{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"redocly_category":"Journeys","product":"Identity Management","type":"markdown"},"seo":{"title":"Keycloak OIDC Authentication","description":"Everything about Mosaic Journeys, SDKs, and APIs","siteUrl":"https://developer.transmitsecurity.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"keycloak-oidc-authentication","__idx":0},"children":["Keycloak OIDC Authentication"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge-wrapper"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Client SDK"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Backend API"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Mobile approve"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["SSO"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Sub-journey"]}]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Authenticates the user with Keycloak using OIDC redirect"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"description","__idx":1},"children":["Description"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This step authenticates the user by redirecting them to Keycloak–an external identity provider–for authentication using the OIDC Authorization Code flow. It is used for Just-In-Time (JIT) migration scenarios where users are gradually migrated from Keycloak to Mosaic as they log in."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Before using this step, configure a ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/external-connections/external_idp"},"children":["Keycloak connection"]}," in Integration Hub."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When the journey reaches this step, the user is redirected to Keycloak to authenticate. After successful authentication, Keycloak redirects the user back to Mosaic using the configured callback URL. The authentication result is stored in the output variable and can be used in subsequent steps (e.g., to create a user in Mosaic)."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If the authentication fails, the journey proceeds to the failure branch (if specified); otherwise, the journey is aborted and an error is sent to the client."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"configuration","__idx":2},"children":["Configuration"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Keycloak integration"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The Keycloak connector to use for authentication, as configured in Integration Hub."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Callback URL"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The URL where Keycloak redirects the user after authentication."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scope"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["OAuth scopes to request from Keycloak. Default: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["openid profile email"]},"."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Response mode"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Determines if the authorization response is returned in a query or a form post."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Advanced OIDC configuration"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Allows configuring ACR values, claims, and additional authorize parameters."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Output variable"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Name of the variable that stores the authentication result returned by Keycloak."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Error output variable"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Name of the variable that stores any errors returned by the step."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Failure behavior"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Determines the behavior in case of failure, which either aborts the journey or proceeds to a failure branch of the control flow (default)."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Journey event data"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This step can be configured to record step input and output data, or a custom payload, which is then surfaced in journey events in Journey Analytics for diagnostic purposes. For details, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/getting-started/event_reporting"},"children":["Additional data reporting"]},"."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"example","__idx":3},"children":["Example"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Consider a migration journey where users authenticate via Keycloak's login page. The Keycloak OIDC Authentication step redirects the user to Keycloak. After successful authentication, the output variable (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["keycloak_oidc_output"]},") contains user information, including ID token and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["user_info"]},", that can be used to create or update a user in Mosaic using the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/create_user"},"children":["Create user"]}," step."]}]},"headings":[{"value":"Keycloak OIDC Authentication","id":"keycloak-oidc-authentication","depth":1},{"value":"Description","id":"description","depth":2},{"value":"Configuration","id":"configuration","depth":2},{"value":"Example","id":"example","depth":2}],"frontmatter":{"markdown":{"toc":{"depth":2}},"seo":{"title":"Keycloak OIDC Authentication"}},"lastModified":"2026-05-26T08:58:26.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/orchestration/journeys/authenticate_keycloak_oidc","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}