Keycloak

Setup guide for using Keycloak as the OIDC provider for the FDK server.

Realm Setup

  1. Create a new realm or use an existing one.
  2. Note the realm URL: https://<keycloak-host>/realms/<realm-name>.

Client Registration

  1. Navigate to Clients → Create client.
  2. Configure the client:
    • Client ID: Choose a name (e.g., fdk-server)
    • Client type: OpenID Connect
    • Client authentication: Off (public client)
    • Authentication flow: Standard flow enabled
  3. Set the access URIs:
    • Valid redirect URIs: https://<your-server-domain>/*
    • Valid post logout redirect URIs: https://<your-server-domain>/*

Scopes

  1. Go to Clients → your client → Client scopes tab.
  2. Ensure these are in Default scopes: openid, profile, email.
  3. Move offline_access from Optional to Default scopes.

Protocol Mappers

Add the following mappers to the client scope.

Audience

Adds the client_id to the aud claim.

  • Mapper type: Audience
  • Included Client Audience: your client ID
  • Add to ID token: Yes
  • Add to access token: Yes

Groups

Maps realm roles to a groups claim.

  • Mapper type: User Realm Role
  • Token Claim Name: groups
  • Multivalued: Yes
  • Add to ID token: Yes
  • Add to access token: Yes

Server Configuration

AUTH__ISSUER=https://keycloak.example.com/realms/myrealm
AUTH__CLIENT_ID=fdk-server
AUTH__REFRESH_URL=https://keycloak.example.com/realms/myrealm/protocol/openid-connect/token

The server discovers all OIDC endpoints from the issuer URL via .well-known/openid-configuration. No additional endpoint configuration is required.
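The following is an added example, not code from the FDK server or Keycloak. It shows two things a practitioner would check after finishing the Protocol Mappers and Server Configuration steps above: how the discovery and token endpoints are derived from AUTH__ISSUER, and whether a token's claims actually carry what the Audience and Groups mappers are supposed to add (client ID in aud, a multivalued groups claim). The function names and the sample token payloads are constructed for illustration; the issuer and client ID values are the ones from the configuration block above. Signature verification against the JWKS from the discovery document is assumed to have happened before the claim checks run.

```python
"""Added example (not FDK server or Keycloak code): derive OIDC URLs from the
issuer and sanity-check the claims the configured mappers should produce.

Assumptions: helper names and the sample payloads below are constructed for
illustration; ISSUER and CLIENT_ID mirror the Server Configuration section.
"""
import time
from typing import Any, Optional

ISSUER = "https://keycloak.example.com/realms/myrealm"
CLIENT_ID = "fdk-server"


def discovery_url(issuer: str) -> str:
    """Where the server fetches endpoints: <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def refresh_url(issuer: str) -> str:
    """Keycloak's token endpoint, matching AUTH__REFRESH_URL in the configuration."""
    return issuer.rstrip("/") + "/protocol/openid-connect/token"


def check_claims(claims: dict[str, Any], issuer: str, client_id: str,
                 now: Optional[float] = None) -> list[str]:
    """Return a list of problems found in an already signature-verified payload.

    Only the claims are inspected here; the JWT signature must be verified
    against the realm's JWKS (from the discovery document) before calling this.
    """
    now = time.time() if now is None else now
    problems: list[str] = []

    if claims.get("iss") != issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r}")

    # The Audience mapper adds the client ID to aud; aud may be a string or a list.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append(f"aud {audiences!r} does not include {client_id!r}")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")

    # The User Realm Role mapper is configured multivalued, so groups must be a list.
    groups = claims.get("groups")
    if not isinstance(groups, list):
        problems.append(f"groups claim missing or not multivalued: {groups!r}")

    return problems


def groups_of(claims: dict[str, Any]) -> list[str]:
    """Realm roles exposed through the groups mapper, as a list of strings."""
    groups = claims.get("groups")
    return [g for g in groups if isinstance(g, str)] if isinstance(groups, list) else []


# Constructed sample payloads (decoded JWT bodies, not real tokens).
GOOD_CLAIMS = {
    "iss": ISSUER,
    "aud": [CLIENT_ID, "account"],       # Audience mapper present
    "exp": 4102444800,                   # far-future expiry for the example
    "groups": ["admin", "viewer"],       # Groups mapper present, multivalued
    "scope": "openid profile email offline_access",
}
MISSING_MAPPERS = {
    "iss": ISSUER,
    "aud": "account",                    # Audience mapper not configured
    "exp": 4102444800,
    # no groups claim: Groups mapper not configured
}

if __name__ == "__main__":
    print("discovery:", discovery_url(ISSUER))
    print("token endpoint:", refresh_url(ISSUER))
    print("good token problems:", check_claims(GOOD_CLAIMS, ISSUER, CLIENT_ID))
    print("missing mappers problems:", check_claims(MISSING_MAPPERS, ISSUER, CLIENT_ID))
    print("groups:", groups_of(GOOD_CLAIMS))
```

Running the script with the constructed payloads reports no problems for the first token and two for the second (missing audience and missing groups claim), which is exactly the symptom seen when the two mappers in the Protocol Mappers section were skipped.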