Enable SSO using Keycloak
We use Keycloak for identity management. This provides us with an OpenID Connect (OIDC, an identity layer built on top of OAuth 2.0) compliant identity service that we can use to authenticate users, much like what Google and GitHub provide for logging in to other apps. Keycloak will provide:
The login user experience, including the sign-in page
2FA
Password reset and account management features
The ability to manage user permissions centrally, across applications
Our applications simply consume the resulting ID token to authenticate users and to check the roles they are assigned.
We currently support the Authorization Code Flow:
The user accesses the JeMPI UI and clicks on "Sign-In with Keycloak".
The user is redirected to Keycloak, where they submit their credentials.
The user is redirected back to the JeMPI UI along with the auth code parameters.
The auth code parameters are sent to the "POST /authenticate" JeMPI API endpoint.
The JeMPI API sends the auth code to Keycloak along with the Client ID and Client Secret.
JeMPI receives the token, verifies it, then parses the user info (email, username, ...).
The user is added to the Postgres database if this is the first time they sign in.
The JeMPI API creates a session and sends back the user object along with the session cookie.
The user is redirected to the homepage.
Clone the JeMPI git repository
Update the local config to use Keycloak
Execute the local-deployment script
Select Option 1: Deploy JeMPI (For Fresh Start)
Access: http://localhost:3000/login
Sign in with Keycloak user credentials