# Keycloak Client Creation

Users log into the various services of our modules through Keycloak, which acts as the OIDC authentication provider. All users are configured on Keycloak. Every application that connects to Keycloak also needs a "client" configured on Keycloak. This guide describes the manual and the automated mechanism to create a client with the settings appropriate for our use.

## Manual procedure

The steps to create a Keycloak client are given below.

1. Log into Keycloak on the OpenG2P cluster.
2. Select a realm. If the realm does not exist, create one.
3. Select the ***Clients*** from the left menu and click ***Create Client*** to create the required client.
4. Follow the below general settings while creating a client.
   * Client type: `OpenID Connect`
   * Client ID: `<any client ID>`, for example `openg2p-sr-odk-prod`
   * Name: `<any name>`, for example `Social Registry ODK Prod`
   * Always display in UI: `On`
   * Client authentication: `On` (the client is confidential and is issued a secret)
   * Authentication flow: select `Standard flow` and `Service accounts roles`
   * Valid redirect URIs: `*`. A wildcard accepts any `redirect_uri`, so an authorization code can be delivered to whatever URL the person crafting the login link chooses. Replace it with the application's exact callback URL(s) as soon as they are known.
5. Save the changes and open the ***Credentials*** tab. Note down the client ID and the client secret; both are required while installing the OpenG2P modules. Treat the secret as a credential: keep it in a secret store, not in plain-text configuration.
6. Click the ***Client Scopes*** tab.
7. In the ***Client Scopes*** tab, select the dedicated scope of the client you created (Keycloak names it `<client ID>-dedicated`).
8. Select the ***From Predefined Mappers*** from the ***Add Mapper*** drop-down.
9. In the ***Add Predefined Mapper*** screen, choose to show all mappers on one page, check every mapper under the ***Name*** column, and click the ***Add*** button.
10. Search for the "Audience Resolve" mapper in the list of added mappers and remove it. Then click ***Add Mapper*** -> ***By configuration*** and select the ***Audience*** mapper on the ***Configure new mapper*** page. Configure the audience mapper with the following details.
    * Client ID: `select your Client ID from the drop-down`
    * Add to Access Token: `ON`
    * Add to ID token: `ON`
11. After adding the predefined mappers, search for "client" in the filter, open the ***Client Roles*** mapper, update it with the values below, and save.
    * Client ID: `select your Client ID from the drop-down`
    * Token Claim Name: `client_roles`
    * Add to ID token: `ON`
    * Add to userinfo: `ON`
12. Go back one step to the client details and open the ***Client Scopes*** tab. Remove the "roles" scope from the client.
13. Once the client has been created, use its client ID and secret for the OpenG2P module installation from the Rancher UI.
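The same client can be created with the Keycloak Admin REST API instead of the admin console. The script below is an added example, not the project's Helm chart or code; it uses only the Python standard library. The base URL, realm name, admin credentials and the application's callback URL are placeholders that the operator replaces. Two choices differ from the console procedure and are assumptions of this example: only the two mappers the procedure configures explicitly (***Audience*** and ***Client Roles***) are created, rather than every predefined mapper, and the redirect URI is the application's exact callback URL rather than `*`. The `check_token_claims` helper shows what a correctly issued token for this client must contain, checked here against a constructed sample payload rather than a real token.

```python
# Added example: create the OpenG2P-style Keycloak client via the Admin REST API.
# Not the project's code. Placeholders below are assumptions to be replaced.
import json
import urllib.parse
import urllib.request

KEYCLOAK_URL = "https://keycloak.example.org"          # placeholder
REALM = "openg2p"                                      # placeholder
CLIENT_ID = "openg2p-sr-odk-prod"
CLIENT_NAME = "Social Registry ODK Prod"
REDIRECT_URIS = ["https://odk.example.org/callback"]   # exact URL, not "*" (placeholder)


def build_client_representation(client_id, name, redirect_uris):
    """ClientRepresentation matching steps 4, 10 and 11 of the manual procedure."""
    return {
        "clientId": client_id,
        "name": name,
        "protocol": "openid-connect",        # Client type: OpenID Connect
        "alwaysDisplayInConsole": True,      # Always display in UI: On
        "publicClient": False,               # Client authentication: On (confidential)
        "standardFlowEnabled": True,         # Authentication flow: Standard flow
        "serviceAccountsEnabled": True,      # Authentication flow: Service accounts roles
        "implicitFlowEnabled": False,
        "directAccessGrantsEnabled": False,
        "redirectUris": list(redirect_uris),
        "protocolMappers": [
            {  # Step 10: Audience mapper, so tokens carry aud == this client
                "name": "audience",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-audience-mapper",
                "config": {"included.client.audience": client_id,
                           "access.token.claim": "true", "id.token.claim": "true"},
            },
            {  # Step 11: Client Roles mapper emitting the flat "client_roles" claim
                "name": "client roles",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-usermodel-client-role-mapper",
                "config": {"usermodel.clientRoleMapping.clientId": client_id,
                           "claim.name": "client_roles", "multivalued": "true",
                           "jsonType.label": "String", "access.token.claim": "true",
                           "id.token.claim": "true", "userinfo.token.claim": "true"},
            },
        ],
    }


def _call(method, url, token, body=None):
    """Minimal JSON request helper for the admin API; returns (status, headers, bytes)."""
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers, resp.read()


def admin_token(base, username, password):
    """Password grant against the master realm using the built-in admin-cli client."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(base + "/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def create_client(base, realm, token, rep):
    """POST the representation; Keycloak answers 201 with the client's UUID in Location."""
    admin = "%s/admin/realms/%s" % (base, realm)
    status, headers, _ = _call("POST", admin + "/clients", token, rep)
    if status != 201:
        raise RuntimeError("client creation failed: HTTP %d" % status)
    uuid = headers["Location"].rstrip("/").rsplit("/", 1)[1]
    # Step 12: detach the built-in "roles" default scope from this client.
    _, _, scopes = _call("GET", admin + "/client-scopes", token)
    for scope in json.loads(scopes):
        if scope["name"] == "roles":
            _call("DELETE", "%s/clients/%s/default-client-scopes/%s"
                  % (admin, uuid, scope["id"]), token)
    # Step 5: read the generated secret to hand to the module installation.
    _, _, secret = _call("GET", "%s/clients/%s/client-secret" % (admin, uuid), token)
    return uuid, json.loads(secret)["value"]


def check_token_claims(claims, client_id):
    """Sanity-check a decoded access-token payload for this client; [] means it is correct."""
    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        problems.append("aud lacks %s: audience mapper missing" % client_id)
    if "client_roles" not in claims:
        problems.append("client_roles claim missing: client roles mapper missing")
    if "resource_access" in claims or "realm_access" in claims:
        problems.append("built-in roles scope still attached to the client")
    return problems


if __name__ == "__main__":
    rep = build_client_representation(CLIENT_ID, CLIENT_NAME, REDIRECT_URIS)
    print(json.dumps(rep, indent=2))    # the payload the console steps above produce
    # Constructed sample payload (not a real token) showing a correctly issued token:
    sample = {"aud": [CLIENT_ID, "account"], "client_roles": ["viewer"], "azp": CLIENT_ID}
    print(check_token_claims(sample, CLIENT_ID))
```

To run it against a live instance, obtain a token with `admin_token(KEYCLOAK_URL, user, password)` and pass it to `create_client` together with the representation; after installation, decode an access token obtained through this client and run `check_token_claims` on its payload to confirm the mappers and the scope removal took effect.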

## Automated

Refer to [Keycloak Init Automation](/operations/deployment/deployment-guide/keycloak/keycloak-init-automation.md) for details on the Helm chart that creates all the clients.
