oauth2-proxy/docs/next/configuration/providers/keycloak_oidc/index.html

<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-configuration/providers/keycloak_oidc" data-has-hydrated="false">
<head>
<meta charset="UTF-8">
<meta name="generator" content="Docusaurus v2.4.3">
<title data-rh="true">Keycloak OIDC | OAuth2 Proxy</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Keycloak OIDC | OAuth2 Proxy"><meta data-rh="true" name="description" content="Keycloak has updated its admin console and as of version 19.0.0, the new admin console is enabled by default. The"><meta data-rh="true" property="og:description" content="Keycloak has updated its admin console and as of version 19.0.0, the new admin console is enabled by default. The"><link data-rh="true" rel="icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-rh="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc"><link data-rh="true" rel="alternate" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc" hreflang="en"><link data-rh="true" rel="alternate" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc" hreflang="x-default"><link rel="stylesheet" href="/oauth2-proxy/assets/css/styles.4014daec.css">
<link rel="preload" href="/oauth2-proxy/assets/js/runtime~main.ba6c664f.js" as="script">
<link rel="preload" href="/oauth2-proxy/assets/js/main.2082d8ea.js" as="script">
</head>
<body class="navigation-with-keyboard">
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()||function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/oauth2-proxy/"><div class="navbar__logo"><img src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy" class="themedImage_ToTc themedImage--light_HNdA"><img src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy" class="themedImage_ToTc themedImage--dark_i4oU"></div><b class="navbar__title text--truncate">OAuth2 Proxy</b></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__link" aria-haspopup="true" aria-expanded="false" role="button" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/">7.5.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.4.x/">7.4.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.3.x/">7.3.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.2.x/">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a><div class="toggle_vylO colorModeToggle_DEke"><button class="clean-btn toggleButton_gllP toggleButtonDisabled_aARS" type="button" disabled="" title="Switch between dark and light mode (currently light mode)" aria-label="Switch between dark and light mode (currently light mode)" aria-live="polite"><svg viewBox="0 0 24 24" width="24" height="24" class="lightToggleIcon_pyhR"><path fill="currentColor" d="M12,9c1.65,0,3,1.35,3,3s-1.35,3-3,3s-3-1.35-3-3S10.35,9,12,9 M12,7c-2.76,0-5,2.24-5,5s2.24,5,5,5s5-2.24,5-5 S14.76,7,12,7L12,7z M2,13l2,0c0.55,0,1-0.45,1-1s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S1.45,13,2,13z M20,13l2,0c0.55,0,1-0.45,1-1 s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S19.45,13,20,13z M11,2v2c0,0.55,0.45,1,1,1s1-0.45,1-1V2c0-0.55-0.45-1-1-1S11,1.45,11,2z M11,20v2c0,0.55,0.45,1,1,1s1-0.45,1-1v-2c0-0.55-0.45-1-1-1C11.45,19,11,19.45,11,20z M5.99,4.58c-0.39-0.39-1.03-0.39-1.41,0 c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0s0.39-1.03,0-1.41L5.99,4.58z M18.36,16.95 c-0.39-0.39-1.03-0.39-1.41,0c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41 L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41 s1.03,0.39,1.41,0L19.42,5.99z M7.05,18.36c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06 c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L7.05,18.36z"></path></svg><svg viewBox="0 0 24 24" width="24" height="24" class="darkToggleIcon_wfgR"><path fill="currentColor" d="M9.37,5.51C9.19,6.15,9.1,6.82,9.1,7.5c0,4.08,3.32,7.4,7.4,7.4c0.68,0,1.35-0.09,1.99-0.27C17.45,17.19,14.93,19,12,19 c-3.
legacy admin console has been announced for removal with the release of version 21.0.0.</p></div></div><p><strong>Keycloak legacy admin console</strong></p><ol><li>Create new client in your Keycloak realm with <strong>Access Type</strong> &#x27;confidential&#x27;, <strong>Client protocol</strong>  &#x27;openid-connect&#x27;
and <strong>Valid Redirect URIs</strong> &#x27;<a href="https://internal.yourcompany.com/oauth2/callback&#x27;" target="_blank" rel="noopener noreferrer">https://internal.yourcompany.com/oauth2/callback&#x27;</a></li><li>Take note of the Secret in the credential tab of the client</li><li>Create a mapper with <strong>Mapper Type</strong> &#x27;Group Membership&#x27; and <strong>Token Claim Name</strong> &#x27;groups&#x27;.</li><li>Create a mapper with <strong>Mapper Type</strong> &#x27;Audience&#x27; and <strong>Included Client Audience</strong> and <strong>Included Custom Audience</strong> set
to your client name.</li></ol><p><strong>Keycloak new admin console (default as of v19.0.0)</strong></p><p>The following example shows how to create a simple OIDC client using the new Keycloak admin2 console. However, for best
practices, it is recommended to consult the Keycloak documentation.</p><p>The OIDC client must be configured with an <em>audience mapper</em> to include the client&#x27;s name in the <code>aud</code> claim of the JWT token.<br>
<!-- -->The <code>aud</code> claim specifies the intended recipient of the token, and OAuth2 Proxy expects a match against the values of
either <code>--client-id</code> or <code>--oidc-extra-audience</code>.</p><p><em>In Keycloak, claims are added to JWT tokens through the use of mappers at either the realm level using &quot;client scopes&quot; or
through &quot;dedicated&quot; client mappers.</em></p><p><strong>Creating the client</strong></p><ol><li>Create a new OIDC client in your Keycloak realm by navigating to:<br><strong>Clients</strong> -&gt; <strong>Create client</strong><ul><li><strong>Client Type</strong> &#x27;OpenID Connect&#x27;</li><li><strong>Client ID</strong> <code>&lt;your client&#x27;s id&gt;</code>, please complete the remaining fields as appropriate and click <strong>Next</strong>.<ul><li><strong>Client authentication</strong> &#x27;On&#x27;</li><li><strong>Authentication flow</strong><ul><li><strong>Standard flow</strong>  &#x27;selected&#x27;</li><li><strong>Direct access grants</strong> &#x27;deselect&#x27;<ul><li><em>Save the configuration.</em></li></ul></li></ul></li><li><strong>Settings / Access settings</strong>:<ul><li><strong>Valid redirect URIs</strong> <code>https://internal.yourcompany.com/oauth2/callback</code><ul><li><em>Save the configuration.</em></li></ul></li></ul></li><li>Under the <strong>Credentials</strong> tab you will now be able to locate <code>&lt;your client&#x27;s secret&gt;</code>.</li></ul></li></ul></li><li>Configure a dedicated <em>audience mapper</em> for your client by navigating to <strong>Clients</strong> -&gt; <strong>&lt;your client&#x27;s id&gt;</strong> -&gt; <strong>Client scopes</strong>.</li></ol><ul><li>Access the dedicated mappers pane by clicking <strong>&lt;your client&#x27;s id&gt;-dedicated</strong>, located under <em>Assigned client scope</em>.<br><em>(It should have a description of &quot;Dedicated scope and mappers for this client&quot;)</em><ul><li>Click <strong>Configure a new mapper</strong> and select <strong>Audience</strong><ul><li><strong>Name</strong> &#x27;aud-mapper-&lt;your client&#x27;s id&gt;&#x27;</li><li><strong>Included Client Audience</strong> select <code>&lt;your client&#x27;s id&gt;</code> from the dropdown.<ul><li><em>OAuth2 proxy can be set up to pass both the access and ID JWT tokens to your upstream services.
