Skip to content

[INJICERT-871] add docs for keycloak #224

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
vharsh wants to merge 3 commits into
base: develop
Choose a base branch
from
Open

[INJICERT-871] add docs for keycloak #224

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b0766c3
[INJICERT-871] add docs for keycloak
vharsh Feb 11, 2025
0136a3f
[INJICERT-871] add sample data & schema
vharsh Feb 11, 2025
09504f0
[INJICERT-871] move keycloak docs to docs directory
vharsh Apr 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions docs/KEYCLOAK-SETUP.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
# Using Certify with KeyCloak as an AuthZ service

Guide a dev/integrator to use compatible version of Inji Certify to integrate KeyCloak as an Authentication service for VC Issuance. This document is strictly to showcase how other AuthZ services can be used with Certify for the purposes of VC Issuance and does not cover all necessary security guidelines. The Certify developers have tested this with Keycloak 26 and it may work with other standards compliant AuthZ providers.

## Pre-requisite:

1. A configured Keycloak setup(replace this with another compatible AuthZ setup)
2. A working Inji Certify setup with an appropriate VC Plugin

## Steps

### 1. Keycloak Configuration

1. Login into Keycloak and create a "Client" in Keycloak, check for the "Clients" option on the sidebar as shown in ![](./images/Keycloak.png)
- the "Access Type" should be `public`
- add "Valid Redirect URIs" to the appropriate values or keep it to `*` for testing purposes, do change it later
- set "Enabled" to true
- configure
2. Create a "client scope" in Keycloak with the same scope name as the one configured in Certify Well Known
- set the "Protocol" to be `openid-connect`
- set "Include In Token Scope" to `true`
- Create mappers with the "token claim name" of `aud` & `client_id` with the relevant details and set "Add to access token" to `true`.

### 2. Configure Certify

1. Set the Authorize URL of Certify to point to the KeyCloak Authorization server, i.e. `mosip.certify.authorization.url` and configure the `mosip.certify.authn.issuer-uri` & `mosip.certify.authn.jwk-set-uri` appropriately.
2. Configure `mosip.certify.identifier` to the value matching the `aud` value configured in the client.
3. Configure the scope correctly as per the scope of the VerifiableCredential as configured in the Keycloak client in the prior steps.
4. Configure the credential types to match the VC in the well known
5. Add and configure your VC Plugin and configure it's properties
6. Generate an Authorization token via Keycloak and try to download a VC from Certify using the relevant [Postman collections](./postman-collections/) or via another standards compliant interface.
Binary file added docs/images/Keycloak.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.