Keycloak
Overview
VitalBridge uses Keycloak as its Identity and Access Management (IAM) platform.
Keycloak serves as the central identity provider for all platform users and is responsible for authentication, token issuance, session management, and role assignment.
The platform delegates identity management responsibilities to Keycloak rather than implementing authentication directly within application services.
Responsibilities
Keycloak is responsible for:
- User authentication
- Access token issuance
- Refresh token issuance
- Session management
- Password management
- Role assignment
- Identity federation
- Single Sign-On (SSO)
High-Level Architecture
```mermaid
flowchart TB
    USER["User"]
    KC["Keycloak"]
    GATEWAY["API Gateway"]
    SERVICES["Domain Services"]
    USER --> KC
    KC --> GATEWAY
    GATEWAY --> SERVICES
```
Authentication Flow
```mermaid
sequenceDiagram
    participant User
    participant Keycloak
    participant Gateway
    User->>Keycloak: Login
    Keycloak-->>User: Access Token
    User->>Gateway: API Request
    Gateway->>Keycloak: Validate Token
    Keycloak-->>Gateway: Token Valid
    Gateway-->>User: Response
```
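The "Validate Token" step in the flow above is where the gateway decides whether to trust a bearer token that claims to come from the realm. The Go program below is an added example, not VitalBridge or Keycloak code. It mints a sample RS256 access token with a locally generated key that stands in for the realm signing key (a real gateway never holds that private key; it loads the realm's public keys from the JWKS endpoint `/realms/<realm>/protocol/openid-connect/certs`), then validates the token the way a gateway should: pinned algorithm, known key id, signature before anything else, then issuer, expiry and the requesting client (`azp`). The realm URL, the client id `patient-portal`, the key id and the role names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding // JWT segments are unpadded base64url

// Claims is the subset of a Keycloak access token the gateway inspects; Keycloak
// puts realm roles under realm_access.roles and the requesting client id in azp.
type Claims struct {
	Iss         string `json:"iss"`
	Azp         string `json:"azp"`
	Exp         int64  `json:"exp"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

// GenerateRealmKey stands in for the realm signing key (assumption: in production the
// gateway only ever sees the public half, via the realm's JWKS endpoint).
func GenerateRealmKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// SignRS256 mints a sample token the way the realm does: RSASSA-PKCS1-v1_5 over
// SHA-256 of "header.payload". Used here only to produce test input.
func SignRS256(c Claims, kid string, key *rsa.PrivateKey) (string, error) {
	h := fmt.Sprintf(`{"alg":"RS256","typ":"JWT","kid":%q}`, kid)
	p, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(h)) + "." + enc.EncodeToString(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err
}

// VerifyAccessToken is the gateway's "Validate Token" step. Nothing in the payload
// is trusted until the signature verifies under a key and algorithm the gateway
// already expects; only then are issuer, expiry and client (azp) examined.
func VerifyAccessToken(token string, realmKeys map[string]*rsa.PublicKey,
	issuer string, allowedAzp map[string]bool, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawH, err := enc.DecodeString(parts[0])
	var h struct{ Alg, Kid string } // alg is pinned: the token never gets to choose it
	if err != nil || json.Unmarshal(rawH, &h) != nil || h.Alg != "RS256" {
		return nil, fmt.Errorf("rejected header (alg=%q)", h.Alg)
	}
	pub, ok := realmKeys[h.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	rawC, err := enc.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(rawC, &c) != nil {
		return nil, errors.New("unparseable claims")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case !allowedAzp[c.Azp]:
		return nil, fmt.Errorf("client %q not allowed", c.Azp)
	}
	return &c, nil
}

// HasRealmRole reports whether a verified token carries the given realm role.
func HasRealmRole(c *Claims, role string) bool {
	for _, r := range c.RealmAccess.Roles {
		if r == role {
			return true
		}
	}
	return false
}

func main() { // constructed sample: mint one token, then validate it as the gateway would
	key, _ := GenerateRealmKey()
	iss := "https://keycloak.example.invalid/realms/vitalbridge" // assumed realm URL
	keys := map[string]*rsa.PublicKey{"realm-key-1": &key.PublicKey}
	c := Claims{Iss: iss, Azp: "patient-portal", Exp: time.Now().Add(5 * time.Minute).Unix()}
	c.RealmAccess.Roles = []string{"patient"}
	tok, _ := SignRS256(c, "realm-key-1", key)
	got, err := VerifyAccessToken(tok, keys, iss, map[string]bool{"patient-portal": true}, time.Now())
	fmt.Println(err, got != nil && HasRealmRole(got, "patient"))
}
```

The order of checks is the point: the algorithm and key id come from the gateway's own configuration, the signature is verified before any claim is read, and only a verified token's `realm_access.roles` is consulted for authorization. A gateway that reads `exp` or roles first, or that accepts whatever `alg` the header names, has handed the decision to the token's author.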
Realms
VitalBridge currently operates within a dedicated Keycloak realm.
```mermaid
flowchart LR
    REALM["VitalBridge Realm"]
    USERS["Users"]
    ROLES["Roles"]
    CLIENTS["Clients"]
    REALM --> USERS
    REALM --> ROLES
    REALM --> CLIENTS
```
The realm acts as the security boundary for platform identities.
Clients
Keycloak manages multiple client applications.
Examples include:
- Super Admin Portal
- Tenant Admin Portal
- Provider Portal
- Patient Portal
- API Gateway
Token Types
```mermaid
flowchart LR
    USER["User"]
    ACCESS["Access Token"]
    REFRESH["Refresh Token"]
    USER --> ACCESS
    USER --> REFRESH
```
Access Token
Used to access platform APIs.
Refresh Token
Used to obtain new access tokens without re-authentication.
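Obtaining a new access token without re-authentication is a form POST to the realm's token endpoint. The Go program below is an added example, not VitalBridge or Keycloak code. It shows the client side of that exchange against Keycloak's `/realms/<realm>/protocol/openid-connect/token` endpoint with `grant_type=refresh_token`, a helper for deciding when to refresh ahead of expiry, and an in-process stand-in for the realm so both sides of the exchange run offline. The realm name `vitalbridge`, the client id `patient-portal`, the token values and the stand-in's single-use refresh-token behaviour are assumptions.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// TokenResponse is the JSON Keycloak's token endpoint returns on success.
type TokenResponse struct {
	AccessToken      string `json:"access_token"`
	RefreshToken     string `json:"refresh_token"`
	ExpiresIn        int    `json:"expires_in"`
	RefreshExpiresIn int    `json:"refresh_expires_in"`
	TokenType        string `json:"token_type"`
}

// NeedsRefresh reports whether an access token expiring at exp should be renewed
// now, leaving leeway for clock skew and the request that will carry it.
func NeedsRefresh(exp, now time.Time, leeway time.Duration) bool {
	return !now.Add(leeway).Before(exp)
}

// RefreshAccessToken performs the refresh grant: a form POST to the realm's
// token endpoint with grant_type=refresh_token. A confidential client would
// also send client_secret; the portals here are treated as public clients.
func RefreshAccessToken(ctx context.Context, hc *http.Client, tokenURL, clientID, refreshToken string) (*TokenResponse, error) {
	form := url.Values{"grant_type": {"refresh_token"}, "client_id": {clientID}, "refresh_token": {refreshToken}}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := hc.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		var e struct{ Error string `json:"error"` }
		_ = json.NewDecoder(resp.Body).Decode(&e) // e.g. {"error":"invalid_grant"} for a revoked or replayed token
		return nil, fmt.Errorf("refresh failed: HTTP %d %s", resp.StatusCode, e.Error)
	}
	var tr TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	return &tr, nil
}

// FakeRealm stands in for Keycloak so the exchange can run offline (assumption: it
// models a realm that rotates refresh tokens, so each one is single-use and a
// replayed or wrong-client token is answered with invalid_grant).
type FakeRealm struct {
	mu     sync.Mutex
	live   map[string]string // live refresh token -> client_id it was issued to
	serial int
}

func NewFakeRealm(refreshToken, clientID string) *FakeRealm {
	return &FakeRealm{live: map[string]string{refreshToken: clientID}}
}

func (f *FakeRealm) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	if r.Method != http.MethodPost || r.ParseForm() != nil || r.PostForm.Get("grant_type") != "refresh_token" {
		w.WriteHeader(http.StatusBadRequest)
		fmt.Fprint(w, `{"error":"unsupported_grant_type"}`)
		return
	}
	f.mu.Lock()
	defer f.mu.Unlock()
	old := r.PostForm.Get("refresh_token")
	if owner, ok := f.live[old]; !ok || owner != r.PostForm.Get("client_id") {
		w.WriteHeader(http.StatusBadRequest)
		fmt.Fprint(w, `{"error":"invalid_grant"}`)
		return
	}
	f.serial++
	next := fmt.Sprintf("refresh-%d", f.serial) // rotate: the old token is now dead
	f.live[next] = f.live[old]
	delete(f.live, old)
	json.NewEncoder(w).Encode(TokenResponse{AccessToken: fmt.Sprintf("access-%d", f.serial),
		RefreshToken: next, ExpiresIn: 300, RefreshExpiresIn: 1800, TokenType: "Bearer"})
}

func main() { // constructed sample: one refresh against the stand-in realm
	srv := httptest.NewServer(NewFakeRealm("refresh-0", "patient-portal"))
	defer srv.Close()
	tokenURL := srv.URL + "/realms/vitalbridge/protocol/openid-connect/token"
	tr, err := RefreshAccessToken(context.Background(), srv.Client(), tokenURL, "patient-portal", "refresh-0")
	fmt.Println(tr, err)
}
```

Two details matter for a client: it must persist the `refresh_token` from every successful response, because a realm that rotates refresh tokens will reject the previous one, and a failed refresh (`invalid_grant`) means the session is gone and the user has to log in again, not that the client should retry with the same token.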