Keycloak

Keycloak is an open-source identity and access management (IAM) solution for securing applications and services. In the BC Government, the Pathfinder SSO Keycloak server acts as an OpenID Connect (OIDC) based identity provider.

CHEFS is hosted using a custom Keycloak realm on the Silver OpenShift cluster. To obtain access to the admin panel of the Keycloak realm, contact Jason Chung.


User Groups

To grant admin access, add the user to both the Realm Administrator and operations-team user groups, which are listed under "Manage > Groups" in the Keycloak admin console. The Realm Administrator group grants access to the Keycloak admin console itself (and with it full control over the realm's users, clients and settings, so membership should be kept to a minimum); the operations-team group grants access to the CHEFS admin panel in the UI for the dev, test or production instance.


Duplicate Emails

The realm has the "Duplicate emails" setting (Realm Settings > Login in the admin console) turned on so that BCeID and IDIR accounts are always treated as two separate identities and never merged. If one person holds both a BCeID and an IDIR account, CHEFS treats them as two separate users. Two consequences follow: an email address can never be used as a unique key for a user within CHEFS, and Keycloak's "Login with email" option cannot be enabled on the realm while duplicate emails are allowed.


Refined Roles

CHEFS uses Keycloak composite roles. A composite role is a role that bundles other realm or client roles; assigning the composite to a user grants every role it contains. This allows roles to be grouped, and roles spanning multiple clients to be granted, without assigning each contained role explicitly.


Permissions

Fine-grained CHEFS permissions are handled in the backend database. Keycloak is only consulted for the coarse distinction of whether the caller is a "user" or an "admin."


Forward Propagating Design

CHEFS is constrained by a forward-propagating design: every change to an environment is deployed forward, never rolled back. Each change requires a new migration file, and a migration that has been deployed cannot be removed. Because of this, make sure a change is correct before it is applied; the only remedy for a mistake is a further migration that corrects it.


Keycloak ID vs GUID

It is best practice to use government-issued identifiers (GUID/DID) as the user key within CHEFS. Keying on the Keycloak ID (KCID) creates an additional dependency on the Keycloak product, which is discouraged in case the SSO team decides to adopt another product in the future: the KCID is Keycloak's internal identifier for the user entry and would not carry over, whereas the government GUID is independent of the identity broker.


Migration to Gold

  • Continuity management consideration

  • The CHEFS Admin role is required to access the admin panel

  • verify-token-audience: the Keycloak adapter option that makes the adapter check that a bearer token's "aud" claim names this client before accepting it


Impact on CHEFS Users and End Users

During the transition of CHEFS ownership, no action is required (in terms of Keycloak configuration) from CHEFS users who use the application to create forms, or from the end users who interact with those forms.

However, once the application is hosted on a new domain name, CHEFS users will need to update the link on any channel they use to reach their end users.


If you have any questions or suggestions regarding this documentation, kindly contact Jason Chung on the Forms Design and Submissions team.