Configuring Keycloak Client with PKCE and Registering a User

This section explains how to integrate digiRunner with Keycloak to establish a standard API access authentication and authorization mechanism. This enhances system security and simplifies identity management workflows.

Creating Client in Keycloak

  1. Log in to the Keycloak admin console, and select Clients from the left sidebar to access the client management page, which lists all existing clients.

  2. Click Create Client in the upper right corner to access the client creation page, and configure the client as follows:

  • Client Type: Select OpenID Connect from the drop-down menu.

  • Client ID: Enter a unique identifier for this client. This value will be used later in integration settings.

  • Name: Enter a meaningful name to easily identify the client’s purpose.

  • Description: Optional. Add a brief description for reference and future maintenance.

  3. Click the Capability config tab to proceed.

Configuring Client Capabilities

  1. On the Capability config page, ensure that Client authentication is On (enabled), indicating this is a confidential client.

  2. In the Authentication flow section:

  • Check Standard flow to enable the standard Authorization Code Flow for this client.

  • Uncheck Direct access grants to disable the Resource Owner Password Credentials Flow.

  3. Click the Login settings tab to proceed.

Configuring Login Settings

  1. In the Valid redirect URIs field, enter: https://oauth.pstmn.io/v1/callback. This is the default callback URL for Postman and is required when testing the OAuth flow using Postman. Keep this list limited to the exact URIs your clients actually use, since the authorization server will redirect the code to any URI that matches.

  2. Click Save to complete the client creation.

Enabling PKCE with S256 Hash Algorithm

This section guides you through enabling PKCE using the secure S256 hashing algorithm, ensuring the client and authorization server use the same method.

  1. Once the client is created, switch to the Clients list tab and click the newly created client to access the settings page.

  2. Go to the Advanced tab, and select Advanced settings from the right panel to jump to that section.

  3. In the Proof Key for Code Exchange Code Challenge Method field, select S256 to enable PKCE.
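As an added worked example (not part of this guide or of digiRunner), this shows what the client side of the S256 setting above has to do: derive the code_challenge from a random code_verifier per RFC 7636, build the authorization request for the Standard flow, and assemble the token-request fields that carry the code_verifier together with the Client Secret. The Keycloak base URL, realm and Client ID are constructed placeholders; the redirect URI is the Postman callback from this guide.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholders: substitute your Keycloak base URL, realm and Client ID.
KEYCLOAK_BASE = "https://keycloak.example.com"
REALM = "example-realm"
CLIENT_ID = "digirunner-client"
REDIRECT_URI = "https://oauth.pstmn.io/v1/callback"  # Postman callback from this guide

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes give 43 chars (RFC 7636 allows 43-128)."""
    return b64url(secrets.token_bytes(n_bytes))

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for method S256."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_s256(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    return secrets.compare_digest(s256_challenge(verifier), challenge)

def authorize_url(challenge: str, state: str) -> str:
    """Authorization request for the Standard flow (Authorization Code + PKCE)."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"

def token_request_body(code: str, verifier: str, client_secret: str) -> dict:
    """Form fields for the token endpoint; a confidential client also sends its secret."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": client_secret, "code_verifier": verifier}
```

The verifier must be generated fresh per authorization request and kept only on the client; only the challenge travels in the browser redirect.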

Retrieving the Client Secret

  1. Click the Credentials tab to access the page.

  2. Locate the Client Secret field, and click on the icon to reveal the secret.

  3. Copy this value. It will be required when configuring the IdP Client Secret in digiRunner’s OAuth 2.0 settings.

Creating a Test User Account

  1. In the left sidebar, go to Users and click Add user to create a new user.

  2. Enter a Username for the account and click Create.

Setting up a User Password

  1. Once the user is created, go to the Credentials tab and click Set password to proceed.

  2. Fill in the Password and Password confirmation fields.

  3. Set Temporary to Off so the user is not forced to change the password at first login, and click Save.

  4. A confirmation dialog will appear. Click Save password to confirm.

You have now successfully set up a client with PKCE enabled and created a test user account. You are ready to test the OAuth 2.0 Authorization Code Flow using Postman or connect the setup to digiRunner.
