System Provider
Blazing KRaft lets you register OpenID Connect Providers directly from the UI, or register a System Default OIDC Provider by setting the following environment variables:
BLAZINGKRAFT_OIDC_PROVIDER_CODE: internalProvider # Required
BLAZINGKRAFT_OIDC_PROVIDER_NAME: Internal Provider # Optional (default: $code)
BLAZINGKRAFT_OIDC_PROVIDER_ISSUER: http://keycloak_fqdn/auth/realms/blazingkraft # Required
BLAZINGKRAFT_OIDC_PROVIDER_CLIENT_ID: ui # Required
BLAZINGKRAFT_OIDC_PROVIDER_CLIENT_SECTET: secret # Optional
BLAZINGKRAFT_OIDC_PROVIDER_PKCE_ENABLED: true # Optional (default: false)
BLAZINGKRAFT_OIDC_PROVIDER_PROVIDER_TYPE: Keycloak # Optional
BLAZINGKRAFT_OIDC_PROVIDER_SCOPES: openid;;;offline_access;;;profile;;;email;;;address;;;phone # Optional (default: openid;;;offline_access)
Auth0
Auth0 is a cloud service that provides a set of unified APIs and tools that instantly enable single sign-on and user management for all of your applications.
Create an application, grab the basic configuration, and register the callback URL as {blazingkraft_base_url}/login/callback/{oidc_provider_code}, then head to Blazing KRaft and register the provider.
Auth0 Basic Configuration
[Image: Auth0 Basic Configuration]
Auth0 Callback Url
[Image: Auth0 Callback Url]
Blazing KRaft Auth0
[Image: Blazing KRaft Auth0]
Keycloak
Keycloak is an open source software product that allows single sign-on with identity and access management aimed at modern applications and services.
Create a realm, a client, and a user, then grab the basic configuration and register the callback URL as {blazingkraft_base_url}/login/callback/{oidc_provider_code}, then head to Blazing KRaft and register the provider.
Keycloak Create Realm
[Image: Keycloak Create Realm]
Keycloak Create Client
[Image: Keycloak Create Client]
Keycloak Create User
[Image: Keycloak Create User]
Blazing KRaft Keycloak
[Image: Blazing KRaft Keycloak]
OIDC Providers Listing
After registering OIDC Providers, you can view them in the listing page.
[Image: OIDC Providers Listing]
OIDC Providers Actions
You can delete, edit, and view the details of the OIDC Provider.
Delete OIDC Provider
[Image: OIDC Providers Delete]
Edit OIDC Provider
[Image: OIDC Providers Edit]
OIDC Provider Details
[Image: OIDC Providers Details]
OIDC Provider Well Known Configuration
[Image: OIDC Providers Well Known Configuration]
Custom Claim
If the idToken issued by the OIDC Provider doesn't contain the blazingkraft_group claim, no group is assigned to the connected user and only the server permissions restrict what they can do.
To create a custom claim in Keycloak, you should add an attribute to the user and create a mapper to add it to the idToken.
Keycloak Attribute
[Image: Keycloak Add Attribute]
Keycloak Create Protocol Mapper
[Image: Keycloak Create Protocol Mapper]
ID Token
{
"exp": 1686656138,
"iat": 1686655838,
"auth_time": 1686655832,
"jti": "bc2d72f0-78dd-484d-9172-36d439b4688b",
"iss": "http://localhost:9010/auth/realms/blazingkraft",
"aud": "blazingkraft",
"sub": "57e166ae-1670-42ef-9006-75a080c083b5",
"typ": "ID",
"azp": "blazingkraft",
"session_state": "28179e4c-0828-4575-a4b3-2031d6828268",
"at_hash": "2MyfN2PiciCkzwuuuo7rXA",
"acr": "1",
"sid": "28179e4c-0828-4575-a4b3-2031d6828268",
"email_verified": false,
"preferred_username": "blazingkraft",
"given_name": "",
"blazingkraft_group": "qaTeam",
"email": "blazingkraft@gmail.com"
}
OIDC Provider Login
You can now log in using any of your registered providers.
[Image: OIDC Provider Login Page]
Miscellaneous
When registering OIDC Providers for the first time, if you made a configuration mistake, in some rare cases you might need to clear the session storage in your browser before retrying the login with a provider.
Session Storage
If you get a "no token provided" error when logging in with a provider, it is most likely caused by a configuration mistake.
Make sure that the registered issuer is exactly the same as the one carried in the idToken. For example, the Auth0 domain doesn't contain a trailing slash '/', but the issuer in the idToken does. Blazing KRaft performs a strict comparison of the issuer contained in the token and the one you've registered, so for Blazing KRaft this is an InsufficientAuthenticationException, which results in a "no token provided" error.
These decisions are deliberate, for security reasons. I highly recommend that you always check the logs for more information, as Blazing KRaft provides nicely formatted log entries.
[Image: OIDC Provider Clear Session Storage]
[Image: OIDC Provider Logs]
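The two behaviours described above, the blazingkraft_group custom claim falling back to server permissions and the strict issuer comparison that turns an Auth0 trailing-slash mismatch into a "no token provided" error, can be seen in a small relying-party check. The following Python is an added illustration, not Blazing KRaft's own code: it signs a demo token with a constructed HS256 secret (a real provider signs with an asymmetric key from its JWKS endpoint), the claims are modelled on the Keycloak ID token shown on this page, the Auth0 tenant name is made up, and NoTokenProvided is a stand-in for the exception the page mentions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret so the demo can sign and verify offline with HS256.
# A real OIDC provider signs ID tokens with an asymmetric key from its JWKS endpoint.
DEMO_SECRET = b"demo-shared-secret-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issuer side of the demo: build a compact HS256 JWT from a claims dict."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


class NoTokenProvided(Exception):
    """Stands in for the 'no token provided' outcome the page describes."""


def validate_id_token(token: str, registered_issuer: str, client_id: str,
                      secret: bytes = DEMO_SECRET, now: Optional[int] = None) -> dict:
    """Relying-party side: verify the signature, then iss (strict), aud and exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise NoTokenProvided("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        raise NoTokenProvided("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise NoTokenProvided("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Strict string comparison, as the page describes: "https://tenant.auth0.com/"
    # and "https://tenant.auth0.com" are different issuers.
    if claims.get("iss") != registered_issuer:
        raise NoTokenProvided(
            f"issuer mismatch: token={claims.get('iss')!r} registered={registered_issuer!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise NoTokenProvided("audience mismatch")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise NoTokenProvided("token expired")
    return claims


def effective_group(claims: dict) -> Optional[str]:
    """blazingkraft_group if the provider mapped it; None means server permissions only."""
    return claims.get("blazingkraft_group")


# Constructed claims modelled on the Keycloak ID token shown on the page.
KEYCLOAK_CLAIMS = {
    "exp": 1686656138, "iat": 1686655838,
    "iss": "http://localhost:9010/auth/realms/blazingkraft",
    "aud": "blazingkraft", "sub": "57e166ae-1670-42ef-9006-75a080c083b5",
    "preferred_username": "blazingkraft", "blazingkraft_group": "qaTeam",
}
NOW = 1686655900  # fixed clock inside the token's validity window


def demo() -> dict:
    """Three cases: mapped group, missing group, and the Auth0 trailing-slash pitfall."""
    results = {}
    token = make_id_token(KEYCLOAK_CLAIMS)
    claims = validate_id_token(token, KEYCLOAK_CLAIMS["iss"], "blazingkraft", now=NOW)
    results["group"] = effective_group(claims)  # "qaTeam"

    no_group = {k: v for k, v in KEYCLOAK_CLAIMS.items() if k != "blazingkraft_group"}
    claims = validate_id_token(make_id_token(no_group), no_group["iss"], "blazingkraft", now=NOW)
    results["group_when_unmapped"] = effective_group(claims)  # None: server permissions only

    # Auth0 issues "iss" with a trailing slash; registering the bare domain fails strictly.
    auth0 = dict(KEYCLOAK_CLAIMS, iss="https://example-tenant.auth0.com/", aud="ui")
    try:
        validate_id_token(make_id_token(auth0), "https://example-tenant.auth0.com", "ui", now=NOW)
        results["auth0_bare_domain"] = "accepted"
    except NoTokenProvided as err:
        results["auth0_bare_domain"] = str(err).split(":")[0]  # "issuer mismatch"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the three outcomes; the useful habit it shows is to log the token's iss and the registered issuer side by side on a mismatch, which is exactly the detail the Blazing KRaft logs give you when a login fails this way.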
Important
For blazingly fast token validation, Blazing KRaft stores OIDC Providers in memory.
For this reason the providers are only invalidated on the single instance that handled the change: if you have scaled to more than one instance of Blazing KRaft, you'll need to restart the other instances after creating, editing or deleting any OIDC Provider.