Configuring an IAM solution (Keycloak)

This guide walks through configuring a minimal Keycloak setup to efficiently manage users, roles, and apps. Keycloak is an open-source Identity and Access Management (IAM) solution that secures apps and services with little to no coding.

Prerequisites

Before you begin, ensure you have the following:

Keycloak installed
Administrative access to the Keycloak server
Basic understanding of IAM concepts

Recommended Keycloak version: 22.xNote for Keycloak 26+: If using Keycloak version 26 or above, additional email configuration is required in the realm settings to prevent bad request errors when creating users. See the realm configuration section for details.

Recommended Keycloak setup

To configure a minimal required Keycloak setup, this guide covers the following steps:

Create a new realm

Define available roles and realm-level roles assigned to new users.

Create new users

Add clients

Configure the client authentication, valid redirect URIs, and enable the necessary flows.

Add mappers

Add service accounts

Set up admin, task management, process engine, scheduler, integration designer, runtime manager, organization manager, email gateway, and license service accounts.

Before starting, if you need further information or a broader understanding of Keycloak, refer to the official Keycloak documentation:

Keycloak documentation

Creating a new realm

A realm is a space where you manage objects, including users, applications, roles, and groups. Creating a new realm is the first step in setting up Keycloak. Follow the steps below to create a new realm in Keycloak:

Create Realm

In the top left corner dropdown menu, click Manage realms then click Create realm.

If you are logged in to the master realm, this dropdown menu lists all the realms created.

Enter Realm Details

Enter a realm name and click Create.

Configure Realm Settings

Tokens → Access Token Lifespan: Set to 30 Minutes (recommended).

Access token lifespan setting in realm configuration

Login → Email settings: Configure email authentication settings.

For Keycloak versions 26 and above: You must configure the email settings in the Login tab to avoid bad request errors when creating users in FlowX Designer. Make sure to enable Email as username and Login with email toggles as shown in the realm settings.

Verify your realm is created correctly: navigate to the realm selector dropdown in Keycloak and confirm your new realm appears in the list.

Creating new users

Creating new users is a fundamental part of managing access within Keycloak. Follow these steps to create a new user in a realm and generate a temporary password:

Navigate to Users

In the left menu bar, click Users to open the user list page.

Add a New User

Click Create new user.Fill in the user details and set Email Verified to Yes.

Set Temporary Password

Save the user, go to the Credentials tab, and set a temporary password. Ensure the Temporary checkbox is checked.

Setting temporary password in Keycloak Credentials tab

Verify the user is created: navigate to Users and confirm the new user appears in the list with Email Verified set to Yes.

Password policy

Available starting with FlowX.AI 5.5.0

FlowX.AI enforces the following password policy for all user accounts:

Rule	Requirement
Minimum length	8 characters
Maximum length	64 characters
Uppercase	At least one uppercase letter
Lowercase	At least one lowercase letter
Number	At least one digit
Special character	At least one of `!@#$%^&*()_+-`
Additional	Cannot match the user’s email address

Configure your Keycloak realm password policy to match these requirements. In Keycloak, go to Authentication → Policies → Password Policy and add the corresponding policy rules.

Adding clients

A client represents an application instance that is associated with a specific realm.

Adding an OAuth 2.0 client

Add a client named flowx-platform-authenticate, used for login, logout, and refresh token operations by web and mobile apps.

Navigate to Clients

Click Clients in the top left menu, then click Create client.

Keycloak Clients page with Create client button

Configure General Settings

In the General Settings tab configure the following properties:

Set a client ID to {your-client-name}-authenticate.
Set the Client type to OpenID Connect.

Client general settings with Client ID and Client type

Configure Capability Config

Now click Next and configure the Capability config details:

Enable Direct Access Grants.
Enable Implicit Flow Enabled.

Capability config with Direct Access Grants and Implicit Flow enabled

Set Valid Redirect URIs

Click Next and configure Login settings:

Set Valid redirect URIs, specifying a valid URI pattern that a browser can redirect to after a successful login or logout, simple wildcards are allowed.

