> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nx1cloud.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Keycloak in NexusOne

> Overview of Keycloak, an identity and access management system providing authentication and authorization in NexusOne.

Keycloak is an open source Identity and Access Management (IAM) solution designed
to provide centralized authentication, authorization, and user federation capabilities.
This means it handles the creation of users and assigns permissions to the users
through created roles, and offers access across multiple platforms.

Keycloak also supports industry-standard protocols such as OpenID Connect (OIDC),
OAuth 2.0, and Security Assertion Markup Language (SAML) 2.0. These protocols define
how apps that outsource their authentication and authorization ask Keycloak to
authenticate users.

## Key features

Keycloak has the following key features:

* **Authentication and authorization**: Provides built-in support for user authentication,
  Multi-Factor Authentication (MFA) and fine-grained authorization. These ensures
  that apps can outsource authentication and authorization to a trusted, centralized system
  like Keycloak.
* **Identity brokering and user federation**: Integrates with external identity providers,
  such as Lightweight Directory Access Protocol (LDAP), Active Directory, and social login
  providers such as Google and GitHub, and lastly, SAML identity providers.
  This allows your organization to inherit existing identity directories without
  duplicating user accounts.
* **Single Sign-On (SSO)**: Supports seamless access to authenticate once and gain
  access to multiple apps without re-entering credentials into each app. The login sessions
  are centrally managed in Keycloak to improve both user experience and security posture.
* **Client and resource management**: In Keycloak, an app represents a client within a specific
  realm. For each client, you can manage app permissions, allowed authentication flow, token
  configurations, and protocol configuration. This ensures flexible control and scoping of access
  rights within that realm.
* **Security tokens and sessions**: Keycloak generates the following types of tokens
  that manage identities and access:

  * **ID token**: Used by apps to know the authenticated user
  * **Access token**: Used to scope and authorize API access
  * **Refresh token**: Generates a new token to extend an app's session

  The token formats, validity periods, and claims can be explicitly configured per
  client or per realm.

## Keycloak components

Keycloak comprises several major components:

* **Realm**: Isolated namespace that groups users, roles, groups, and apps
* **Clients**: Apps or services that rely on Keycloak for authentication
  and authorization
* **Identity providers**: External authentication sources that Keycloak uses to
  authenticate users accessing an app.
* **User storage providers**: Connectors for external user directories
* **Admin console**: Browser-based interface for realm and user management

## Types of Keycloak roles

Keycloak provides two main types of roles that reflect the role's scope, this includes:

* **Realm roles**:These are global roles that apply across the entire realm, and
  any client can use them. You need them in the following scenarios:

  * Organizational-wide access for an administrator or manager
  * Setting permissions shared across multiple apps

  In tokens, realm roles appear under the `realm_access` claim.

* **Client roles**: These are app-specific roles defined within a single client. You need them in
  the following scenarios:

  * Fine-grained app-level permissions
  * Microservices that manage their own authorization models
  * Least-privilege access that isolates services

  In tokens, client roles appear under `resource_access.<client_id>.roles`.

## Keycloak in the NexusOne platform

Within NexusOne, Keycloak serves as the central authoritative system for all apps.
It provides the following capabilities:

* Centralizes user creation, provisioning, and de-provisioning
* Authenticates all internal and external users across all apps in NexusOne
* Manages sessions and SSO flows for a seamless login experience
* Issues tokens used by downstream services
* Enforces consistent security policies such as MFA, password policies, and session limits
* Externalized databases and integration with identity providers when deployed

### Deployment

Keycloak runs on a container orchestration platform such as Kubernetes. The NexusOne
deployments include the following capabilities

* High-availability configuration
* Externalized PostgreSQL database
* External identity providers
* Integrated secrets management

*Terraform* manages all Keycloak resources, including clients, roles, groups, identity
providers, mappers, and any additional realm configuration. This ensures that the entire
IAM configuration is declarative, version-controlled, and fully aligned with the NexusOne
team's infrastructure-as-code standards.

