OpenID Bridge Integration Guide - Keycloak
Keycloak is an open source provider for Identity and Access Management (IAM) and is used for single sign-on.
OpenID Bridge integration with Keycloak requires configuration of a new identity provider. The following integration steps cover the critical elements needed for OpenID Bridge. Your particular Keycloak integration may involve other elements.
Before you begin
You'll need:
- Admin access to your Keycloak account
- Client redirect URI, where Keycloak will send users upon login
Create a new identity provider
First we need to add OpenID Bridge as an identity provider in Keycloak.
- Sign in to Keycloak as an admin user.
- Open the Administration console and navigate to the realm for which you want to integrate OpenID Bridge.
- In the Configure section of the left navbar, select Identity providers.
- Select the Add providers drop-down and select OpenID Connect v1.0.
- Create an Alias and copy the resulting Redirect URI for later use.
- Choose a helpful Display name that fits your use case.
  - For example, "Sign on with EUDI Wallet".
- If you already have several single sign-on providers, choose a Display order.
- Ensure the Use discovery endpoint toggle is activated.
- In the Discovery endpoint field, paste your OpenID Bridge discovery endpoint.
  - It should take the following form: https://{YOUR-BRIDGE-URL}/.well-known/openid-configuration
  - Keycloak reads this document to gather metadata such as the authorization and token endpoints. Note the user info endpoint, which supplies user profile data.
- In the Client authentication drop-down, make sure "Client secret sent as post" is selected.
- Choose a Client ID and a Client Secret, and note these values securely; they are needed later during OpenID Bridge configuration.
- In the Client assertion signature algorithm field, choose "Algorithm not specified" unless there is a particular need to do otherwise.
- Select Add to complete the Keycloak configuration.
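Before pasting the discovery endpoint into Keycloak, it is worth confirming that the document it serves contains what Keycloak will read from it and agrees with the settings chosen above. The check below is an added example, not part of this guide or of the OpenID Bridge or Keycloak projects; the sample document is constructed and `bridge.example` is a placeholder for your bridge URL.

```python
"""Sanity-check an OpenID Connect discovery document before using it in
Keycloak. The SAMPLE_DOC below is constructed; replace it with the JSON
fetched from https://{YOUR-BRIDGE-URL}/.well-known/openid-configuration."""
import json
from urllib.parse import urlparse

# Endpoints Keycloak fills in from the discovery document when the
# "Use discovery endpoint" toggle is on.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")


def check_discovery(doc: dict, bridge_url: str) -> list[str]:
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    issuer = doc.get("issuer", "")
    # Per OpenID Connect Discovery, the issuer is the URL the document was
    # fetched from, minus the /.well-known/openid-configuration suffix.
    if issuer.rstrip("/") != bridge_url.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match {bridge_url!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    # The guide selects "Client secret sent as post"; if the provider omits
    # this list, the spec default is client_secret_basic only.
    methods = doc.get("token_endpoint_auth_methods_supported",
                      ["client_secret_basic"])
    if "client_secret_post" not in methods:
        problems.append("token endpoint does not advertise client_secret_post")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not supported")
    return problems


# Constructed sample with two deliberate defects (plain-http userinfo endpoint,
# no client_secret_post) so the check has something to report.
SAMPLE_DOC = json.loads("""{
  "issuer": "https://bridge.example",
  "authorization_endpoint": "https://bridge.example/oauth2/authorize",
  "token_endpoint": "https://bridge.example/oauth2/token",
  "userinfo_endpoint": "http://bridge.example/oauth2/userinfo",
  "jwks_uri": "https://bridge.example/.well-known/jwks.json",
  "response_types_supported": ["code"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic"]
}""")

if __name__ == "__main__":
    for problem in check_discovery(SAMPLE_DOC, "https://bridge.example"):
        print("WARN:", problem)
```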
Set client redirect URI
Next we tell Keycloak where to send users on login.
- In the Manage section of the left navbar, select Clients.
- In the Clients list, select the client into which you're integrating OpenID Bridge.
- Under Access settings, enter the client's redirect URI into the Valid redirect URIs field.
- Save your changes to the client settings.
Configure OpenID Bridge
Now that OpenID Bridge is configured as an identity provider in Keycloak, a matching provider must be created in OpenID Bridge.
- Choose a proof schema following the provided guidance. You will use values from the chosen proof schema in the next step.
- Create a new provider in OpenID Bridge following the provided instructions. Use the following values from your Keycloak configuration:
  - Client ID
  - Client Secret
  - Redirect URI
On the sign-in page of your Keycloak integration, there should now be an option to sign in with OpenID Bridge.