Configure Additional Settings

After creating the client, scroll down in the Settings tab and configure additional settings - Logout Settings:

Front Channel Logout: Toggle OFF.
Backchannel Logout Session Required: Toggle OFF.

Logout settings with Front Channel Logout and Backchannel toggled OFF

Add Mappers

Add mappers to {your-client-name}-authenticate client.

For instructions on adding mappers and understanding which mappers to add to your clients, refer to the section on Adding Protocol Mappers.

Adding an Authorizing client

The flowx-platform-authorize client is used for opaque token introspection. In 5.1.x, all services validate tokens by calling the Keycloak introspection endpoint using this client’s credentials.

Create and configure the {your-client-name}-platform-authorize client to authorize REST requests to microservices and Kafka.

Create the Client

Enter the client ID ({your-client-name}-platform-authorize).Set Client type to OpenID Connect.

Configure Capability Config

Client Authentication: Toggle ON

This setting defines the type of the OIDC client. When enabled, the client type is set to “confidential access.” When disabled, it is set to “public access”.

Authorize client with Client Authentication toggled ON

Set Valid Redirect URIs

Valid Redirect URIs: Populate this field with the appropriate URIs. Save the configuration.

Configure Additional Settings

After creating the client, scroll down in the Settings tab and configure additional settings - Logout Settings:

Backchannel Logout Session Required: Toggle OFF.
Front Channel Logout: Toggle OFF.

Once you have configured these settings, the {your-client-name}-platform-authorize client will be created and can be used to authorize REST requests to microservices and Kafka within your app.

Example configuration for microservices

Below is an example of a minimal security configuration for microservices in 5.1.x. Services validate incoming tokens using opaque-token introspection against the Keycloak introspect endpoint. Services that make outbound authenticated calls also configure a service account via the OAuth2 client registration.

security:
  type: oauth2
  oauth2-client: enabled          # Only for services that make outbound calls
  oauth2:
    base-server-url: https://keycloak.example.com   # Base URL of the Keycloak server
    realm: your-realm-name                           # Keycloak realm name
    client:
      client-id: flowx-platform-authorize            # Client for token introspection
      client-secret: CLIENT_SECRET
    service-account:
      admin:
        client-id: flowx-{service-name}-sa           # e.g., flowx-process-engine-sa
        client-secret: SA_CLIENT_SECRET

spring:
  security:
    oauth2:
      resource-server:
        opaque-token:
          introspection-uri: ${security.oauth2.base-server-url}/realms/${security.oauth2.realm}/protocol/openid-connect/token/introspect
          client-id: ${security.oauth2.client.client-id}
          client-secret: ${security.oauth2.client.client-secret}
      client:
        registration:
          mainIdentity:
            provider: mainAuthProvider
            client-id: ${security.oauth2.service-account.admin.client-id}
            client-secret: ${security.oauth2.service-account.admin.client-secret}
            authorization-grant-type: client_credentials
            client-authentication-method: client_secret_post
        provider:
          mainAuthProvider:
            token-uri: ${security.oauth2.base-server-url}/realms/${security.oauth2.realm}/protocol/openid-connect/token

Configuration Key	Value/Example	Description
`security.type`	`oauth2`	Validates tokens via opaque-token introspection.
`security.oauth2-client`	`enabled`	Enables the OAuth2 client for service-to-service calls.
`security.oauth2.base-server-url`	`https://keycloak.example.com`	Base URL of the Keycloak server.
`security.oauth2.realm`	`your-realm-name`	The Keycloak realm name.
`security.oauth2.client.client-id`	`flowx-platform-authorize`	Client ID used for opaque-token introspection.
`security.oauth2.client.client-secret`	`CLIENT_SECRET`	Client secret for introspection.
`security.oauth2.service-account.admin.client-id`	`flowx-{service-name}-sa`	Service account client ID (e.g., `flowx-process-engine-sa`).
`spring.security.oauth2.client.provider.mainAuthProvider.token-uri`	`${security.oauth2.base-server-url}/realms/${security.oauth2.realm}/protocol/openid-connect/token`	Token endpoint in the realm.

