
Resources & Remarks

Always keep at the same state! enaio - official help: https://help.optimal-systems.com/enaio/v910/admin/administrator/en/dienste/idprovider.htm
... with first 3 sections of this page.

yuuvis Impulse: https://wiki.optimal-systems.de/pages/viewpage.action?spaceKey=MAN&title=Keycloak

yuuvis Momentum & enaio: https://wiki.optimal-systems.de/display/EnaioServices/Keycloak

  • Antje: page started as collection of existing information, has to be split later on in yuuvis and enaio part and translated.
  • Antje: installation guide copied from official enaio documentation (English version) and modified for yuuvis.
  • Antje: information for yuuvis added (from Oktopus wiki)

Modification History

| Name | Date | Product Version | Action |
|---|---|---|---|
| Antje | 08 FEB 2021 | 2.4 | New page properties macro. |
| Antje | 27 SEP 2021 | 2021 Winter | Impersonation Section added. |
| Agnieszka | 04 OCT 2021 | 2021 Winter | rLANG |
| Antje | 10 NOV 2021 | 2021 Winter | remove roles from access tokens Suppress the |
| Agnieszka | 10 NOV 2021 | 2021 Winter | rLANG |

Suppressing Duplicate Information on Roles

By default, the access token generated by Keycloak contains the roles of the currently logged-in user. The AUTHENTICATION service creates an internal JSON Web Token (JWT) that includes the unchanged Keycloak access token. However, to allow separate role management, the AUTHENTICATION service retrieves the roles of the corresponding user in a separate request and adds them to the internal JWT in addition to the Keycloak access token. The roles stored in the original Keycloak access token therefore duplicate this information and are always ignored. To reduce the size of the JWT, their inclusion in the Keycloak access token can be suppressed by applying the configuration adjustment described below. This reduces the request header size for every request to the yuuvis® Momentum API.

  • Open the Keycloak Admin Console (http://localhost:8080/auth/admin/) and log in as administrator.
  • Select the realm for which the configuration is to be changed.
  • Open the Client Scopes.
  • Open the roles scope.
  • In the Mappers tab, delete the entries realm roles and client.

These configuration steps have to be applied to each realm in each Keycloak instance in which the inclusion of role information in the Keycloak access token is to be suppressed.
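To confirm that the change took effect in a realm, the payload of a freshly issued access token can be inspected for leftover role claims. The following is an added example, not part of the yuuvis® or Keycloak documentation. It assumes the role mappers use Keycloak's default claim names `realm_access` and `resource_access`, and it runs on constructed sample tokens with a dummy signature.

```python
import base64
import json

# Claims written by Keycloak's default realm-role / client-role mappers (assumed).
ROLE_CLAIMS = ("realm_access", "resource_access")


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encode_claims(claims: dict) -> str:
    return b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))


def decode_payload(token: str) -> dict:
    """Decode the payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    segment = parts[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def role_claim_report(token: str) -> dict:
    """Report which role claims remain and how many token bytes they cost."""
    payload = decode_payload(token)
    present = [c for c in ROLE_CLAIMS if c in payload]
    without = {k: v for k, v in payload.items() if k not in ROLE_CLAIMS}
    return {
        "role_claims_present": present,
        "suppressed": not present,
        "bytes_saved_if_removed": len(encode_claims(payload)) - len(encode_claims(without)),
    }


# Constructed sample tokens (dummy header and signature, not from a real realm).
BASE = {"iss": "http://localhost:8080/auth/realms/example", "sub": "constructed-user",
        "preferred_username": "alice", "scope": "openid profile"}
ROLES = {"realm_access": {"roles": ["offline_access", "uma_authorization"]},
         "resource_access": {"account": {"roles": ["manage-account", "view-profile"]}}}
HEADER = encode_claims({"alg": "RS256", "typ": "JWT"})
TOKEN_BEFORE = ".".join([HEADER, encode_claims({**BASE, **ROLES}), b64url(b"sig")])
TOKEN_AFTER = ".".join([HEADER, encode_claims(BASE), b64url(b"sig")])

if __name__ == "__main__":
    for name, tok in (("before", TOKEN_BEFORE), ("after", TOKEN_AFTER)):
        print(name, len(tok), role_claim_report(tok))
```

Because the signature is not checked, this is a configuration check only; it must not be used to make authorization decisions.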