If you require additional audience entries, you can use the <strong>Included Custom Audience</strong> field in addition
to the &quot;Included Client Audience&quot; dropdown. Note that the &quot;aud&quot; claim of a JWT token should be limited and
only specify its intended recipients.</em></li></ul></li><li><strong>Add to ID token</strong> &#x27;On&#x27;</li><li><strong>Add to access token</strong> &#x27;On&#x27; - <a href="https://github.com/oauth2-proxy/oauth2-proxy/pull/1916" target="_blank" rel="noopener noreferrer">#1916</a><ul><li><em>Save the configuration.</em></li></ul></li></ul></li></ul></li><li>Any subsequent dedicated client mappers can be defined by clicking <strong>Dedicated scopes</strong> -&gt; <strong>Add mapper</strong> -&gt;
<strong>By configuration</strong> -&gt; <em>Select mapper</em></li></ul><p>You should now be able to create a test user in Keycloak and get access to the OAuth2 Proxy instance, make sure to set
an email address matching <code>&lt;yourcompany.com&gt;</code> and select <em>Email verified</em>.</p><p><strong>Authorization</strong></p><p><em>OAuth2 Proxy will perform authorization by requiring a valid user, this authorization can be extended to take into
account a user&#x27;s membership in Keycloak <code>groups</code>, <code>realm roles</code>, and <code>client roles</code> using the keycloak-oidc provider options<br><code>--allowed-role</code> or <code>--allowed-group</code></em></p><p><strong>Roles</strong></p><p><em>A standard Keycloak installation comes with the required mappers for <strong>realm roles</strong> and <strong>client roles</strong> through the
pre-defined client scope &quot;roles&quot;. This ensures that any roles assigned to a user are included in the <code>JWT</code> tokens when
using an OIDC client that has the &quot;Full scope allowed&quot; feature activated, the feature is enabled by default.</em></p><p><em>Creating a realm role</em></p><ul><li>Navigate to <strong>Realm roles</strong> -&gt; <strong>Create role</strong><ul><li><strong>Role name</strong>, <em><code>&lt;realm role name&gt;</code></em> -&gt; <strong>save</strong></li></ul></li></ul><p><em>Creating a client role</em></p><ul><li>Navigate to <strong>Clients</strong> -&gt; <code>&lt;your client&#x27;s id&gt;</code> -&gt; <strong>Roles</strong> -&gt; <strong>Create role</strong><ul><li><strong>Role name</strong>, <em><code>&lt;client role name&gt;</code></em> -&gt; <strong>save</strong></li></ul></li></ul><p><em>Assign a role to a user</em></p><p><strong>Users</strong> -&gt; <em>Username</em> -&gt; <strong>Role mapping</strong> -&gt; <strong>Assign role</strong> -&gt; <em>filter by roles or clients and select</em> -&gt; <strong>Assign</strong>.</p><p>Keycloak &quot;realm roles&quot; can be authorized using the <code>--allowed-role=&lt;realm role name&gt;</code> option, while &quot;client roles&quot; can be
evaluated using <code>--allowed-role=&lt;your client&#x27;s id&gt;:&lt;client role name&gt;</code>.</p><p>You may limit the <em>realm roles</em> included in the JWT tokens for any given client by navigating to:<br>
<strong>Clients</strong> -&gt; <code>&lt;your client&#x27;s id&gt;</code> -&gt; <strong>Client scopes</strong> -&gt;  <em>&lt;your client&#x27;s id&gt;-dedicated</em> -&gt; <strong>Scope</strong><br>
<!-- -->Disabling <strong>Full scope allowed</strong> activates the <strong>Assign role</strong> option, allowing you to select which roles, if assigned
to a user, will be included in the user&#x27;s JWT tokens. This can be useful when a user has many associated roles, and you
want to reduce the size and impact of the JWT token.</p><p><strong>Groups</strong></p><p>You may also do authorization on group memberships by using the OAuth2 Proxy option <code>--allowed-group</code>.<br>
<!-- -->We will only do a brief description of creating the required <em>client scope</em> <strong>groups</strong> and refer you to read the Keycloak
documentation.</p><p>To summarize, the steps required to authorize Keycloak group membership with OAuth2 Proxy are as follows:</p><ul><li>Create a new Client Scope with the name <strong>groups</strong> in Keycloak.<ul><li>Include a mapper of type <strong>Group Membership</strong>.</li><li>Set the &quot;Token Claim Name&quot; to <strong>groups</strong> or customize by matching it to the <code>--oidc-groups-claim</code> option of OAuth2 Proxy.</li><li>If the &quot;Full group path&quot; option is selected, you need to include a &quot;/&quot; separator in the group names defined in the