Adding protocol mappers

Protocol mappers in Keycloak allow you to transform tokens and documents, enabling actions such as mapping user data into protocol claims and modifying requests between clients and the authentication server. This provides greater customization and control over the information contained in tokens and exchanged during authentication processes.

To enhance your clients’ functionality, add the following common mappers:

Group Membership mapper (realm-groups)
- Maps user groups to the authorization token.
User Attribute mapper (business filter mapper)
- Maps custom attributes, for example, mapping the businessFilters list, to the token claim.
User Realm role (realm-roles)
- Maps a user’s realm role to a token claim.

The mappers should be configured to be included in the token introspection response. Previously, mappers were primarily added to the /userinfo endpoint, but modern Keycloak versions support adding them to token introspection, which is the recommended approach for better security and performance.

By incorporating these mappers, you can further customize and enrich the information contained within your tokens, ensuring they carry the necessary data for your applications.

Group Membership mapper

Steps to add a Group Membership mapper:

Navigate to Clients

From the Keycloak admin console, go to Clients and select your desired client.

Select Client Scopes

In the client settings, click on Client Scopes.Select the dedicated client scope: {your-client-name}-authenticate-dedicated to open its settings.

Client Scope

Make sure the Mappers tab is selected within the dedicated client scope.

Add a New Mapper

Click Add Mapper. From the list of available mappers, choose Group Membership.

Add Group Membership mapper from predefined list

Provide Mapper Details

Name: Enter a descriptive name for the mapper to easily identify its purpose, for example realm-groups.Token Claim Name: Set the token claim name, typically as groups, for including group information in the token.Add to ID Token: Toggle OFF.Add to token introspection: Toggle ON.

This group membership mapper includes the user’s group information in the token for authorization purposes.

User Attribute mapper

To include custom attributes such as business filters in the token claim, follow these steps to add a user attribute mapper:

Navigate to Client Scopes

From the Keycloak admin console, go to Clients and select your desired client.Click on Client Scopes and choose {your-client-name}-authenticate-dedicated to open its settings.Ensure the Mappers tab is selected.

Client scopes Mappers tab for attribute mapper

Add a New Mapper

Click Add mapper. From the list of available mappers, select User Attribute.

Provide Mapper Details

Mapper Type: Select User Attribute.
Name: Enter a descriptive name for the mapper, such as “Business Filters Mapper”.
User Attribute: Enter businessFilter.
Token Claim Name: Enter attributes.businessFilters.
Add to access token: Toggle ON.
Add to token introspection: Toggle ON (recommended).
Multivalued: Toggle ON.
Aggregate attribute values: Toggle ON.

This user attribute mapper includes the custom attribute “businessFilters” in the token claim under the name “attributes.businessFilters”, making business filter information available within your app. For more information about business filters, refer to the following section:

Business filters

User realm role mapper

To add a roles mapper to the {your-client-name}-authenticate client, so roles will be available in the OAuth user info response, follow these steps:

Navigate to Client Scopes

Add a New Mapper

Click Add Mapper. From the list of available mappers, select User Realm Role.

User Realm Role mapper in predefined list

Provide Mapper Details

Name: Enter a descriptive name for the mapper, such as “Roles Mapper”.
Mapper Type: Select User Realm Role.
Token Claim Name: Enter roles.
Add to ID Token: Toggle OFF.
Add to access token: Toggle OFF.
Add to token introspection: Toggle ON.

This roles mapper includes the user’s assigned realm roles in the OAuth user info response under the claim name “roles”.

You can repeat these steps to add multiple roles mappers if you need to include multiple realm roles in the token claim.

Creating a basic client scope

To ensure consistent token configuration across all clients, you should create a default client scope named “basic” with predefined mappers.

Navigate to Client Scopes

From the Keycloak admin console, go to Client Scopes in the left menu.Click Create client scope.

