Keycloak
Keycloak is the open-source Identity and Access Management (IAM) tool that FOSPS uses to handle authentication and authorization over the OpenID Connect (OIDC) and OAuth 2.0 protocols.
Purpose
Keycloak provides:
- Authentication: User identity verification
- Authorization: Access control and permissions
- Single Sign-On (SSO): One login for multiple applications
- Identity Federation: Integration with external identity providers
- Token Management: JWT tokens for API access
Protocols Supported
OAuth 2.0
Authorization framework used for:
- API access control
- Delegated authorization
- Client credentials flow
- Authorization code flow
OpenID Connect (OIDC)
Authentication layer built on top of OAuth 2.0:
- User identity tokens
- ID token verification
- UserInfo endpoint
- Session management
Integration in FOSPS
Protected Resources
Keycloak secures access to:
- FHIR Server resources
- Focusing Manager APIs
- Supporting Material
- Administrative interfaces
User Types
Different authentication flows for each user type:
- Patients: Accessing f(ePI) and IPS
- Healthcare Professionals: Clinical tools
- Administrators: Platform management
- Developers: API access, Focusing Inspector
Token Flow
- The user authenticates with Keycloak
- Keycloak issues a JWT access token
- The client includes the token in its API requests
- Istio validates the token before the request reaches the service
- The request is forwarded to the service
Realm Configuration
FOSPS uses Keycloak realms for:
- Multi-tenancy (different FOSPS instances)
- Role-based access control (RBAC)
- Client application registration
- Identity provider mapping
Security Features
- Multi-Factor Authentication (MFA)
- Brute force detection
- Session management
- Password policies
- Account lockout
Logging
Authentication events are logged to the Audit Log:
- Login attempts (success/failure)
- Token issuance
- Permission grants
- Session expiration
Related Concepts
- FOSPS - Platform architecture
- Istio - JWT validation
- Audit Log - Security logging
- FHIR Server - Protected resources
- Focusing Manager - Protected APIs