About OpenID connect
Rhize uses OpenID Connect to connect to a Keycloak server, which authenticates users and manages role-based access control.
OpenID Connect is an authentication layer that uses JSON Web Tokens (JWTs) to grant access to secured resources. In Rhize, Keycloak issues the JWTs. Users can be managed directly in Keycloak, or Keycloak can delegate to other identity services such as LDAP, Google, Azure AD, or Facebook.
The general authentication flow is as follows:
- When a user accesses the user interface, the UI redirects the browser to Keycloak.
- Depending on how it is configured, Keycloak redirects to the authentication provider so that the user can log in.
- If the user authenticates successfully, Keycloak redirects back to the user interface with an authorization code in the URL parameters.
- The UI calls Keycloak's token endpoint to exchange the authorization code for a JWT.
- The UI then presents that JWT as a bearer token to access secured APIs such as the Rhize GraphQL API.
The Rhize DB, libreBaas, holds the public key from Keycloak and uses it to verify the signature of each JWT presented to the API.
```mermaid
sequenceDiagram
    actor User
    participant UI as Web UI
    participant Rhize as Rhize DB
    participant KC as Keycloak
    participant AP as AuthProvider
    Rhize->>KC: Get Public Key
    User->>UI: Log In
    UI-->>KC: Redirect
    KC-->>AP: Redirect
    AP->>User: Credentials
    AP-->>KC: Auth Result
    KC-->>UI: Redirect with Code
    UI->>KC: Exchange Code for Token
    KC->>UI: Reply with id_token and access_token
    UI->>Rhize: Access API with Bearer Token
    Rhize->>Rhize: Verify Token with Public Key from Keycloak
```