Version: 3.0

5.2 Keycloak

Keycloak provides comprehensive identity and access management for the entire Data Context Hub ecosystem. To access data or use endpoints within the system, users must obtain an access token with the appropriate roles.

Key Concepts

Keycloak organizes access control through several fundamental components:

  • Realm: A secure and isolated environment where all authentication objects (users, roles, groups, etc.) are managed. Users authenticate within a specific realm, and access tokens are only valid within their issuing realm.

  • Role: Permissions that define specific actions a user can perform within the system.

  • User: Individual accounts that interact with the system. Users can be directly assigned roles or inherit them through group membership.

  • Client: Applications or services that interact with Keycloak. Clients request authentication and authorization on behalf of users or themselves.

  • Group: Collections of users that share common role mappings and attributes. Groups can be arranged hierarchically for more complex access management scenarios.

Data Context Hub Roles

Data Context Hub automatically creates the following standard roles to establish a consistent access control system:

  • dch-admin: Full system access with complete administrative privileges. Users with this role can view, modify, and execute all operations within the system.

  • dch-modify: Extended access that allows users to view, modify, and execute most operations, except those requiring administrative privileges.

  • dch-execute: Basic access that allows users to view and execute operations without modification capabilities.

Client Configuration for Applications

When integrating applications with Data Context Hub endpoints, each application requires its own dedicated client configuration in Keycloak. Follow these steps to create and configure a client using Keycloak's Admin Console:

  1. Log into the Admin Console and select the appropriate realm for your application.
  2. Navigate to the "Clients" section in the menu and click the "Create client" button.
  3. Provide a unique "Client ID" that identifies your application.
  4. Enable "Client authentication" and select only the "Service accounts roles" option, which activates the "Client Credentials Grant" flow. For security reasons, it's recommended to disable all other authentication flows.

When you select "Service accounts roles," Keycloak automatically creates a service account with the username service-account-<clientId> linked to your client. Since roles cannot be directly assigned to clients, you must assign the required roles to this service account instead.

Obtaining Access Tokens

To authenticate service-to-service communications, you can obtain an access token using the client_credentials grant type. This method allows your application to request an access token directly, without user interaction.

curl --request POST '{{keycloakUrl}}/realms/{{realm}}/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id={{clientId}}' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'client_secret={{clientSecret}}'

Replace the placeholder values with your specific configuration:

  • {{keycloakUrl}} - The base URL of your Keycloak server
  • {{realm}} - The name of your Keycloak realm
  • {{clientId}} - Your application's client ID
  • {{clientSecret}} - The client secret generated for your application
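Once an application holds a token, the Data Context Hub endpoint it calls has to validate that token before honouring the dch-* roles carried inside it. The Go program below is an added example, not code from the Data Context Hub project or from Keycloak: it shows what a receiving endpoint checks on a Keycloak RS256 access token (algorithm pinned to RS256, signature against the realm public key, issuer, expiry, and the realm_access.roles claim) and how the dch-admin, dch-modify and dch-execute roles from this page are matched against the set of roles an operation allows. The issuer URL, client name and claims are constructed values; newDemoKey and signRS256 stand in for Keycloak's realm key so the program runs offline, whereas a deployed endpoint fetches only the realm's public key from its JWKS endpoint (/realms/{realm}/protocol/openid-connect/certs) and never holds the private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of Keycloak access-token claims an endpoint needs: realm_access.roles carries the dch-* realm roles, azp names the client the token was issued to.
type Claims struct {
	Issuer      string `json:"iss"`
	Expiry      int64  `json:"exp"`
	AuthParty   string `json:"azp"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

// CheckToken is the receiving endpoint's side: pin RS256, verify the signature with the realm's
// public key, check issuer and expiry, then require one of the roles allowed for this operation.
func CheckToken(token string, pub *rsa.PublicKey, issuer string, now time.Time, allowed ...string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a compact JWS")
	}
	// Pinning the algorithm rejects alg=none and key-type confusion before any crypto runs.
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or unreadable JWS header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Issuer != issuer {
		return nil, fmt.Errorf("issuer %q, expected %q", c.Issuer, issuer)
	}
	if now.Unix() >= c.Expiry {
		return nil, errors.New("token expired")
	}
	for _, want := range allowed {
		for _, have := range c.RealmAccess.Roles {
			if have == want {
				return &c, nil
			}
		}
	}
	return nil, fmt.Errorf("none of %v present in token roles %v", allowed, c.RealmAccess.Roles)
}

func decodeSegment(seg string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// newDemoKey and signRS256 stand in for the realm key pair and Keycloak's signer so the example runs offline; a real endpoint holds only the realm's public key (fetched from its JWKS endpoint).
func newDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func signRS256(priv *rsa.PrivateKey, claims any) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

func main() {
	priv, _ := newDemoKey()
	issuer, now := "https://keycloak.example/realms/dch", time.Now() // constructed issuer
	// Constructed claims for a service account that holds only dch-execute.
	tok, _ := signRS256(priv, map[string]any{"iss": issuer, "exp": now.Add(5 * time.Minute).Unix(),
		"azp": "reporting-service", "realm_access": map[string][]string{"roles": {"dch-execute"}}})
	_, err := CheckToken(tok, &priv.PublicKey, issuer, now, "dch-admin", "dch-modify")
	fmt.Println("may modify:", err == nil) // false: dch-execute cannot modify
	c, err := CheckToken(tok, &priv.PublicKey, issuer, now, "dch-admin", "dch-modify", "dch-execute")
	fmt.Println("may execute:", err == nil, "issued to:", c.AuthParty) // true reporting-service
}
```

Pass CheckToken the full set of roles permitted for the operation (a modifying endpoint accepts dch-admin and dch-modify; a read or execute endpoint also accepts dch-execute), because Keycloak does not imply dch-execute from dch-admin unless the roles are made composite. The azp claim in the returned Claims identifies the client the token was issued to, so a rejected request can be logged against the service account that presented it. If the realm is configured to sign with a different algorithm, adjust the pinned value rather than accepting whatever the header announces.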

User Integration

Keycloak provides flexible options for integrating external user directories and authentication systems with Data Context Hub. This integration can be accomplished through two primary methods:

User Federation

User Federation allows Keycloak to use external user stores as the source of user information. This approach is ideal when you want to maintain user credentials in your existing systems while leveraging Keycloak's authorization capabilities.

Built-in federation providers include:

  • LDAP: Connect to directory services like Active Directory or OpenLDAP
  • Kerberos: Integrate with Kerberos authentication systems

Identity Providers

Identity Providers enable users to authenticate through external identity systems. This approach is suitable when you want to allow users to log in using their existing accounts from other services.

Keycloak supports numerous identity providers out-of-the-box:

  • Social Providers: Google, Facebook, GitHub, Twitter, and others
  • Enterprise Standards: SAML 2.0 and OpenID Connect 1.0

Custom Extensions

For specialized integration requirements, Keycloak supports the development of custom extensions. These extensions can connect to proprietary or legacy authentication systems not covered by the built-in providers.

Tip: When planning user integration, consider which approach best aligns with your existing infrastructure and security requirements. User Federation maintains user data in external systems, while Identity Providers focus on authentication delegation.