OAuth2 / Keycloak
The jadice flow controller can use keycloak to enable OAuth2 authentication. The usage is recommended. With active keycloak, all requests need to authenticate via keycloak. Multiple adapters can be configured in the keycloak server to allow user federation / Active Directory integration, social logins or manual user control. It can be enabled via the application.yaml. See the appropriate following chapters for more details.
Keycloak server / realm configuration
Jadice flow requires a realm in the keycloak server. In this realm, client applications can be configured. Flow utilizes the following clients:
jadice-flow-controller: Bearer only - all requests must already provide a valid token.
jadice-flow-ui: Public client - if the session is not authenticated, the user will be redirected to the keycloak login before accessing the UI.
jadice-flow-sa: the service account for other external service components which shall interact with the jadice-flow-controller. It is set to the confidential client mode. In this mode, a secret is generated and can be used by the application to retrieve a token via the API when authenticating. It is possible to create multiple service accounts (one for each source scanner, external service, etc.). The UI also uses a service account for non-user triggered status queries.
Keycloak configuration controller
Example snippet for the controller:
# Keycloak
keycloak:
  enabled: true
  auth-server-url: https://myAuthServer/auth
  realm: jadice-flow
  resource: jadice-flow-controller
  public-client: false
This requires incoming requests to contain the appropriate token in the header.
Keycloak configuration UI
Example snippet for the controller UI:
# Keycloak
keycloak:
  enabled: true
  auth-server-url: ${jadice-flow.keycloakBaseURL}/auth
  realm: jadice-flow
  resource: jadice-flow-ui
  public-client: true
OAuth2Config:
  enabled: ${keycloak.enabled}
  resourceName: jadice-flow-sa
  token-url: ${jadice-flow.keycloakBaseURL}/auth/realms/${keycloak.realm}/protocol/openid-connect/token
  auth-grant-type: client_credentials
  client-secret: abcdefg
This allows users to log in using the keycloak login page which will redirect to the UI.
Keycloak configuration service account
Example snippet for a service account:
# Keycloak
keycloak:
  enabled: true
  auth-server-url: ${jadice-flow.keycloakBaseURL}/auth
  realm: jadice-flow
  resource: jadice-flow-sa
  public-client: false
OAuth2Config:
  enabled: ${keycloak.enabled}
  resourceName: ${keycloak.resource}
  token-url: ${jadice-flow.keycloakBaseURL}/auth/realms/${keycloak.realm}/protocol/openid-connect/token
  auth-grant-type: client_credentials
  client-secret: abcdefg
This enables service accounts like source scanners or external services to use the provided client-secret to authenticate.
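The following script is an added example, not part of the jadice flow documentation or code base, showing what the service-account configuration above (and the bearer-only controller configuration before it) amounts to on the wire: a confidential client posts a client_credentials grant to the token-url composed from the keycloak base URL and realm, receives an access token, and presents it as an Authorization: Bearer header to the jadice-flow-controller. The realm, client name and placeholder secret are the page's; the host https://myAuthServer is taken from the controller snippet and the sample token is constructed locally so the script runs without a keycloak server. The claim check at the end is a client-side sanity check only; the controller itself validates the token signature against the realm's keys.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Values from the page's application.yaml snippets. The host is the page's example
# host and the secret is the page's placeholder; a real secret belongs in a vault.
KEYCLOAK_BASE_URL = "https://myAuthServer"
REALM = "jadice-flow"
SERVICE_ACCOUNT_CLIENT = "jadice-flow-sa"
CLIENT_SECRET = "abcdefg"


def token_url(base_url: str, realm: str) -> str:
    """Compose token-url the same way the OAuth2Config snippet does."""
    return f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"


def issuer(base_url: str, realm: str) -> str:
    """The 'iss' claim keycloak puts into tokens issued by this realm."""
    return f"{base_url}/auth/realms/{realm}"


def client_credentials_request(base_url, realm, client_id, client_secret):
    """Build the POST for auth-grant-type client_credentials (confidential client).
    The secret travels in the form body, so this request must only ever use TLS."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        token_url(base_url, realm),
        data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def bearer_header(token_response: dict) -> dict:
    """Header a caller sends to the bearer-only jadice-flow-controller client."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("token endpoint did not return a bearer token")
    return {"Authorization": "Bearer " + token_response["access_token"]}


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unverified_claims(jwt: str) -> dict:
    """Decode the payload only. No signature check here: the controller validates
    tokens against the realm's keys; this is for client-side diagnostics."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_matches_config(claims, base_url, realm, client_id, now=None) -> bool:
    """Sanity check before using a token: issued by the configured realm, to the
    configured client (azp), and not yet expired."""
    now = time.time() if now is None else now
    return (
        claims.get("iss") == issuer(base_url, realm)
        and claims.get("azp") == client_id
        and isinstance(claims.get("exp"), (int, float))
        and claims["exp"] > now
    )


def make_sample_token(claims: dict) -> str:
    """Constructed sample JWT so the example runs offline. A real keycloak token is
    RS256-signed; the placeholder signature here would be rejected by the controller."""
    header = _b64url_encode({"alg": "RS256", "typ": "JWT"})
    return ".".join([header, _b64url_encode(claims), "placeholder-signature"])


if __name__ == "__main__":
    req = client_credentials_request(KEYCLOAK_BASE_URL, REALM, SERVICE_ACCOUNT_CLIENT, CLIENT_SECRET)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # Offline stand-in for the token endpoint's JSON answer (constructed).
    response = {"token_type": "Bearer", "access_token": make_sample_token({
        "iss": issuer(KEYCLOAK_BASE_URL, REALM),
        "azp": SERVICE_ACCOUNT_CLIENT,
        "exp": int(time.time()) + 300,
    })}
    print(bearer_header(response))
    claims = unverified_claims(response["access_token"])
    print(token_matches_config(claims, KEYCLOAK_BASE_URL, REALM, SERVICE_ACCOUNT_CLIENT))
```

Against a live server, `urllib.request.urlopen(req)` in place of the constructed response yields the real token JSON; everything after that stays the same. Note that the service account's token identifies the calling client in `azp`, which is what the check above compares against the configured resource name.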