Configure Client Scope Settings

Name: Enter basic.
Type: Select Default.
Protocol: Select OpenID Connect.
Display on consent screen: Toggle OFF.
Include in token scope: Toggle ON.

Click Save.

Add Predefined Mappers

In the newly created basic client scope, navigate to the Mappers tab.Add the following predefined mappers:

sub mapper:
- Click Add mapper → From predefined mappers
- Select sub
- Click Add
auth_time mapper:
- Click Add mapper → From predefined mappers
- Select auth_time
- Click Add

Assign to All Clients

After creating the basic client scope, assign it to all your clients:

Navigate to Clients in the left menu
For each client (e.g., flowx-platform-authenticate, flowx-platform-authorize, and all service accounts):
- Open the client settings
- Go to the Client Scopes tab
- Click Add client scope
- Select basic from the list
- Choose Default as the assignment type
- Click Add

The basic client scope ensures that all clients have consistent token claims for subject identification (sub) and authentication time (auth_time), which are essential for proper token validation and session management.

Examples

To request a login token:

curl --location --request POST 'http://localhost:8080/realms/flowx/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=admin@flowx.ai' \
--data-urlencode 'password=password' \
--data-urlencode 'client_id= your-client-name-authenticate'

Refresh token

To refresh an existing token:

curl --location --request POST 'http://localhost:8080/realms/flowx/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'client_id= your-client-name-authenticate' \
--data-urlencode 'refresh_token=ACCESS_TOKEN'

User info

To retrieve user information:

curl --location --request GET 'localhost:8080/realms/flowx/protocol/openid-connect/userinfo' \
--header 'Authorization: Bearer ACCESS_TOKEN' \

Adding service accounts

What is a service account?A service account grants direct access to the Keycloak API for a specific component. Each client can have a built-in service account that allows it to obtain an access token.

To use this feature you must enable the Client authentication (access type) for your client. When you do this, the Service Accounts Enabled switch will appear.

Realm architecture

In 5.1.x, FlowX.AI uses a single-realm architecture in Keycloak. All clients — including user-facing clients (flowx-platform-authenticate, flowx-platform-authorize) and service account clients — are created in the same realm. The service accounts described in this section should be created in the user realm (the realm you created in the Creating a new realm section). Each service authenticates using the client_credentials grant type and references the realm via the security.oauth2.realm configuration property.

Available starting with FlowX.AI 5.4.0 — A two-realm architecture is introduced where service accounts are moved to a dedicated service accounts realm, identified by a UUID. This is not applicable to 5.1.x deployments.

Admin service account

The admin service account is used by the admin microservice to connect with Keycloak, enabling user and group management features within the FlowX.AI Designer. Steps to add an Admin service account:

Create the Client

Navigate to Clients and select Create client.Enter a Client ID for your new client.

Configure Capability Config

Enable Client authentication (access type).
Disable Standard flow.
Disable Direct access grants.
Enable Service accounts roles.

Service account capability config with Client authentication and Service accounts roles enabled

Configure Additional Settings

After creating the client, scroll down in the Settings tab and configure additional settings - Logout Settings:

Backchannel Logout Session Required: Toggle OFF.
Front Channel Logout: Toggle OFF.

Logout settings toggled OFF for service account

Configure Service Account Roles

In the newly created client, navigate to the Service accounts roles tab.

Important: The admin service account no longer requires client roles from realm-management. If you have existing roles assigned, remove them to follow the updated security model.

The admin service account is now configured to work without specific client roles. Authentication and authorization will be managed through the service account token itself.

The admin service account does not require mappers or specific client roles. Authentication is handled through the service account token itself.

Task Management service account

The task management service account facilitates process initiation and enables the use of the task management plugin (requiring the FLOWX_ROLE and role mapper), and access data from Keycloak. Steps to Add a Task Management service account:

Create the Service Account

Follow steps 1-3 as in the Admin Service account configuration: Admin service account.

