Keycloak Overview
Keycloak provides:- Single Sign-On (SSO) across all SGI services
- OAuth2/OpenID Connect authentication
- Role-Based Access Control (RBAC)
- User Federation (LDAP, Active Directory)
- Identity Brokering (SAML, Social Login)
Keycloak Installation
Docker Deployment (Recommended)
The SGI authentication server extends the official Keycloak image:Standalone Installation
For non-containerized deployment:Configure Database
Configure Keycloak to use PostgreSQL (recommended for production):Or use the H2 embedded database for development.
SGI Realm Configuration
Importing the SGI Realm
SGI provides a pre-configured realm with all necessary clients, roles, and settings.Import the Realm
Option 1: Admin Console (Recommended)
- Login to Keycloak admin console:
http://localhost:8080/auth - Hover over the realm dropdown (top-left)
- Click “Add realm”
- Select “Import” and choose
sgi-realm.json - Click “Create”
Realm Settings
The SGI realm includes these important settings:Realm identifier used in OAuth2 configuration.
Access token validity in seconds (5 minutes).
SSO session idle timeout in seconds (30 minutes).
Maximum SSO session lifespan in seconds (10 hours).
Offline session idle timeout in seconds (30 days).
Client Configuration
The SGI realm includes multiple OAuth2 clients:Frontend Client (front)
Frontend Client Configuration
Frontend Client Configuration
Client ID:
Client Protocol: openid-connect
Access Type: public
Valid Redirect URIs:
frontClient Protocol: openid-connect
Access Type: public
Valid Redirect URIs:
http://localhost:4200/*(development)https://sgi.example.com/*(production)
http://localhost:4200(development)https://sgi.example.com(production)
- Navigate to Clients →
front - Update Valid Redirect URIs for your domain
- Update Web Origins to match your frontend URL
- Save changes
Backend Service Clients
Each backend service has its own client for service-to-service authentication:CSP Service Client
CSP Service Client
Client ID:
Access Type: confidential
Service Accounts Enabled: true
Authorization Enabled: trueTo generate a new client secret:
csp-serviceAccess Type: confidential
Service Accounts Enabled: true
Authorization Enabled: trueTo generate a new client secret:
- Navigate to Clients →
csp-service - Go to Credentials tab
- Click Regenerate Secret
- Copy the new secret
- Update the secret in your service’s
application.yml:
Other Service Clients
Other Service Clients
Similar configuration for other services:
- eti-service - Ethics Committee service
- pii-service - Intellectual Property service
- cnf-service - Configuration service
- com-service - Communications service
- tp-service - Third Parties service
- usr-service - User management service
- rel-service - Relations service
- rep-service - Reports service
- prc-service - Processing service
- eer-service - External Evaluation Reports service
- Unique client secret (regenerate for production)
- Service account roles configured
- Scope mappings to access other services
Role Configuration
SGI uses role-based access control with module-specific roles.Role Naming Convention
Roles follow the pattern:[MODULE]-[PERMISSION]
Examples from the CSP (Calls, Solicitudes, Proyectos) module:
CSP-ROLE-R- Read permissionCSP-ROLE-E- Edit permissionCSP-ROLE-C- Create permissionCSP-ROLE-B- Delete (Borrar) permission
Module Roles
The SGI realm includes roles for these modules:CSP Module Roles (Calls, Applications, Projects)
CSP Module Roles (Calls, Applications, Projects)
CSP-ROLE-R- View calls, applications, and projectsCSP-ROLE-E- Edit existing recordsCSP-ROLE-C- Create new recordsCSP-ROLE-B- Delete recordsCSP-ROLS-R- View funding requestsCSP-ROLS-E- Edit funding requestsCSP-ROLS-C- Create funding requestsCSP-ROLS-B- Delete funding requests
ETI Module Roles (Ethics Committee)
ETI Module Roles (Ethics Committee)
ETI-ACT-V- View committee actsETI-ACT-E- Edit committee actsETI-EVR-V- View evaluationsETI-EVR-EVALR- Evaluate as evaluatorETI-MEM-V- View memoriesETI-MEM-E- Edit memories
