/keycloak-gsis-providers

This Keycloak plugin adds production and testing identity providers for using GSIS OAuth 2 Services

Primary LanguageHTMLApache License 2.0Apache-2.0

Keycloak Gsis Providers CI Status

This Keycloak plugin adds production and testing identity providers for using Greek General Secretariat of Information Systems for Public Administration (GSIS) OAuth 2 Services.

Keycloak is an open-source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.

OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and Google. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.

Implemented identity providers

How to get permissions for using Gsis OAuth 2.0 authentication services for your application

In order to be able to use Gsis OAuth 2.0 authentication services you need to request permission from GSIS. Instructions can be found at the Interoperability Center of the Ministry of Digital Governance (KE.D) website.

After your request to KE.D is approved you will be given a clientId and a clientSecret for connecting your application with Gsis OAuth 2.0 providers.

IMPORTANT NOTICE:

You must acquire separate permission (separate clientId) for each specific application you want to use GSIS OAuth2 with. Providing GSIS OAuth2 identification and authorization data to applications other than those an acquired permission is for is against the service license provided by GSIS and will result in revoking your access to the service.

Installation

Quick: Download the latest jar release from the Releases page. Then deploy it into the $KEYCLOAK_HOME/standalone/deployments/ directory.

You will need a functional Keycloak deployment. You can read the Keycloak getting started guide for instructions on setting up a Keycloak instance. You can also run Keycloak as a Docker Container, or deploy Keycloak on Kubernetes via plain manifest or using the Keycloak Operator.

After having set up Keycloak, download the latest Keycloak Gsis Providers release jar and install it to your instance. See the Keycloak server installation documentation for more information. You can also easily deploy the extension through the Operator Keycloak Manifest if you are using the Keycloak Operator on Kubernetes.

After successfully installing the extension the following options will be available through "Identity Providers" → "Add Provider" Keycloak administration console menu:

  • GsisTaxisTest (TAXISnet testing)
  • GsisTaxis (TAXISnet production)
  • GsisGovuserTest (Employees testing)
  • GsisGovUser (Employees production)

Setup

  • Add the Gsis Identity Provider you want to use in the realm which you want to configure.
  • In the Gsis identity provider page, set "Client Id" and "Client Secret".
  • (Optional) Set the alias for the provider and other options if you want.
  • (Optional) Set up provider mappers (See profile fields)

See the Identity Brokering section of Keycloak Server Admin for more info.

Profile Fields

Gsis OAuth 2.0 service provides the following profile fields for individuals:

  • userid
  • taxid
  • lastname
  • firstname
  • fathername
  • mothername
  • birthyear

In Identity Provider Mapper page Select Attribute Importer as Mapper Type to import a profile field as a user attribute.

Build from Source

Clone this repository and run mvn package. You will find keycloak-gsis-providers-{version}.jar under the target directory.

Licence

Apache License, Version 2.0

Author

Built for the needs of Greek School Network and Networking Technologies Directorate.
Based on this sample extension by xgp.