Assign Necessary Roles

In the newly created client, navigate to the Service accounts roles tab.Click Assign role and in the Filter field, select Filter by clients.Assign the following service account client roles from realm-management:

view-users
query-users
query-groups

Remove any other roles if they are assigned (such as view-realm). The task management service account should only have these three client roles.

Assigning realm-management client roles to task management SA

The task management plugin service account requires a realm roles mapper to function correctly. Make sure to configure this to ensure proper operation.

In the end, you should have something similar to this:

Task management SA with assigned client roles

Add a Realm Roles Mapper

In the newly created task management plugin service account, select Client Scopes:Click on {your-client-name}-service-account to open its settings.

Ensure the Mappers tab is selected within the dedicated client scope.

Click Add mapper. From the list of available mappers, select User Realm Role.

Adding User Realm Role mapper to task management SA

Configure the Mapper

Name: Enter a descriptive name for the mapper to easily identify its purpose, for example realm-roles.Token Claim Name: Set it to roles.Disable Add to ID token.

Realm roles mapper configuration for task management SA

Click Save.

Add the Service Account Realm Role

Assign the FLOWX_ROLE service account realm role (used to grant permissions for starting processes).

The FLOWX_ROLE is used to grant permissions for starting processes in the FlowX.AI Designer platform. By default, this role is named FLOWX_ROLE, but its name can be changed from the application configuration of the Engine by setting the following environment variable:FLOWX_PROCESS_DEFAULTROLES

Process engine service account

The process engine requires a service account for service-to-service authentication and authorization.

This service account is also needed to be able to use Start Catch Event node.

Create the Client

Follow steps 1-3 as in the Admin Service Account Configuration: Admin service account.

Configure Service Account Roles

In the newly created client, navigate to the Service accounts roles tab.The process engine service account does not require client roles from realm-management. Authentication and authorization are managed through the service account token and the SA_FLOWX realm role.

Add a Realm Roles Mapper

In the newly created process engine service account, select Client Scopes.Click on {your-client-name}-service-account to open its settings.Ensure the Mappers tab is selected within the dedicated client scope.Click Add mapper. From the list of available mappers, select User Realm Role.Configure the mapper:

Name: Enter realm-roles
Token Claim Name: Set it to roles
Add to ID token: Toggle OFF
Add to token introspection: Toggle ON

Adding realm roles mapper to process engine SA

Scheduler service account

This service account is used for Start Timer Event node. The registered timers in the scheduler require sending a process start message to Kafka. Authentication is also necessary for this operation.

The configuration is similar to the process engine service account:

Create the Client

Follow steps 1-3 as in the Admin Service Account Configuration: Admin service account.

Configure Service Account Roles

In the newly created client, navigate to the Service accounts roles tab.The scheduler service account does not require client roles from realm-management. Authentication and authorization are managed through the service account token and the SA_FLOWX realm role.

Add a Realm Roles Mapper

Add a realm-roles mapper (as shown in the example for process-engine service account):In the scheduler service account, select Client Scopes.Click on {your-client-name}-service-account to open its settings.Ensure the Mappers tab is selected within the dedicated client scope.Click Add mapper. From the list of available mappers, select User Realm Role.Configure the mapper:

Name: Enter realm-roles
Token Claim Name: Set it to roles
Add to ID token: Toggle OFF
Add to token introspection: Toggle ON

Integration Designer service account

The Integration Designer service account is used by the integration designer microservice to interact securely with Keycloak, enabling it to manage various integrations within the FlowX.AI platform. Steps to set up an Integration Designer service account:

Create the Client

In Keycloak, navigate to Clients and select Create client.
Enter a Client ID for your new client (e.g., flowx-integration-designer-sa).

Configure Client Capabilities

Enable Client authentication under access type.
Enable Service accounts roles to allow the account to manage integrations.

Integration Designer SA capability config

Save the Client Configuration

Skip the Login settings page.
Click Save to apply the configuration.