PII Module Roles (Intellectual Property)
PII Module Roles (Intellectual Property)
PII-INV-V- View inventionsPII-INV-E- Edit inventionsPII-INV-C- Create inventionsPII-INV-B- Delete inventions
Administrative Roles
Administrative Roles
ADMINISTRADOR-CSP- CSP module administratorADMINISTRADOR-ETI- ETI module administratorADMINISTRADOR-PII- PII module administratorSYSADM-CSP- CSP system administratorUNIDAD-GESTION- Management unit access
Assigning Roles to Users
Navigate to User
In Keycloak admin console:
- Select the
sgirealm - Click Users in the left menu
- Find and select the user
Assign Realm Roles
- Go to Role Mappings tab
- Under Available Roles, select roles to assign
- Click Add selected
- Assigned roles appear in Assigned Roles section
User Management
Creating Users
Add New User
- Navigate to Users → Add user
- Fill in user details:
- Username (required)
- First Name
- Last Name
- Set Email Verified to ON
- Click Save
Set Password
- Go to Credentials tab
- Set password
- Set Temporary to OFF for permanent password
- Click Set Password
Configure User Attributes
SGI requires the
user_ref_id attribute:- Go to Attributes tab
- Add attribute:
- Key:
user_ref_id - Value: External user reference ID (e.g., employee ID)
- Key:
- Click Save
The
user_ref_id is used to link Keycloak users with external systems (HR, LDAP, etc.).User Federation
Connect Keycloak to LDAP or Active Directory:LDAP Configuration
LDAP Configuration
- Navigate to User Federation → Add provider → ldap
- Configure LDAP settings:
How users are edited. Use READ_ONLY for authoritative LDAP.
LDAP server type (Active Directory, Red Hat Directory Server, etc.).
LDAP connection string (e.g.,
ldap://ldap.example.com:389).Base DN for users (e.g.,
ou=users,dc=example,dc=com).Service account DN for binding to LDAP.
Password for the bind DN.
- Configure attribute mappings to match SGI requirements
- Test connection and authentication
- Synchronize users
Security Considerations
Rotating Client Secrets
Refer to the official guide in the source repository:sgi-auth/docs/keycloak-secrets-rotation.md
Generate New Secret
For each service client:
- Navigate to Clients → [client-name] → Credentials
- Click Regenerate Secret
- Copy the new secret
CVE-2020-27838 Mitigation
SGI 1.0.0 updates Keycloak to version 13.0.0 to address CVE-2020-27838, a security vulnerability in earlier Keycloak versions.Ensure you’re using Keycloak 13.0.0 or later.
Sensitive Information in Realm Export
Token Configuration
Configure JWT tokens for optimal security and performance:Access Token Settings
- Navigate to Realm Settings → Tokens
- Configure token lifespans:
How long access tokens are valid. Shorter is more secure but requires more token refreshes.
Timeout for OAuth2 authorization code flow.
How many times a refresh token can be reused (0 = single use).
Token Claims
SGI uses these custom claims:user_ref_id- External user reference IDauthorities- User roles and permissionssub- Subject (Keycloak user ID)
Troubleshooting
Realm Import Fails
Problem: Realm import fails with validation errors. Solution:Invalid Redirect URI
Problem: Login fails with “Invalid redirect URI” error. Solution: Update thefront client’s Valid Redirect URIs to match your frontend URL.
Client Secret Mismatch
Problem: Services can’t authenticate with “invalid_client” error. Solution: Verify client secret matches between Keycloak and service configuration.User Attribute Missing
Problem: JWT token missinguser_ref_id claim.
Solution:
- Add
user_ref_idattribute to user - Configure client mapper:
- Clients →
front→ Mappers → Create - Mapper Type: User Attribute
- User Attribute:
user_ref_id - Token Claim Name:
user_ref_id
- Clients →
Next Steps
- Administrator Guide - Managing users and permissions
- API Authentication - Using JWT tokens in API requests
- Authorization - Role-based access control and permissions