Manage login settings with Keycloak auth manager
This topic is related to the Keycloak Login Settings.
These settings appear when you create a client in Keycloak, and remain accessible afterward under the Access Settings tab.
They play an important role in limiting the client’s scope and reducing its potential impact area.
Keycloak Client Configuration Guide
This document explains how to properly configure a Keycloak client using your production HTTP(S) URL (<https://yourcompany.airflow.com>).
Overview
Client configuration is a crucial part of enabling Keycloak authentication for your application. You must ensure that Client Authentication, Authorization, and the Authentication Flow are correctly configured.
Set Client Authentication to ON.
Set Authorization to ON.
For Authentication Flow values, refer to the table below.
Login settings (After Client is Created)

| Field | Value |
|---|---|
| Standard Flow | ON |
| Direct Access Grants | ON |
| Implicit Flow | OFF |
| Service accounts roles | ON (by default if configuration overridden from Keycloak) |
| OAuth 2.0 Device Authorization Grant | OFF |
| OIDC CIBA Grant | OFF |

To enable your application to authenticate users through Keycloak, you must configure the following fields in your Keycloak client:
Root URL
Home URL
Valid Redirect URIs
Valid Post Logout Redirect URIs
Web Origins
Admin URL (optional)
Login Settings (While Creating Client)/Access Settings (After Client is Created)

| Field | Production Value |
|---|---|
| Root URL | |
| Home URL | |
| Valid Redirect URIs | |
| Valid Post Logout Redirect URIs | |
| Web Origins | |

Logout settings (After Client is Created)

| Field | Value |
|---|---|
| Front channel logout | ON |

Notes on Keycloak Template Variables
${authBaseUrl}
This resolves to Keycloak’s own base URL, not your application’s URL. You should not use it as the Root URL for your Airflow application.
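
The settings in the tables above can be checked against a client exported as JSON from Keycloak. The following is an added example, not part of the Airflow or Keycloak code base: `audit_client` and `DRIFTED` are hypothetical names, the field and attribute keys are those of Keycloak's client representation, and the rule that redirect URIs must stay under the application URL is an assumption of this example.

```python
APP_URL = "https://yourcompany.airflow.com"  # placeholder URL used on this page

# Boolean fields of the client representation and the values this page prescribes.
EXPECTED_FLAGS = {
    "publicClient": False,                 # Client Authentication ON
    "authorizationServicesEnabled": True,  # Authorization ON
    "standardFlowEnabled": True,
    "directAccessGrantsEnabled": True,
    "implicitFlowEnabled": False,
    "serviceAccountsEnabled": True,
    "frontchannelLogout": True,
}
# These two grants are stored as strings in the client's "attributes" map.
EXPECTED_ATTRS = {
    "oauth2.device.authorization.grant.enabled": "false",
    "oidc.ciba.grant.enabled": "false",
}

def audit_client(client, app_url=APP_URL):
    """Return a list of deviations from the settings on this page."""
    findings = []
    for field, want in EXPECTED_FLAGS.items():
        if client.get(field) is not want:
            findings.append(f"{field}: expected {want}, got {client.get(field)!r}")
    attrs = client.get("attributes") or {}
    for key, want in EXPECTED_ATTRS.items():
        got = attrs.get(key, "false")  # an absent attribute means the grant is off
        if got != want:
            findings.append(f"{key}: expected {want}, got {got}")
    root = client.get("rootUrl") or ""
    if "${authBaseUrl}" in root:
        findings.append("rootUrl: ${authBaseUrl} is Keycloak's URL, not the application's")
    elif root.rstrip("/") != app_url.rstrip("/"):
        findings.append(f"rootUrl: expected {app_url}, got {root!r}")
    # Assumption of this example: redirect URIs stay under the application URL.
    # Relative entries are accepted because Keycloak resolves them against Root URL.
    prefix = app_url.rstrip("/") + "/"
    for uri in client.get("redirectUris") or []:
        relative = uri.startswith("/") and not uri.startswith("//")
        if not (uri.startswith(prefix) or relative):
            findings.append(f"redirectUris: {uri!r} is outside {app_url}")
    return findings

# Constructed sample: a client that drifted from the documented settings.
DRIFTED = {
    **dict.fromkeys(EXPECTED_FLAGS, True), "publicClient": False,
    "rootUrl": "${authBaseUrl}", "redirectUris": ["*", "/*"],
    "attributes": {"oidc.ciba.grant.enabled": "true"},
}
```

For the constructed `DRIFTED` client, `audit_client(DRIFTED)` reports the enabled Implicit Flow, the enabled CIBA grant, the `${authBaseUrl}` Root URL and the bare `*` redirect URI.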