.. _devops_oidc:

==========================
Configuring OpenID Connect
==========================

Open Archiefbeheer supports OpenID Connect (OIDC) login. In order for the application 
to function correctly, the correct roles/groups need to be configured in the OIDC provider (OP).

The applications has by default the following groups:

* Record Manager
* Reviewer
* Archivist
* Superuser
* Co-reviewer
* Administrator

The actions that a user can perform within the application depend on which group(s) they belong to.

When a user logs in with OIDC, the claims returned by the OP need to contain the group(s) to which the user should be added. 
The application will automatically create a user and add them to the group(s) with name matching
the groups that are present in the claims.

Keycloak
========

When using keycloak as the OpenID Connect Provider, some configuration is needed to make sure that
the claims contain the right groups.

Within a realm, this should be configured:

* Within a client, the client roles should include:

  * Administrator
  * Record Manager
  * Reviewer
  * Co-reviewer
  * Archivist
  * Superuser

  This can be configured under **Clients** and then after clicking on the desired client, under the tab **Roles**.

* The following Keycloak groups should be created in the realm (under **Groups**). 

  * Admins
  * OAB - Administrator
  * OAB - Record Manager
  * OAB - Reviewer
  * OAB - Co-reviewer
  * OAB - Archivist
  * Test Admins

* Each group needs to have a mapping to a role. This can be configured under **Groups**, 
  then clicking on the group, going to the tab **Role Mapping** and selecting the right role.
  For each group, the correct role mapping should be:

  * Group name: **Admins** → Role name: **Superuser**
  * Group name: **OAB - Administrator** → Role name: **Administrator**
  * Group name: **OAB - Record Manager** → Role name: **Record Manager**
  * Group name: **OAB - Reviewer** → Role name: **Reviewer**
  * Group name: **OAB - Co-reviewer** → Role name: **Co-reviewer**
  * Group name: **OAB - Archivist** → Role name: **Archivist**

  For test environments:

  * Group name: **Test Admins** → Role name: **Superuser**