<code>--allowed-group</code> option of OAuth2 Proxy. Example: &quot;/groupname&quot; or &quot;/groupname/child_group&quot;.</li></ul></li></ul><p>After creating the <em>Client Scope</em> named <em>groups</em> you will need to attach it to your client.<br>
<strong>Clients</strong> -&gt; <code>&lt;your client&#x27;s id&gt;</code> -&gt; <strong>Client scopes</strong> -&gt; <strong>Add client scope</strong> -&gt; Select <strong>groups</strong> and choose Optional
and you should now have a client that maps group memberships into the JWT tokens so that Oauth2 Proxy may evaluate them.</p><p>Create a group by navigating to <strong>Groups</strong> -&gt; <strong>Create group</strong> and <em>add</em> your test user as a member.</p><p>The OAuth2 Proxy option <code>--allowed-group=/groupname</code> will now allow you to filter on group membership</p><p>Keycloak also has the option of attaching roles to groups, please refer to the Keycloak documentation for more information.</p><p><strong>Tip</strong></p><p>To check if roles or groups are added to JWT tokens, you can preview a users token in the Keycloak console by following
these steps: <strong>Clients</strong> -&gt; <code>&lt;your client&#x27;s id&gt;</code> -&gt; <strong>Client scopes</strong> -&gt; <strong>Evaluate</strong>.<br>
<!-- -->Select a <em>realm user</em> and optional <em>scope parameters</em> such as groups, and generate the JSON representation of an access
or id token to examine its contents.</p></div><footer class="theme-doc-footer docusaurus-mt-lg"><div class="theme-doc-footer-edit-meta-row row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/providers/keycloak_oidc.md" target="_blank" rel="noreferrer noopener" class="theme-edit-this-page"><svg fill="currentColor" height="20" width="20" viewBox="0 0 40 40" class="iconEdit_Z9Sw" aria-hidden="true"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div><div class="col lastUpdated_vwxv"></div></div></footer></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"><a class="pagination-nav__link pagination-nav__link--prev" href="/oauth2-proxy/docs/next/configuration/providers/keycloak"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">Keycloak</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/oauth2-proxy/docs/next/configuration/providers/gitlab"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">GitLab</div></a></nav></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="footer__copyright">Copyright © 2023 OAuth2 Proxy.</div></div></div></footer></div>
<script src="/oauth2-proxy/assets/js/runtime~main.ba6c664f.js"></script>
<script src="/oauth2-proxy/assets/js/main.2082d8ea.js"></script>
</body>
</html>
Update documentation based on 76bc2cf73fb643143a69df7a39bd85685355ebdc 2023-10-31 19:34:53 +00:00			`<!doctype html>`
			`<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-configuration/providers/keycloak_oidc" data-has-hydrated="false">`
			`<head>`
			`<meta charset="UTF-8">`
			`<meta name="generator" content="Docusaurus v2.4.3">`
			<title data-rh="true">Keycloak OIDC \| OAuth2 Proxy</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:url" content="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Keycloak OIDC \| OAuth2 Proxy"><meta data-rh="true" name="description" content="Keycloak has updated its admin console and as of version 19.0.0, the new admin console is enabled by default. The"><meta data-rh="true" property="og:description" content="Keycloak has updated its admin console and as of version 19.0.0, the new admin console is enabled by default. The"><link data-rh="true" rel="icon" href="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg"><link data-rh="true" rel="canonical" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc"><link data-rh="true" rel="alternate" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc" hreflang="en"><link data-rh="true" rel="alternate" href="https://oauth2-proxy.github.io/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc" hreflang="x-default"><link rel="stylesheet" href="/oauth2-proxy/assets/css/styles.4014daec.css">
			`<link rel="preload" href="/oauth2-proxy/assets/js/runtime~main.ba6c664f.js" as="script">`
			`<link rel="preload" href="/oauth2-proxy/assets/js/main.2082d8ea.js" as="script">`
			`</head>`
			`<body class="navigation-with-keyboard">`
			`<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()\|\|function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">`
