Keycloak Identity Service

The Keycloak service is the centralized Identity Provider (IdP) for the platform, implementing authentication, single sign-on (SSO), and role management.


1. Deployment Specification

  • Base Image: Custom image built on top of the official Keycloak image.
  • Database: PostgreSQL database container (postgres:16) storing persistent account data.
  • Import Realms: Auto-loads configuration profiles on initialization using Keycloak's --import-realm startup flag.
  • Volumes:
      • Import configurations loaded from /opt/keycloak/data/import/.
      • Customized theme folders mounted at /opt/keycloak/themes.

2. Configuration & Integration

Realm Configuration

The primary realm configuration is exported to intelligence-cloud-realm-export.json:

  • Realm Name: intelligence-cloud
  • Default Flow: Browser flow using the Authorization Code Flow with PKCE enforced.
  • Token Expiration: Short-lived access tokens (5 minutes) coupled with refresh tokens.

Client Configuration

  • Client ID: angular-dash
  • Access Type: Public client (a SPA running in the browser cannot store a client secret safely, which is why the flow relies on PKCE instead).
  • Redirect URIs: Configured to redirect to the reverse proxy URL (e.g., http://localhost/* or the production domain URLs).
  • Web Origins: Configured to support Cross-Origin Resource Sharing (CORS) from client dashboard domains.

3. Client Roles & Token Contents

Keycloak embeds a user's client roles in the resource_access claim of the access token, keyed by client ID. An example JWT payload:

{
  "sub": "234a9b-11d2-441d-91b5-901cf102d84",
  "email": "user@example.com",
  "resource_access": {
    "angular-dash": {
      "roles": [
        "editor"
      ]
    }
  }
}

This claim structure lets the API Gateway verify and decode the token statelessly (no call back to Keycloak per request), extract the user's roles, and apply access policies on specific route handlers.
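As an added example that is not part of the project's code, a minimal gateway-side check in Python over a token shaped like the payload above: it pins the algorithm, verifies the signature, checks the issuer and the 5-minute expiry, reads resource_access.angular-dash.roles and enforces a per-route role policy. The shared HS256 secret, issuer URL, route list and the "viewer" role are constructed assumptions; a real deployment verifies Keycloak's RS256 signature against the realm's JWKS instead.

```python
import base64, hashlib, hmac, json

# Constructed values, not from the project: an HS256 shared secret stands in for the realm's RS256 key (JWKS) so this runs offline.
SECRET = b"example-shared-secret-not-for-production"
ISSUER = "http://localhost/realms/intelligence-cloud"   # assumed issuer URL behind the reverse proxy
CLIENT_ID = "angular-dash"
# Assumed route policy: route -> client roles allowed to call it ("viewer" is hypothetical).
ROUTE_POLICY = {"GET /api/reports": {"editor", "viewer"}, "POST /api/reports": {"editor"}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, roles: list, now: int, ttl: int = 300) -> str:
    """Mint a test token shaped like Keycloak's: roles under resource_access.<client>.roles, 5-minute exp."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iss": ISSUER, "azp": CLIENT_ID, "iat": now, "exp": now + ttl,
               "resource_access": {CLIENT_ID: {"roles": roles}}}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, now: int) -> dict:
    """Stateless check: pinned algorithm, signature, issuer and expiry. Raises ValueError on failure."""
    h, p, s = token.split(".")                       # wrong segment count raises ValueError
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":   # pin alg; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload

def client_roles(payload: dict, client_id: str = CLIENT_ID) -> set:
    """Roles from resource_access for one client; a missing claim means no roles, not an error."""
    return set(payload.get("resource_access", {}).get(client_id, {}).get("roles", []))

def authorize(token: str, route: str, now: int) -> bool:
    """Gateway decision for one route: token valid AND at least one role the route policy allows."""
    try:
        roles = client_roles(verify_token(token, now))
    except ValueError:
        return False
    return bool(roles & ROUTE_POLICY.get(route, set()))
```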