As a NexusOne customer, you have three options:

* **Self-managed deployment**: Deploy and manage NexusOne inside your cluster
* **Managed cluster by NexusOne**: Allow the NexusOne team manage the cluster for you
* **Web portal only**: Use NexusOne entirely through the web portal

If you deploy and manage NexusOne yourself, use the pre-packaged Terraform modules to define
your Keycloak clients and associated permissions rather than relying on manual configuration.

<Warning>Manual changes in the Keycloak Admin Console must be strictly avoided.</Warning>

Untracked Terraform modifications introduce configuration drift, reduce reliability,
complicate troubleshooting, and might not be easily found during redeployments or
upgrades. So, ensure you submit all updates through the IaC pipeline to maintain
consistency and auditability across environments.

By adhering to these practices, you are ensuring that Keycloak remains stable, predictable,
and fully reproducible across all stages of deployment.

### Keycloak client configuration

Apps within NexusOne act as a clients to Keycloak. These apps use the following
OIDC-compliant authentication flows:

* **Authorization code flow**: User authenticates via the browser
* **Client credentials flow**: Service authenticates between themselves without a user
* **Implicit flow**: User authenticates via the browser in legacy web architectures

Before authentication, each client defines the following:

* **Redirect URIs**: Where Keycloak can send tokens after login
* **Token policies**: Rules for token lifespans, scopes, and refresh behavior
* **Required roles**: What claims the user must have to access the client
* **Frontend and backend session settings**: How long a user stays logged in,
  independent of the expiration of a token
* **Proof Key for Code Exchange (PKCE)/constraints**: Extra checks during the authentication flow

By unifying these configurations, NexusOne ensures that the policies it applies
to each client are consistent and traceable.

### User management and provisioning

When you need to create users within NexusOne, Keycloak serves as the central user directory.

It manages the following:

* **User attributes**: Personal and system information stored for each user
* **Roles and role mappings**: Permissions and access levels assigned to users
* **Group memberships**: Collection of users grouped to simplify role assignment
* **MFA configuration**: Multi-factor authentication settings for stronger account security
* **Password policies**: Rules for password creation, such as its length, hash algorithm, and more

As an administrator, you manage users through the *Keycloak Admin Console*, while individual
users manage their own accounts through the *Account Console*.

### Security and compliance enhancements

Using Keycloak as a centralized identity provider enhances NexusOne's security
posture by enabling the following:

* Central auditing and event logging for all authentication attempts
* Consistent SSO session timeouts and rotation policies
* Centralized breach response, such as revoking all user sessions at once
* Reduced attack surface by eliminating custom authentication implementations in each app
* Compliance with organizational and regulatory requirements, such as password rotation
  policies, audit tracing, and more

### Authorization code flow via Keycloak

The following diagram shows the Authorization Code Flow of a user within NexusOne logging in
via Keycloak. It shows how the authentication of the user, exchange from an authorization code
for tokens, and the establishment of a session for subsequent requests.

```mermaid theme={null}
sequenceDiagram
    participant User
    participant App as Application
    participant KC as Keycloak

    User->>App: Sends a request to the /dashboard URL path on the app
    App->>App: Checks for a valid session or token and none exists
    App->>User: Redirects user to Keycloak for authentication
    User->>KC: Browser sends an authentication request to Keycloak
    KC->>User: Responds with a login page
    User->>KC: Submit your credentials such as a username and password
    KC->>KC: Validates the credentials and creates a session
    KC->>User:Redirects you back to the app with an authorization code
    User->>App: Sends a callback request to the app with the authorization code
    App->>KC: Exchanges the code for an access token and user information
    KC->>App: Returns the access token and user information
    App->>App: Validates token and creates a session
    App->>User: Redirects to the original URL with a session cookie
    User->>App: Sends an authenticated request to the /dashboard URL path
    App->>App: Validates the session
    App->>User: Returns requested dashboard content
```

## Additional resources

* To learn practical ways to use Keycloak in the NexusOne environment, refer to the
  [Keycloak hands-on examples](./keycloak-hands-on-examples) page.
* For more details about Keycloak, refer to the [Keycloak](https://www.keycloak.org/documentation)
  official documentation.
* If you are using the NexusOne portal and want to learn how to configure IAM using Keycloak,
  refer to the [Govern](/documentation/govern/overview) page.
