Skip to main content

OpenID Connect (OIDC) Keycloak example

This short tutorial shows how to set up Studo Flow's OIDC login provider with Keycloak. Users from the Keycloak's realm then should be able to log in into Studo Flow.

You can follow this tutorial to configure your Keycloak, or use it as a reference point to configure a different OIDC compatible identity provider.


This tutorial assumes the following setup:

  • A Keycloak server instance
  • A provisioned Flow server with a valid licence and reachable web interface
  • A working networking setup where the Flow server and Keycloak can communicate


Create a Keycloak client

First we will configure Keycloak by creating a client in the Keycloak web UI for Flow.

  1. Select the desired Keycloak realm, click on Clients then click on Create.
  2. Set a Client ID (for this tutorial we will use "studo-flow").
  3. As Client Protocol use "openid-connect".
  4. As Root URL use the following pattern "https://<FLOW_DOMAIN>" (for this tutorial we will use
  5. Click Save.
  6. Set name and description to e.g. "Studo Flow" (these values don't impact functionality).
  7. Make sure Enabled is true.
  8. Set Access Type to "confidential".
  9. Set Standard Flow Enabled and Direct Access Grants Enabled to true.
  10. Set Front Channel Logout to false.
  11. Set Valid Redirect URIs to "/*".
  12. Set Backchannel Logout Session Required to true.
  13. Click Save.
  14. Click on the Client Scopes tab, and make sure that Assigned Default Client Scopes has the scope "email".
  15. Click on the Credentials tab and make sure that Client Authenticator is set to "Client Id and Secret".

Setup Flow to use the newly created Keycloak client

Go to your Flow server's web UI, and log in as an admin user.

  1. Go to System Configuration and click Configure login providers in the toolbar.
  2. Scroll down to OidcLoginProvider, set enable to "true" and click Save configuration.
  3. Set clientId to your newly created client's id (we will use "studo-flow").
  4. Set clientSecret to your client's secret (You can find this on the Credentials tab from step 15).
  5. Set openIdConfigUrl to your Keycloak's OpenID Endpoint Configuration URL. (In Keycloak you can find this on the General tab of the realm's configuration page. For this tutorial we will use Studo's Keyloak instance:

Getting the userId's right

Flow gets all it's users from its importers. The userId of these users must either match

  • the subject ("sub" field in the userinfo response) of the Keycloak user
  • the username ("preferred_username" field in the userinfo response) of the Keycloak user

Configure the userIdField according to your needs.