			<div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="navbar navbar--fixed-top"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/oauth2-proxy/"><div class="navbar__logo"><img src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy" class="themedImage_ToTc themedImage--light_HNdA"><img src="/oauth2-proxy/img/logos/OAuth2_Proxy_icon.svg" alt="OAuth2 Proxy" class="themedImage_ToTc themedImage--dark_i4oU"></div><b class="navbar__title text--truncate">OAuth2 Proxy</b></a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/oauth2-proxy/docs/">Docs</a></div><div class="navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a class="navbar__link" aria-haspopup="true" aria-expanded="false" role="button" href="/oauth2-proxy/docs/next/">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/oauth2-proxy/docs/next/configuration/providers/keycloak_oidc">Next</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/">7.5.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.4.x/">7.4.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.3.x/">7.3.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.2.x/">7.2.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.1.x/">7.1.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/7.0.x/">7.0.x</a></li><li><a class="dropdown__link" href="/oauth2-proxy/docs/6.1.x/">6.1.x</a></li></ul></div><a href="https://github.com/oauth2-proxy/oauth2-proxy" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link">GitHub<svg width="13.5" height="13.5" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a><div class="toggle_vylO colorModeToggle_DEke"><button class="clean-btn toggleButton_gllP toggleButtonDisabled_aARS" type="button" disabled="" title="Switch between dark and light mode (currently light mode)" aria-label="Switch between dark and light mode (currently light mode)" aria-live="polite"><svg viewBox="0 0 24 24" width="24" height="24" class="lightToggleIcon_pyhR"><path fill="currentColor" d="M12,9c1.65,0,3,1.35,3,3s-1.35,3-3,3s-3-1.35-3-3S10.35,9,12,9 M12,7c-2.76,0-5,2.24-5,5s2.24,5,5,5s5-2.24,5-5 S14.76,7,12,7L12,7z M2,13l2,0c0.55,0,1-0.45,1-1s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S1.45,13,2,13z M20,13l2,0c0.55,0,1-0.45,1-1 s-0.45-1-1-1l-2,0c-0.55,0-1,0.45-1,1S19.45,13,20,13z M11,2v2c0,0.55,0.45,1,1,1s1-0.45,1-1V2c0-0.55-0.45-1-1-1S11,1.45,11,2z M11,20v2c0,0.55,0.45,1,1,1s1-0.45,1-1v-2c0-0.55-0.45-1-1-1C11.45,19,11,19.45,11,20z M5.99,4.58c-0.39-0.39-1.03-0.39-1.41,0 c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0s0.39-1.03,0-1.41L5.99,4.58z M18.36,16.95 c-0.39-0.39-1.03-0.39-1.41,0c-0.39,0.39-0.39,1.03,0,1.41l1.06,1.06c0.39,0.39,1.03,0.39,1.41,0c0.39-0.39,0.39-1.03,0-1.41 L18.36,16.95z M19.42,5.99c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06c-0.39,0.39-0.39,1.03,0,1.41 s1.03,0.39,1.41,0L19.42,5.99z M7.05,18.36c0.39-0.39,0.39-1.03,0-1.41c-0.39-0.39-1.03-0.39-1.41,0l-1.06,1.06 c-0.39,0.39-0.39,1.03,0,1.41s1.03,0.39,1.41,0L7.05,18.36z"></path></svg><svg viewBox="0 0 24 24" width="24" height="24" class="darkToggleIcon_wfgR"><path fill="currentColor" d="M9.37,5.51C9.19,6.15,9.1,6.82,9.1,7.5c0,4.08,3.32,7.4,7.4,7.4c0.68,0,1.35-0.09,1.99-0.27C17.45,17.19,14.93,19,12,19 c-3.
			`legacy admin console has been announced for removal with the release of version 21.0.0.</p></div></div><p><strong>Keycloak legacy admin console</strong></p><ol><li>Create new client in your Keycloak realm with <strong>Access Type</strong> 'confidential', <strong>Client protocol</strong> 'openid-connect'`
			and <strong>Valid Redirect URIs</strong> '<a href="https://internal.yourcompany.com/oauth2/callback'" target="_blank" rel="noopener noreferrer">https://internal.yourcompany.com/oauth2/callback'</a></li><li>Take note of the Secret in the credential tab of the client</li><li>Create a mapper with <strong>Mapper Type</strong> 'Group Membership' and <strong>Token Claim Name</strong> 'groups'.</li><li>Create a mapper with <strong>Mapper Type</strong> 'Audience' and <strong>Included Client Audience</strong> and <strong>Included Custom Audience</strong> set
			`to your client name.</li></ol><p><strong>Keycloak new admin console (default as of v19.0.0)</strong></p><p>The following example shows how to create a simple OIDC client using the new Keycloak admin2 console. However, for best`
			`practices, it is recommended to consult the Keycloak documentation.</p><p>The OIDC client must be configured with an <em>audience mapper</em> to include the client's name in the <code>aud</code> claim of the JWT token.<br>`
			`<!-- -->The <code>aud</code> claim specifies the intended recipient of the token, and OAuth2 Proxy expects a match against the values of`
