Set up the resources
Create resource items on Keycloak to represent the features of the whole Greenstand platform.
1. Install Keycloak
2. Create realm
Create a realm with the name: greenstand
3. Create front end client
For example: the web map client, which logs in to a dashboard to do map-specific management.
Create a client with name webmap
Settings for this client:
Root URL: the URL of the web-map client's dashboard, e.g. http://localhost:3000/admin
Create the roles this client will check, such as: web-map-viewer, web-map-operator
6. Create the client that owns the resources (the resource server)
Create a client with name: api-services
With settings:
Authorization enabled: true
Create resources and scopes on this client.
Create resources, e.g. web-map-theme
Create authorization scopes, e.g. view, edit
Create a policy that expresses the rule, for example a role policy that grants access to users holding the role web-map-viewer.
Create permission items that tie a resource and scope to that policy, for example the permission to view web-map-theme, which applies the web-map-viewer policy. A permission without a policy attached grants nothing, so create the policy first and reference it from the permission.
7. Test the permission:
There is a tool to test whether everything is set up correctly: api-services -> Authorization -> Evaluate. Pick a user and the resource/scope (e.g. web-map-theme, view) and check that the result is PERMIT only for users who hold the expected role.
8. Integrate with real client
Groups represent the organizations on Greenstand, such as Freetown and TheHaitiTreeProject.
Keycloak needs to know a user's organization so it can decide whether the user has permission to operate on resources belonging to that organization.
Open the Groups menu and create a group.
Give the group an attribute {'organization_id': xxx}, where xxx is the id of that organization in the DB. Group attributes are inherited by the group's members, so the user does not need the attribute set directly.
Assign the group just created to the user.
To expose the user's organization_id to the client:
Open the client, say, webmap
Open Mappers and click Create
Create the mapper with settings as below:
user attribute: organization_id
Token claim name: organization_id
Now the user's organization_id attribute is included as a claim in the tokens and user info sent to the client. If a user may belong to more than one organization group, also enable Multivalued and Aggregate attribute values on the mapper; the claim is then a JSON array rather than a single string, and the client must handle both shapes. Note that a claim read by the browser client is only a hint for the UI: api-services must verify the token signature and check organization_id itself before acting on it.
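The steps above (realm, roles, the webmap and api-services clients, the web-map-theme resource with its view/edit scopes, the role policy and permission, the organization group and the organization_id mapper) as one script against the Keycloak Admin REST API. This is an added example, not Greenstand's own tooling, and it is not the exported realm. It assumes a Keycloak 17+ URL layout (no /auth prefix) at KEYCLOAK_URL, an admin user in the master realm who can log in through the admin-cli client, and organization_id 1 for the Freetown group; the policy name web-map-viewer-can-view, the permission name view-web-map-theme and the PKCE/redirect settings on webmap are this example's choices. Assigning users to the group is left to the console.

```python
"""Provision the Greenstand Keycloak objects via the Admin REST API.

Added example, not project code. Assumes Keycloak 17+ at KEYCLOAK_URL and an
admin user in the master realm (admin-cli). Names for the policy, the
permission and the webmap client settings are this example's assumptions.
"""
import json
import os
import urllib.parse
import urllib.request

KEYCLOAK_URL = os.environ.get("KEYCLOAK_URL", "http://localhost:8080")
REALM = "greenstand"


# ---- representations: the JSON bodies the Admin API expects ----------------

def realm_rep():
    return {"realm": REALM, "enabled": True}


def webmap_client_rep(root_url="http://localhost:3000/admin"):
    # Browser app: public client, PKCE enforced, redirects confined to its own
    # root. "+" in webOrigins allows CORS only from the redirect-URI origins.
    return {"clientId": "webmap", "rootUrl": root_url, "publicClient": True,
            "standardFlowEnabled": True, "directAccessGrantsEnabled": False,
            "redirectUris": [root_url + "/*"], "webOrigins": ["+"],
            "attributes": {"pkce.code.challenge.method": "S256"}}


def api_services_client_rep():
    # Resource server: confidential client with Authorization Services on.
    return {"clientId": "api-services", "publicClient": False,
            "serviceAccountsEnabled": True, "authorizationServicesEnabled": True}


def group_rep(name, organization_id):
    # Attribute values are lists; the id must match the organization row in the DB.
    return {"name": name, "attributes": {"organization_id": [str(organization_id)]}}


def organization_mapper_rep():
    # User Attribute mapper: copies organization_id (inherited from the group)
    # into the tokens. multivalued + aggregate.attrs emit a JSON array, so a
    # user in several organization groups keeps all ids.
    return {"name": "organization_id", "protocol": "openid-connect",
            "protocolMapper": "oidc-usermodel-attribute-mapper",
            "config": {"user.attribute": "organization_id",
                       "claim.name": "organization_id", "jsonType.label": "String",
                       "id.token.claim": "true", "access.token.claim": "true",
                       "userinfo.token.claim": "true",
                       "multivalued": "true", "aggregate.attrs": "true"}}


def role_policy_rep(name, role_id):
    # Role policy: grants when the user holds the role (role_id is the role UUID).
    return {"name": name, "type": "role", "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS", "roles": [{"id": role_id, "required": False}]}


def scope_permission_rep(name, resource_id, scope_ids, policy_ids):
    # Scope permission: ties a resource and scopes to the policies that decide.
    return {"name": name, "type": "scope", "logic": "POSITIVE",
            "decisionStrategy": "UNANIMOUS", "resources": [resource_id],
            "scopes": list(scope_ids), "policies": list(policy_ids)}


# ---- Admin REST plumbing ---------------------------------------------------

def admin_token(username, password):
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    with urllib.request.urlopen(f"{KEYCLOAK_URL}/realms/master/protocol/openid-connect/token", form) as resp:
        return json.load(resp)["access_token"]


def call(method, path, token, body=None):
    req = urllib.request.Request(
        f"{KEYCLOAK_URL}/admin/realms{path}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None  # plain create calls answer 201 with no body


def provision(username, password, organization_id=1):
    tok = admin_token(username, password)
    call("POST", "", tok, realm_rep())                                       # step 2
    for role in ("web-map-viewer", "web-map-operator"):                      # roles
        call("POST", f"/{REALM}/roles", tok, {"name": role})
    call("POST", f"/{REALM}/clients", tok, webmap_client_rep())              # step 3
    call("POST", f"/{REALM}/clients", tok, api_services_client_rep())        # step 6
    webmap = call("GET", f"/{REALM}/clients?clientId=webmap", tok)[0]["id"]
    api = call("GET", f"/{REALM}/clients?clientId=api-services", tok)[0]["id"]
    authz = f"/{REALM}/clients/{api}/authz/resource-server"
    scopes = {s: call("POST", f"{authz}/scope", tok, {"name": s})["id"] for s in ("view", "edit")}
    theme = call("POST", f"{authz}/resource", tok,
                 {"name": "web-map-theme", "scopes": [{"name": s} for s in scopes]})["_id"]
    viewer = call("GET", f"/{REALM}/roles/web-map-viewer", tok)["id"]
    policy = call("POST", f"{authz}/policy/role", tok,
                  role_policy_rep("web-map-viewer-can-view", viewer))["id"]
    call("POST", f"{authz}/permission/scope", tok,
         scope_permission_rep("view-web-map-theme", theme, [scopes["view"]], [policy]))
    call("POST", f"/{REALM}/groups", tok, group_rep("Freetown", organization_id))   # step 8
    call("POST", f"/{REALM}/clients/{webmap}/protocol-mappers/models", tok, organization_mapper_rep())


if __name__ == "__main__":
    provision(os.environ["KEYCLOAK_ADMIN"], os.environ["KEYCLOAK_ADMIN_PASSWORD"])
```

Run it once against an empty server with KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD set; rerunning fails on the first POST because the realm already exists, which is the intended guard against duplicating objects. The policy is created before the permission because the permission references the policy id, and the resource is created after the scopes so that it references them by name. The webmap client is deliberately public with PKCE and no direct-access grants: a browser app cannot keep a client secret, and the only place that must trust claims such as organization_id is api-services after it has verified the token signature.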
On Keycloak, there are export and import functions. Here is an exported realm for Greenstand: