1.3/deployment/deployment-guide/keycloak-client-creation) guide. * Install the OpenID Connect Authentication module. Note: * OAuth providers can be created from Odoo Settings (debug mode). * For configuration reference refer the [OpenID Connect Authentication](https://docs.openg2p.org/1.3/pbms/developer-zone/odoo-modules/openid-connect-authentication) documentation. ## Procedure 1. Click the main menu icon ![](https://1895884874-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnKdOHLbjDdIln1QDNwSx%2Fuploads%2Fgit-blob-1b48611b7e3fc05b72b589735073c90404ac05ef%2Fmain-menu.png?alt=media) and select ***Settings***.
The ***Settings*** screen is displayed. 2. Select the tab ***Users & Companies***, and click the option ***OAUTH Providers***.
***Providers*** screen is displayed.
3. Click the ***New*** button. ***Providers New*** screen is displayed.
4. Enter the values in the respective fields. For example, the fields, their descriptions, and sample values are given below.
FeatureDescriptionValue
Provider nameEnter the provider name.For example: Keycloak for PBMS Login
Auth FlowSelect the option OpenID Connect Authorization Code Flow from the drop-down.
Token MapYou can find a default value. In the default value change groups:groups to client_roles:groups .
Client ID

The ID of the Keycloak client.

To learn more refer to Keycloak Client Creation.

Client Authentication MethodSelect the option Client Secret (Post) from the drop-down.
Client SecretThe Client Secret of the Keycloak client. To learn more, refer to Keycloak Client Creation.
AllowedCheck the box to enable the option Allowed.
Allowed in Self Service PortalUncheck the box.
Allowed in Service Provider PortalUncheck the box.
Login button labelEnter the label name for the Keycloak Login button.

For example: Login with Keycloak.

Note: This text with the button name will appear on login page.

Image Icon URLEnter the URL of an image for the Keycloak Login button.
Authorization URL, Userinfo URL, Token Endpoint, JWKS URL

These are to be configured as available in the well-known config of Keycloak.

Note:

Keycloak OIDC well-known configuration can be found in Keycloak Admin Console -> Realm Settings -> (Bottom of Page) Endpoints -> OIDC Endpoint Configuration)

Verify Access Token HashCheck the box to enable the option Verify Access Token.
Allow SignupSelect the option Allows user signup from the drop-down.
Signup Default GroupsSelect the option User types/Portal from the drop-down.
Sync User GroupsSelect the option On every Login from the drop-down.
Note: The rest of the fields have the default values. 5. Click the icon ![](https://1895884874-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FnKdOHLbjDdIln1QDNwSx%2Fuploads%2Fgit-blob-0082283cd63edf1a7973f4cf04936f150b6aed9d%2Fsave-button.png?alt=media) to save the changes. If you have configured the ***Keycloak Authentication Provider*** successfully, you can find the ***Log in Keycloak*** button in the PBMS log in page. Before log in using the option Keycloak in PBMS, ensure the following: * Create client roles on Keycloak application for the client. The client roles can be * Administrator/Settings. * OpenG2P Module Access/Administrator. * OpenG2P Module Access/Registrar.
This completes the configuration of ***Keycloak Authentication Provider*** in PBMS for user log in.