			`either <code>--client-id</code> or <code>--oidc-extra-audience</code>.</p><p><em>In Keycloak, claims are added to JWT tokens through the use of mappers at either the realm level using "client scopes" or`
			through "dedicated" client mappers.</em></p><p><strong>Creating the client</strong></p><ol><li>Create a new OIDC client in your Keycloak realm by navigating to:<br><strong>Clients</strong> -> <strong>Create client</strong><ul><li><strong>Client Type</strong> 'OpenID Connect'</li><li><strong>Client ID</strong> <code><your client's id></code>, please complete the remaining fields as appropriate and click <strong>Next</strong>.<ul><li><strong>Client authentication</strong> 'On'</li><li><strong>Authentication flow</strong><ul><li><strong>Standard flow</strong> 'selected'</li><li><strong>Direct access grants</strong> 'deselect'<ul><li><em>Save the configuration.</em></li></ul></li></ul></li><li><strong>Settings / Access settings</strong>:<ul><li><strong>Valid redirect URIs</strong> <code>https://internal.yourcompany.com/oauth2/callback</code><ul><li><em>Save the configuration.</em></li></ul></li></ul></li><li>Under the <strong>Credentials</strong> tab you will now be able to locate <code><your client's secret></code>.</li></ul></li></ul></li><li>Configure a dedicated <em>audience mapper</em> for your client by navigating to <strong>Clients</strong> -> <strong><your client's id></strong> -> <strong>Client scopes</strong>.</li></ol><ul><li>Access the dedicated mappers pane by clicking <strong><your client's id>-dedicated</strong>, located under <em>Assigned client scope</em>.<br><em>(It should have a description of "Dedicated scope and mappers for this client")</em><ul><li>Click <strong>Configure a new mapper</strong> and select <strong>Audience</strong><ul><li><strong>Name</strong> 'aud-mapper-<your client's id>'</li><li><strong>Included Client Audience</strong> select <code><your client's id></code> from the dropdown.<ul><li><em>OAuth2 proxy can be set up to pass both the access and ID JWT tokens to your upstream services.
			`If you require additional audience entries, you can use the <strong>Included Custom Audience</strong> field in addition`
			`to the "Included Client Audience" dropdown. Note that the "aud" claim of a JWT token should be limited and`
			only specify its intended recipients.</em></li></ul></li><li><strong>Add to ID token</strong> 'On'</li><li><strong>Add to access token</strong> 'On' - <a href="https://github.com/oauth2-proxy/oauth2-proxy/pull/1916" target="_blank" rel="noopener noreferrer">#1916</a><ul><li><em>Save the configuration.</em></li></ul></li></ul></li></ul></li><li>Any subsequent dedicated client mappers can be defined by clicking <strong>Dedicated scopes</strong> -> <strong>Add mapper</strong> ->
			`<strong>By configuration</strong> -> <em>Select mapper</em></li></ul><p>You should now be able to create a test user in Keycloak and get access to the OAuth2 Proxy instance, make sure to set`
			`an email address matching <code><yourcompany.com></code> and select <em>Email verified</em>.</p><p><strong>Authorization</strong></p><p><em>OAuth2 Proxy will perform authorization by requiring a valid user, this authorization can be extended to take into`
			`account a user's membership in Keycloak <code>groups</code>, <code>realm roles</code>, and <code>client roles</code> using the keycloak-oidc provider options<br><code>--allowed-role</code> or <code>--allowed-group</code></em></p><p><strong>Roles</strong></p><p><em>A standard Keycloak installation comes with the required mappers for <strong>realm roles</strong> and <strong>client roles</strong> through the`
			`pre-defined client scope "roles". This ensures that any roles assigned to a user are included in the <code>JWT</code> tokens when`
			using an OIDC client that has the "Full scope allowed" feature activated, the feature is enabled by default.</em></p><p><em>Creating a realm role</em></p><ul><li>Navigate to <strong>Realm roles</strong> -> <strong>Create role</strong><ul><li><strong>Role name</strong>, <em><code><realm role name></code></em> -> <strong>save</strong></li></ul></li></ul><p><em>Creating a client role</em></p><ul><li>Navigate to <strong>Clients</strong> -> <code><your client's id></code> -> <strong>Roles</strong> -> <strong>Create role</strong><ul><li><strong>Role name</strong>, <em><code><client role name></code></em> -> <strong>save</strong></li></ul></li></ul><p><em>Assign a role to a user</em></p><p><strong>Users</strong> -> <em>Username</em> -> <strong>Role mapping</strong> -> <strong>Assign role</strong> -> <em>filter by roles or clients and select</em> -> <strong>Assign</strong>.</p><p>Keycloak "realm roles" can be authorized using the <code>--allowed-role=<realm role name></code> option, while "client roles" can be
