Keycloak

You can enable login with Keycloak using OIDC.

  1. Create a client in your Keycloak realm with:
  • Client type: OpenID Connect
  • Client authentication: false
  • PKCE Method: S256
  • Valid redirect URLs: <OPEN_CASE_URL>/auth/keycloak/callback
  • Web origins: <OPEN_CASE_URL>/*
  • Valid post logout redirect URIs: <OPEN_CASE_URL>
  2. (Optional) Open Case checks for the groups attribute from Keycloak and syncs the groups present in it. To add this attribute in Keycloak:
  • "Add mapper" -> "By configuration" -> "Groups membership"
  3. (Optional) Add specific user attributes to the client scope:
  • In the client configuration go to "Client scopes" and click on <CLIENT_ID>-dedicated
  • "Add mapper" -> "By configuration" -> "User Attribute"
  • Add any of these values to the mapping (all strings):
    • shift_signal_account
    • private_phone_number
    • private_signal_account
    • languages
    • shift_phone_number
  4. Add the configuration values to your dotenv:
KEYCLOAK_DISABLE_DEFAULT_LOGIN=false
KEYCLOAK_ENABLE_USERS_BY_DEFAULT=false
KEYCLOAK_DISPLAY_NAME=My OAuth
KEYCLOAK_CLIENT_ID=<Client ID from Keycloak>
KEYCLOAK_CLIENT_SECRET=<Client secret from Keycloak>
KEYCLOAK_BASE_URL=<Keycloak URL>
KEYCLOAK_REALM=<Keycloak Realm>
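
The client settings in step 1 (Client authentication off, PKCE Method S256, the /auth/keycloak/callback redirect) correspond to the exchange sketched below. This is an added Python example, not Open Case code; the host names, realm and client ID are constructed, and the endpoint path assumes a current Keycloak that serves realms without the legacy /auth prefix.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed sample values standing in for the dotenv entries and <OPEN_CASE_URL>.
KEYCLOAK_BASE_URL = "https://sso.example.org"
KEYCLOAK_REALM = "demo"
KEYCLOAK_CLIENT_ID = "open-case"
OPEN_CASE_URL = "https://opencase.example.org"


def b64url(data: bytes) -> str:  # unpadded base64url, as RFC 7636 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 limit
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def authorization_url(challenge: str, state: str) -> str:
    """Redirect target; path assumes Keycloak without the legacy /auth prefix."""
    endpoint = f"{KEYCLOAK_BASE_URL}/realms/{KEYCLOAK_REALM}/protocol/openid-connect/auth"
    query = urlencode({
        "response_type": "code",
        "client_id": KEYCLOAK_CLIENT_ID,
        "redirect_uri": f"{OPEN_CASE_URL}/auth/keycloak/callback",
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{endpoint}?{query}"


def server_accepts(verifier: str, stored_challenge: str) -> bool:
    """The comparison the authorization server makes when the code is redeemed."""
    recomputed = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    print(authorization_url(challenge, state=secrets.token_urlsafe(16)))
    print(server_accepts(verifier, challenge), server_accepts(new_pkce_pair()[0], challenge))
```

Because the client is public, the code_verifier kept in the user's session is what binds the authorization code to the login that requested it; a code presented with any other verifier fails the final comparison.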