Assign Service Account Client Roles

In the newly created client, navigate to the Service accounts roles tab.Click Assign role and in the Filter field, select Filter by clients.Assign only the view-users role from realm-management:

Remove any other roles if they are assigned. The integration designer service account should only have the view-users client role.

Authorization System service account

The Authorization System service account is used for managing user authentication and authorization operations, including user management, realm configuration, and access control within the FlowX.AI platform. Steps to set up an Authorization System service account:

Create the Client

Navigate to Clients and select Create client.Enter a Client ID for your new client (e.g., flowx-authorization-system-sa).

Configure Capability Config

Enable Client authentication (access type).
Disable Standard flow.
Disable Direct access grants.
Enable Service accounts roles.

Configure Additional Settings

After creating the client, scroll down in the Settings tab and configure additional settings - Logout Settings:

Backchannel Logout Session Required: Toggle OFF.
Front Channel Logout: Toggle OFF.

Assign Service Account Client Roles

view-users
query-users
manage-users
manage-realm

These roles are essential for the Authorization System service account to perform user and realm management operations within Keycloak.

Runtime manager service account

The runtime manager service account is used by both Application Manager and Runtime Manager services to connect with Keycloak and perform export/import operations for builds, application versions, or other resource-specific tasks. Steps to add a Runtime manager service account:

Create the Client

Navigate to Clients and select Create client.Enter a Client ID for your new client.

Configure Capability Config

Enable Client authentication (access type).
Disable Standard flow.
Disable Direct access grants.
Enable Service accounts roles.

Configure Additional Settings

After creating the client, scroll down in the Settings tab and configure additional settings - Logout Settings:

Backchannel Logout Session Required: Toggle OFF.
Front Channel Logout: Toggle OFF.

Configure Service Account Roles

In the newly created client, navigate to the Service accounts roles tab.

Important: The runtime manager service account no longer requires specific realm roles. If you have existing roles assigned (such as ROLE_TASK_MANAGER_HOOKS_ADMIN, ROLE_ADMIN_MANAGE_PROCESS_ADMIN, etc.), remove them to follow the updated security model.

The runtime manager service account is now configured to work without specific realm roles. Authentication and authorization for export/import operations will be managed through the service account token itself.

Organization manager service account

Available starting with FlowX.AI 5.5.0

The organization manager service account is used by the organization manager microservice to handle organization and workspace management within the FlowX.AI platform.

Create the Client

Follow steps 1-3 as in the Admin Service Account Configuration: Admin service account.Enter a Client ID of flowx-organization-manager-sa.

Configure Service Account Roles

In the newly created client, navigate to the Service accounts roles tab.The organization manager service account does not require specific client roles from realm-management. Authentication and authorization are managed through the service account token and the SA_FLOWX realm role.

Email gateway service account

Available starting with FlowX.AI 5.4.0

The email gateway service account is used by the email gateway microservice to manage email sending and receiving operations within the FlowX.AI platform.

Create the Client

Follow steps 1-3 as in the Admin Service Account Configuration: Admin service account.Enter a Client ID of flowx-email-gateway-sa.

Assign Service Account Client Roles

view-users

Remove any other roles if they are assigned. The email gateway service account should only have the view-users client role.

License service account

Available starting with FlowX.AI 5.5.0

The license service account is used by the license microservice to manage license validation and enforcement within the FlowX.AI platform.

Create the Client

Follow steps 1-3 as in the Admin Service Account Configuration: Admin service account.Enter a Client ID of flowx-license-sa.

Assign Service Account Client Roles

view-users

Remove any other roles if they are assigned. The license service account should only have the view-users client role.

Configuring SA_FLOWX realm role

The SA_FLOWX role is a realm-level role that should be assigned to all service accounts to ensure proper authentication and authorization across the FlowX.AI platform.

Create the SA_FLOWX Realm Role

In the Keycloak admin console, navigate to Realm roles in the left menu.
Click Create role.
Enter SA_FLOWX as the Role name.
Add a description: “Service account role for FlowX.AI platform services”.
Click Save.

