The Keycloak Extension is the service that provides the identity provider for the Issuer application. It is built from the official Keycloak image plus a custom layer with the logic required by the OpenID4VCI DOME profile technical specification (Issuer-initiated flow).
As a key part of the Credential Issuer solution, the Keycloak extension works together with the following components, all of which are needed to run the Credential Issuer:
- Issuer-UI
- Issuer-API
- Issuer Keycloak Plugin
- Postgres Database
- SMTP Email Server
For each dependency, refer to its repository for detailed setup instructions. A Docker image of this plugin is published on Docker Hub.
Below is an example of how to run the application together with the required services and configuration.
Issuer UI is the user interface for the Credential Issuer. Refer to the Issuer UI Documentation for more information on configuration variables.
Issuer API is the server application of the Credential Issuer. Refer to the Issuer API Documentation for more information on configuration variables.
Besides the standard Keycloak settings, the plugin needs the following custom environment variables:
- ISSUER_API_URL: Issuer API URL as reached from inside the Keycloak container (internal network)
- ISSUER_API_EXTERNAL_URL: Issuer API URL as reached by wallets and browsers (external)
- PRE_AUTH_LIFESPAN: lifetime of the pre-authorized code carried in the Credential Offer
- PRE_AUTH_LIFESPAN_TIME_UNIT: time unit of PRE_AUTH_LIFESPAN (for example MINUTES)
- TX_CODE_SIZE: number of digits of the transaction code (PIN) the user has to enter
- TX_CODE_DESCRIPTION: description message shown at the PIN entry
- TOKEN_EXPIRATION: expiration of the deferred flow, in seconds
```bash
docker run -d \
--name issuer-keycloak \
-e KEYCLOAK_ADMIN=admin \
-e KEYCLOAK_ADMIN_PASSWORD=admin \
-e KC_HOSTNAME_URL=https://localhost:8443 \
-e KC_HOSTNAME_ADMIN_URL=https://localhost:8443 \
-e KC_HTTPS_CLIENT_AUTH=request \
-e KC_DB=postgres \
-e KC_DB_USERNAME=postgres \
-e KC_DB_PASSWORD=postgres \
-e KC_DB_URL=jdbc:postgresql://issuer-keycloak-postgres/cred \
-e ISSUER_API_URL=http://issuer-api:8080 \
-e ISSUER_API_EXTERNAL_URL=http://issuer-api-external.com \
-e PRE_AUTH_LIFESPAN=10 \
-e PRE_AUTH_LIFESPAN_TIME_UNIT=MINUTES \
-e TX_CODE_SIZE=4 \
-e TX_CODE_DESCRIPTION="Enter the PIN code" \
-e TOKEN_EXPIRATION=2592000 \
-p 7001:8080 \
-p 8443:8443 \
in2workspace/issuer-keycloak-plugin:v1.1.0
```
The admin/admin and postgres/postgres credentials and the localhost URLs above are placeholders for a local test. Before exposing the service, replace the passwords and set KC_HOSTNAME_URL and ISSUER_API_EXTERNAL_URL to the public HTTPS names of your deployment, since these are the URLs advertised to wallets.
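The following preflight script is an added example for this README, not code from the issuer-keycloak-plugin project. It checks the variables listed above before the container is started: every variable the docker run example sets must be present, the example passwords (admin, postgres) are refused, the numeric settings must be positive integers, and the advertised URLs are checked for TLS. It then writes an env file for `docker run --env-file`, which keeps the passwords out of the shell history and `ps` output. The accepted values for PRE_AUTH_LIFESPAN_TIME_UNIT are an assumption (java.util.concurrent.TimeUnit names); adjust them to what your plugin version accepts. The file name preflight.sh in the usage comment is also an assumption.

```shell
#!/bin/sh
# Preflight check for the issuer-keycloak container environment.
# Added example for this README; not code from the issuer-keycloak-plugin
# project. Variable names are the ones listed in the README. The accepted
# PRE_AUTH_LIFESPAN_TIME_UNIT values are an assumption (TimeUnit names).

# Every variable the docker run example sets; all are required here.
ISSUER_KC_VARS="KEYCLOAK_ADMIN KEYCLOAK_ADMIN_PASSWORD KC_HOSTNAME_URL \
KC_HOSTNAME_ADMIN_URL KC_HTTPS_CLIENT_AUTH KC_DB KC_DB_USERNAME KC_DB_PASSWORD \
KC_DB_URL ISSUER_API_URL ISSUER_API_EXTERNAL_URL PRE_AUTH_LIFESPAN \
PRE_AUTH_LIFESPAN_TIME_UNIT TX_CODE_SIZE TX_CODE_DESCRIPTION TOKEN_EXPIRATION"

# is_pos_int VALUE: succeeds only for a positive decimal integer
# without leading zeros (so "0", "010", "4a" and "" are rejected).
is_pos_int() {
  case "$1" in
    ''|*[!0-9]*|0*) return 1 ;;
  esac
  return 0
}

# check_issuer_keycloak_env: prints one FAIL/WARN line per finding.
# Returns 1 if any FAIL was found, 0 otherwise (a WARN does not fail it).
check_issuer_keycloak_env() {
  rc=0
  for v in $ISSUER_KC_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "FAIL: $v is not set"; rc=1; }
  done
  # admin/admin and postgres/postgres are the placeholders from the
  # docker run example in the README; refuse to start with them.
  [ "${KEYCLOAK_ADMIN_PASSWORD:-}" != "admin" ] ||
    { echo "FAIL: KEYCLOAK_ADMIN_PASSWORD is the example default"; rc=1; }
  [ "${KC_DB_PASSWORD:-}" != "postgres" ] ||
    { echo "FAIL: KC_DB_PASSWORD is the example default"; rc=1; }
  for v in PRE_AUTH_LIFESPAN TX_CODE_SIZE TOKEN_EXPIRATION; do
    eval "val=\${$v:-}"
    is_pos_int "$val" ||
      { echo "FAIL: $v must be a positive integer (got '$val')"; rc=1; }
  done
  # Assumption: the plugin accepts TimeUnit constant names for the unit.
  case "${PRE_AUTH_LIFESPAN_TIME_UNIT:-}" in
    SECONDS|MINUTES|HOURS|DAYS) ;;
    *) echo "FAIL: PRE_AUTH_LIFESPAN_TIME_UNIT must be SECONDS, MINUTES, HOURS or DAYS"; rc=1 ;;
  esac
  # KC_HOSTNAME_URL is the issuer URL Keycloak advertises in its metadata;
  # wallets must reach it over TLS.
  case "${KC_HOSTNAME_URL:-}" in
    https://*) ;;
    *) echo "FAIL: KC_HOSTNAME_URL must be an https:// URL"; rc=1 ;;
  esac
  case "${ISSUER_API_EXTERNAL_URL:-}" in
    https://*) ;;
    *) echo "WARN: ISSUER_API_EXTERNAL_URL is not https://; acceptable only for local tests" ;;
  esac
  return "$rc"
}

# write_issuer_keycloak_env_file PATH: writes VAR=value lines for
# `docker run --env-file PATH`, so the passwords do not appear in the
# shell history or in `ps` output the way a chain of -e flags does.
write_issuer_keycloak_env_file() {
  : > "$1"
  for v in $ISSUER_KC_VARS; do
    eval "val=\${$v:-}"
    printf '%s=%s\n' "$v" "$val" >> "$1"
  done
  chmod 600 "$1"
}

# Usage (assumed file name preflight.sh), from the shell that runs docker:
#   . ./preflight.sh && check_issuer_keycloak_env &&
#     write_issuer_keycloak_env_file issuer-keycloak.env &&
#     docker run -d --name issuer-keycloak --env-file issuer-keycloak.env \
#       -p 7001:8080 -p 8443:8443 in2workspace/issuer-keycloak-plugin:v1.1.0
```

Run it against the example values from the docker run command above and it refuses to continue because of the two placeholder passwords; once those are replaced it passes and only warns that ISSUER_API_EXTERNAL_URL is plain HTTP.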
You can find more information about these settings in the official Keycloak documentation.
Postgres is used as the database for Keycloak. You can find more information in the official documentation.
```bash
docker run -d \
--name issuer-keycloak-postgres \
-e POSTGRES_DB=cred \
-e POSTGRES_USER=postgres \
-e POSTGRES_PASSWORD=postgres \
-p 5433:5432 \
-v postgres_data:/var/lib/postgresql/data \
postgres:16.3
```
Ensure the volume postgres_data exists before running the Postgres container:
```bash
docker volume create postgres_data
```
An SMTP email server of your choice. It must support STARTTLS so that the connection is encrypted. Refer to the Issuer API Documentation for more information.
If you want to contribute to this project, please read the CONTRIBUTING.md file.
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
This project is currently in development.
For any inquiries or further information, feel free to reach out to us:
- Email: In2 Dome Support
- Name: IN2, Ingeniería de la Información
- Website: https://in2.es
This project is part of the IN2 strategic R&D, which has received funding from the DOME project within the European Union’s Horizon Europe Research and Innovation programme under the Grant Agreement No 101084071.