
# Configure Keycloak Authentication Provider for User Log in

This document describes how to configure the Keycloak Authentication Provider in PBMS so that end users can log in to PBMS with the Keycloak option.

## Prerequisites

* Create a Keycloak client for PBMS/Social Registry as described in the [Keycloak Client Creation](/operations/deployment/deployment-guide/keycloak/keycloak-client-creation.md) guide.
* Install the OpenID Connect Authentication module.

Note:

* OAuth providers can be created from Odoo Settings (debug mode).
* For a configuration reference, refer to the [OpenID Connect Authentication](/products/pbms/previous-generation/developer-zone/odoo-modules/openid-connect-authentication.md) documentation.

## Procedure

1. Click the main menu icon ![](/files/xKhS7qdJDqpzfMgT2JTm) and select ***Settings***.

<figure><img src="/files/5tiUOXwdubvXfyUSZjPL" alt=""><figcaption></figcaption></figure>

The ***Settings*** screen is displayed.

2. Select the tab ***Users & Companies***, and click the option ***OAUTH Providers***.

<figure><img src="/files/hlCBm3bKGqPorngSCAWY" alt=""><figcaption></figcaption></figure>

The ***Providers*** screen is displayed.

<figure><img src="/files/1rR0ZIyMuHZpsoQTVI7K" alt=""><figcaption></figcaption></figure>

3. Click the ***New*** button.

The ***Providers New*** screen is displayed.

<figure><img src="/files/2FNrNLUGkxRYeiuNGMJB" alt=""><figcaption></figcaption></figure>

4. Enter the values in the respective fields.

The fields, their descriptions, and sample values are given below.

<table><thead><tr><th width="230">Field</th><th width="281">Description</th><th>Value</th></tr></thead><tbody>
<tr><td>Provider name</td><td>Enter the provider name.</td><td>For example: Keycloak for PBMS Login</td></tr>
<tr><td>Auth Flow</td><td>Select the option <em><strong>OpenID Connect Authorization Code Flow</strong></em> from the drop-down.</td><td></td></tr>
<tr><td>Token Map</td><td>A default value is provided. In the default value, change <code>sub:user_id</code> to <code>email:user_id</code> and <code>groups:groups</code> to <code>client_roles:groups</code>.</td><td></td></tr>
<tr><td>Client ID</td><td><p>The ID of the Keycloak client.</p><p>To learn more, refer to <a href="/pages/27GEhm7TLZ7XKCtjol49">Keycloak Client Creation</a>.</p></td><td></td></tr>
<tr><td>Client Authentication Method</td><td>Select the option <em><strong>Client Secret (Post)</strong></em> from the drop-down.</td><td></td></tr>
<tr><td>Client Secret</td><td><p>The <em><strong>Client Secret</strong></em> of the Keycloak client.</p><p>To learn more, refer to <a href="https://docs.openg2p.org/deployment/deployment-guide/keycloak-client-creation">Keycloak Client Creation</a>.</p></td><td></td></tr>
<tr><td>Allowed</td><td>Check the box to enable the option <em><strong>Allowed</strong></em>.</td><td></td></tr>
<tr><td>Allowed in Self Service Portal</td><td>Uncheck the box.</td><td></td></tr>
<tr><td>Allowed in Service Provider Portal</td><td>Uncheck the box.</td><td></td></tr>
<tr><td>Login button label</td><td>Enter the label name for the Keycloak Login button.</td><td><p>For example: <code>Login with Keycloak.</code></p><p>Note: This text, with the button name, will appear on the login page.</p></td></tr>
<tr><td>Image Icon URL</td><td>Enter the URL of an image for the Keycloak Login button.</td><td></td></tr>
<tr><td>Authorization URL, Userinfo URL, Token Endpoint, JWKS URL</td><td><p>These are to be configured as available in the well-known config of Keycloak.</p><p>Note:</p><p>The Keycloak OIDC well-known configuration can be found in Keycloak Admin Console -> Realm Settings -> (Bottom of Page) Endpoints -> OIDC Endpoint Configuration.</p></td><td></td></tr>
<tr><td>Verify Access Token Hash</td><td>Check the box to enable the option <em><strong>Verify Access Token</strong></em>.</td><td></td></tr>
<tr><td>Allow Signup</td><td>Select the option <em><strong>Allows user signup</strong></em> from the drop-down.</td><td></td></tr>
<tr><td>Signup Default Groups</td><td>Select the option <em><strong>User types/Portal</strong></em> from the drop-down.</td><td></td></tr>
<tr><td>Sync User Groups</td><td>Select the option <em><strong>On every Login</strong></em> from the drop-down.</td><td></td></tr>
</tbody></table>

Note:

The remaining fields keep their default values.

5. Click the icon ![](/files/jp22FByGxi9zE0ne6Dng) to save the changes.

If you have configured the ***Keycloak Authentication Provider*** successfully, you can find the ***Log in Keycloak*** button on the PBMS login page.

Before logging in to PBMS with the Keycloak option, ensure the following:

* Create client roles in Keycloak for the client. The client roles can be:
  * Administrator/Settings.
  * OpenG2P Module Access/Administrator.
  * OpenG2P Module Access/Registrar.

<figure><img src="/files/uXS5LBwtE3MGmoe70NmY" alt=""><figcaption></figcaption></figure>

This completes the configuration of ***Keycloak Authentication Provider*** in PBMS for user log in.
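
A check you can run on the step 4 values before saving the provider, as an added example that is not part of the OpenG2P documentation or module code. It maps the standard OIDC discovery keys from Keycloak's well-known document to the four URL fields and verifies that the Token Map carries the two edits from the table. It assumes the Token Map is a whitespace-separated list of `claim:field` pairs; the function names, hostname and realm are hypothetical.

```python
from urllib.parse import urlparse

# Standard OIDC discovery keys for the four URL fields in the table.
DISCOVERY_KEY = {
    "Authorization URL": "authorization_endpoint",
    "Userinfo URL": "userinfo_endpoint",
    "Token Endpoint": "token_endpoint",
    "JWKS URL": "jwks_uri",
}
REQUIRED = [("email", "user_id"), ("client_roles", "groups")]  # edits from the table
REPLACED = [("sub", "user_id"), ("groups", "groups")]  # defaults that must be gone


def endpoint_fields(discovery):
    """Return the four form values; reject missing, non-HTTPS or off-issuer URLs."""
    issuer_host = urlparse(discovery["issuer"]).netloc
    fields = {}
    for label, key in DISCOVERY_KEY.items():
        url = urlparse(discovery.get(key, ""))
        # Policy of this check (an assumption): same host as the issuer, HTTPS only.
        if url.scheme != "https" or url.netloc != issuer_host:
            raise ValueError(f"{label}: {key} missing, not HTTPS, or off-issuer")
        fields[label] = discovery[key]
    return fields


def token_map_problems(token_map):
    """Return a list of problems in an edited Token Map string (empty means OK)."""
    # Assumed format: whitespace-separated claim:field pairs.
    pairs = [tuple(p.split(":", 1)) for p in token_map.split() if ":" in p]
    problems = [f"missing {c}:{f}" for c, f in REQUIRED if (c, f) not in pairs]
    problems += [f"default {c}:{f} still present" for c, f in REPLACED if (c, f) in pairs]
    targets = [f for _, f in pairs]
    for field in sorted(set(targets)):
        if targets.count(field) > 1:
            problems.append(f"{field} is mapped from more than one claim")
    return problems


# Constructed sample input: host and realm are placeholders.
BASE = "https://keycloak.example.org/realms/demo"
SAMPLE_DISCOVERY = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/protocol/openid-connect/auth",
    "token_endpoint": BASE + "/protocol/openid-connect/token",
    "userinfo_endpoint": BASE + "/protocol/openid-connect/userinfo",
    "jwks_uri": BASE + "/protocol/openid-connect/certs",
}
SAMPLE_TOKEN_MAP = "email:user_id name:name email:email client_roles:groups"
```

Pass the JSON from the realm's OIDC Endpoint Configuration link to `endpoint_fields` and the edited Token Map text to `token_map_problems`.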