Assign SA_FLOWX to Service Accounts

For each service account listed below, assign the SA_FLOWX realm role:

process-engine
flowx-admin-sa
runtime-manager-sa
flowx-integration-designer-sa
scheduler-core
flowx-authorization-system-sa
flowx-organization-manager-sa
flowx-email-gateway-sa
flowx-license-sa
task-manager (if applicable)

To assign the role to each service account:

Navigate to Clients and select the service account client.
Go to the Service accounts roles tab.
Click Assign role.
In the Filter field, select Filter by realm roles.
Find and select SA_FLOWX from the list.
Click Assign.

Assigning SA_FLOWX realm role to a service account

Verify Role Assignment

After assigning the role to all service accounts, verify that each service account has the SA_FLOWX role listed in its Service accounts roles tab.

The SA_FLOWX role ensures consistent authentication and authorization behavior across all FlowX.AI platform services. Make sure all service accounts have this role assigned for proper system operation.

Troubleshooting

Bad request error when creating users in FlowX Designer

Keycloak 26+ only: You must configure email settings in the Login tab of realm settings. Toggle ON both Email as username and Login with email. Without this configuration, user creation requests from FlowX Designer fail with a bad request error.

Realm name conflict

Ensure the realm name is unique within your Keycloak instance. Duplicate realm names cause creation failures.

Service account authentication fails

Verify the following:

The service account client has Client authentication enabled and Service accounts roles toggled ON.
The SA_FLOWX realm role is assigned to the service account.
The client secret in your deployment matches the secret in Keycloak (Clients → select client → Credentials tab).
The security.oauth2.realm configuration points to the correct realm.

Token missing groups, roles, or business filters

Check that the required protocol mappers are configured on the correct client scope:

Group Membership mapper with Add to token introspection toggled ON.
User Realm Role mapper with Add to token introspection toggled ON.
User Attribute mapper for business filters with Multivalued and Aggregate attribute values toggled ON.

Task auto-assignment not working

The task management service account requires view-users, query-users, and query-groups client roles from realm-management. Verify these are assigned in the Service accounts roles tab.

Summary

By following these steps, you have a minimal Keycloak setup to manage users, roles, and apps efficiently. For more detailed configurations and advanced features, refer to the official Keycloak documentation.

Access Management overview

User roles, groups, and access control

Business filters

Data-level access control using business filters

Keycloak documentation

Official Keycloak documentation

Microservices

Plugins

Observability

Access management

​Prerequisites

​Recommended Keycloak setup

Keycloak documentation

​Creating a new realm

​Creating new users

​Password policy

​Adding clients

​Adding an OAuth 2.0 client

​Adding an Authorizing client

​Example configuration for microservices

​Adding protocol mappers

​Group Membership mapper

​User Attribute mapper

Business filters

​User realm role mapper

​Creating a basic client scope

​Examples

​Login

​Refresh token

​User info

​Adding service accounts

​Realm architecture

​Admin service account

​Task Management service account

​Process engine service account

​Scheduler service account

​Integration Designer service account

​Authorization System service account

​Runtime manager service account

​Organization manager service account

​Email gateway service account

​License service account

​Configuring SA_FLOWX realm role

​Troubleshooting

​Summary

​Related resources

Access Management overview

Business filters

Keycloak documentation

Prerequisites

Recommended Keycloak setup

Creating a new realm

Creating new users

Password policy

Adding clients

Adding an OAuth 2.0 client

Adding an Authorizing client

Example configuration for microservices

Adding protocol mappers

Group Membership mapper

User Attribute mapper

User realm role mapper

Creating a basic client scope

Examples

Login

Refresh token

User info

Adding service accounts

Realm architecture

Admin service account

Task Management service account

Process engine service account

Scheduler service account

Integration Designer service account

Authorization System service account

Runtime manager service account

Organization manager service account

Email gateway service account

License service account

Configuring SA_FLOWX realm role

Troubleshooting

Summary

Related resources