Authentication - Staff Portal

The OpenG2P Staff Portal provides a single, centralized login for staff and administrators to access all internal OpenG2P modules from one landing page after authentication.

This document defines:

Authentication architecture
Keycloak realm and client design
Token lifecycle and reuse
Single Sign-On (SSO) behavior
Role-based authorization model
End-to-end authentication flows

Key Design Principles

Single authentication, multiple modules
No repeated logins
Shared access token across modules
Strong role-based authorization
Realm isolation across portals
Portal-specific theming

Modules Accessed via Staff Portal

After login, users may access the following modules (based on roles):

Registry
PBMS
G2PBridge
SPAR
Rancher
Superset Dashboard
Keycloak Admin Console
MinIO
ODK

Identity Provider

Keycloak as IAM

Authentication and authorization are provided by Keycloak, implementing OpenID Connect (OIDC).

Realm Strategy

Each OpenG2P portal is mapped to a separate Keycloak realm.

Portal

Realm

Authentication

Staff Portal

openg2p-staff

Keycloak (username/password, MFA optional)

Agent Portal

openg2p-agent

Keycloak

Beneficiary Portal

openg2p-beneficiary

National ID / External IdP

Benefits of Realm Isolation

User and credential separation
Independent security policies
Different authentication methods
Custom UI themes per portal

Staff Portal Realm Design

Realm: openg2p-staff

Within the Staff Portal realm:

Staff Portal UI → OIDC client
Each module → OIDC client
Centralized:
- Users
- Roles
- Groups
- Policies
All clients trust the same realm.

Client Model

Client Types

Client

Type

Staff Portal UI

Public or Confidential

Registry, PBMS, etc.

Confidential

APIs

Bearer-only (recommended)

Role & Authorization Model

Role Types

Realm Roles

TBD

Client Roles (Module-specific)

Keycloak will only manage the high level roles

TBD

Authorization Enforcement

Keycloak embeds roles in the access token
Each module:
- Validates token signature
- Verifies token expiry
- Enforces its own client roles

Token Types & Responsibilities

Token

Purpose

Used By

Authorization Code

One-time login exchange

Staff Portal only

Access Token

Access protected modules

Staff Portal + Modules

ID Token

Identity information

Staff Portal

Refresh Token

Renew access token

Staff Portal only

Authorization Code Flow (OIDC)

TBD - Flow Diagram

Step-by-Step

User accesses Staff Portal URL
Staff Portal checks for valid session
If not authenticated:
- Redirects to Keycloak login
User authenticates in Keycloak
Keycloak redirects back with authorization code
Staff Portal calls token endpoint using:
- Authorization code
- Client authentication / PKCE
Keycloak returns:
- Access Token
- ID Token
- Refresh Token
User is logged in and sees Staff Portal dashboard

Module Access Flow (Single Sign-On)

Shared Access Token Model

TBD - flow diagram

Flow Details

User clicks a module from Staff Portal
Browser navigates to module URL
Module:
- Detects existing Keycloak session
- Accepts the same access token
Module validates:
- Token signature
- Token expiry
- Required client roles
User gains access without re-authentication

Example Access Token Claims

{
  "iss": "https://keycloak/realms/openg2p-staff",
  "preferred_username": "staff.user",
  "realm_access": {
    "roles": ["staff_user"]
  },
  "resource_access": {
    "registry": {
      "roles": ["registry_view", "registry_edit"]
    },
    "pbms": {
      "roles": ["pbms_admin"]
    }
  }
}

Each module checks only its own roles.

Logout Flow (Single Logout)

User logs out from Staff Portal
Staff Portal calls Keycloak logout endpoint
Keycloak invalidates session
All module sessions become invalid

Theming Strategy

Each realm has its own Keycloak theme
Applied to:
- Login pages
- Error pages
- Account console
Realm
Theme
Staff Portal
Admin / Enterprise theme
Agent Portal
Operational theme
Beneficiary Portal
Citizen-friendly theme

High-Level Architecture Diagram

TBD

PreviousStaff Portal NextConsent Management

Last updated 32 minutes ago

Was this helpful?

hashtagKey Design Principles

hashtagModules Accessed via Staff Portal

hashtagIdentity Provider

hashtagKeycloak as IAM

hashtagRealm Strategy

hashtagBenefits of Realm Isolation

hashtagStaff Portal Realm Design

hashtagRealm: openg2p-staff

hashtagClient Model

hashtagClient Types

hashtagRole & Authorization Model

hashtagRole Types

hashtagAuthorization Enforcement

hashtagToken Types & Responsibilities

hashtagAuthentication Flow – Staff Portal Login

hashtagAuthorization Code Flow (OIDC)

hashtagStep-by-Step

hashtagModule Access Flow (Single Sign-On)

hashtagShared Access Token Model

hashtagFlow Details

hashtagExample Access Token Claims

hashtagLogout Flow (Single Logout)

hashtagTheming Strategy

hashtagHigh-Level Architecture Diagram