			`evaluated using <code>--allowed-role=<your client's id>:<client role name></code>.</p><p>You may limit the <em>realm roles</em> included in the JWT tokens for any given client by navigating to:<br>`
			`<strong>Clients</strong> -> <code><your client's id></code> -> <strong>Client scopes</strong> -> <em><your client's id>-dedicated</em> -> <strong>Scope</strong><br>`
			`<!-- -->Disabling <strong>Full scope allowed</strong> activates the <strong>Assign role</strong> option, allowing you to select which roles, if assigned`
			`to a user, will be included in the user's JWT tokens. This can be useful when a user has many associated roles, and you`
			`want to reduce the size and impact of the JWT token.</p><p><strong>Groups</strong></p><p>You may also do authorization on group memberships by using the OAuth2 Proxy option <code>--allowed-group</code>.<br>`
			`<!-- -->We will only do a brief description of creating the required <em>client scope</em> <strong>groups</strong> and refer you to read the Keycloak`
			documentation.</p><p>To summarize, the steps required to authorize Keycloak group membership with OAuth2 Proxy are as follows:</p><ul><li>Create a new Client Scope with the name <strong>groups</strong> in Keycloak.<ul><li>Include a mapper of type <strong>Group Membership</strong>.</li><li>Set the "Token Claim Name" to <strong>groups</strong> or customize by matching it to the <code>--oidc-groups-claim</code> option of OAuth2 Proxy.</li><li>If the "Full group path" option is selected, you need to include a "/" separator in the group names defined in the
			`<code>--allowed-group</code> option of OAuth2 Proxy. Example: "/groupname" or "/groupname/child_group".</li></ul></li></ul><p>After creating the <em>Client Scope</em> named <em>groups</em> you will need to attach it to your client.<br>`
			`<strong>Clients</strong> -> <code><your client's id></code> -> <strong>Client scopes</strong> -> <strong>Add client scope</strong> -> Select <strong>groups</strong> and choose Optional`
			and you should now have a client that maps group memberships into the JWT tokens so that Oauth2 Proxy may evaluate them.</p><p>Create a group by navigating to <strong>Groups</strong> -> <strong>Create group</strong> and <em>add</em> your test user as a member.</p><p>The OAuth2 Proxy option <code>--allowed-group=/groupname</code> will now allow you to filter on group membership</p><p>Keycloak also has the option of attaching roles to groups, please refer to the Keycloak documentation for more information.</p><p><strong>Tip</strong></p><p>To check if roles or groups are added to JWT tokens, you can preview a users token in the Keycloak console by following
			`these steps: <strong>Clients</strong> -> <code><your client's id></code> -> <strong>Client scopes</strong> -> <strong>Evaluate</strong>.<br>`
			`<!-- -->Select a <em>realm user</em> and optional <em>scope parameters</em> such as groups, and generate the JSON representation of an access`
			or id token to examine its contents.</p></div><footer class="theme-doc-footer docusaurus-mt-lg"><div class="theme-doc-footer-edit-meta-row row"><div class="col"><a href="https://github.com/oauth2-proxy/oauth2-proxy/edit/master/docs/docs/configuration/providers/keycloak_oidc.md" target="_blank" rel="noreferrer noopener" class="theme-edit-this-page"><svg fill="currentColor" height="20" width="20" viewBox="0 0 40 40" class="iconEdit_Z9Sw" aria-hidden="true"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div><div class="col lastUpdated_vwxv"></div></div></footer></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"><a class="pagination-nav__link pagination-nav__link--prev" href="/oauth2-proxy/docs/next/configuration/providers/keycloak"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">Keycloak</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/oauth2-proxy/docs/next/configuration/providers/gitlab"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">GitLab</div></a></nav></div></div></div></div></main></div></div><footer class="footer footer--dark"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="footer__copyright">Copyright © 2023 OAuth2 Proxy.</div></div></div></footer></div>
			`<script src="/oauth2-proxy/assets/js/runtime~main.ba6c664f.js"></script>`
			`<script src="/oauth2-proxy/assets/js/main.2082d8ea.js"></script>`
			`</body>`
			`</html>`