Configuring OpenID Connect
Open Archiefbeheer supports OpenID Connect (OIDC) login. In order for the application to function correctly, the correct roles/groups need to be configured in the OIDC provider (OP).
The applications has by default the following groups:
Record Manager
Reviewer
Archivist
Superuser
Co-reviewer
Administrator
The actions that a user can perform within the application depend on which group(s) they belong to.
When a user logs in with OIDC, the claims returned by the OP need to contain the group(s) to which the user should be added. The application will automatically create a user and add them to the group(s) with name matching the groups that are present in the claims.
Keycloak
When using keycloak as the OpenID Connect Provider, some configuration is needed to make sure that the claims contain the right groups.
Within a realm, this should be configured:
Within a client, the client roles should include:
Administrator
Record Manager
Reviewer
Co-reviewer
Archivist
Superuser
This can be configured under Clients and then after clicking on the desired client, under the tab Roles.
The following Keycloak groups should be created in the realm (under Groups).
Admins
OAB - Administrator
OAB - Record Manager
OAB - Reviewer
OAB - Co-reviewer
OAB - Archivist
Test Admins
Each group needs to have a mapping to a role. This can be configured under Groups, then clicking on the group, going to the tab Role Mapping and selecting the right role. For each group, the correct role mapping should be:
Group name: Admins → Role name: Superuser
Group name: OAB - Administrator → Role name: Administrator
Group name: OAB - Record Manager → Role name: Record Manager
Group name: OAB - Reviewer → Role name: Reviewer
Group name: OAB - Co-reviewer → Role name: Co-reviewer
Group name: OAB - Archivist → Role name: Archivist
For test environments:
Group name: Test Admins → Role name: Superuser