OBP Keycloak Provider

Keycloak User Storage SPI that authenticates users via the OBP REST API instead of direct database access. No JDBC drivers, no SQL views — authentication delegates entirely to OBP endpoints.

How it works

On first request the provider obtains an admin Direct Login token via POST /obp/v6.0.0/my/logins/direct
User lookup: GET /obp/v6.0.0/users/provider/{PROVIDER}/username/{USERNAME}
Credential verification: POST /obp/v6.0.0/users/verify-credentials (username + password + provider)
Only users whose OBP provider field matches OBP_AUTHUSER_PROVIDER are accepted

Required roles on the OBP admin account: CanGetAnyUser, CanVerifyUserCredentials, CanGetOidcClient

Requirements

Git 2.2.1 or later
Docker Engine or Docker Desktop 1.9 or later
Maven 3.8.5 or later
Java 17 or later

Quick Start

Copy and configure environment variables:
```
cp env.sample .env
nano .env
```

Deploy locally:

./development/run-local-postgres-cicd.sh
# or with OBP themes:
./development/run-local-postgres-cicd.sh --themed

Key Environment Variables

Variable	Description
OBP API
`OBP_API_URL`	Base URL of the OBP API instance (e.g. `http://localhost:8080`)
`OBP_API_USERNAME`	OBP admin username (must hold required roles)
`OBP_API_PASSWORD`	OBP admin password
`OBP_API_CONSUMER_KEY`	Consumer key registered in OBP for Direct Login
`OBP_AUTHUSER_PROVIDER`	Mandatory — only users with this provider value are authenticated
Keycloak Admin
`KEYCLOAK_ADMIN`	Keycloak admin username (default: `admin`)
`KEYCLOAK_ADMIN_PASSWORD`	Keycloak admin password (default: `admin`)
Keycloak Database
`KC_DB_URL`	Keycloak's internal PostgreSQL JDBC URL
`KC_DB_USERNAME`	Keycloak database user (default: `keycloak`)
`KC_DB_PASSWORD`	Keycloak database password
Ports
`KEYCLOAK_HTTP_PORT`	HTTP port (default: `7787`)
`KEYCLOAK_HTTPS_PORT`	HTTPS port (default: `8443`)
`KEYCLOAK_MGMT_PORT`	Management/health port (default: `9000`)

See env.sample for the full reference.

Provider Features

✅ User lookup and authentication via OBP REST API
✅ Password verification delegated to OBP (verify-credentials)
✅ Provider-based user filtering (OBP_AUTHUSER_PROVIDER)
✅ Admin token caching with automatic refresh on expiry
🔴 User creation / update / deletion — read-only by design (manage users in OBP)

Login to Keycloak

After deploying, open https://localhost:8443.

Default admin credentials:

user: admin
pass: admin

Click the User federation tab — obp-keycloak-provider will be listed.

Documentation

env.sample — full environment variable reference
docs/CICD_DEPLOYMENT.md — CI/CD deployment guide
development/README.md — development scripts documentation

Name		Name	Last commit message	Last commit date
Latest commit History 149 Commits
.github		.github
META-INF		META-INF
database		database
development		development
docs		docs
src/main		src/main
themes		themes
.dockerignore		.dockerignore
.env.docker.example		.env.docker.example
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
env.sample		env.sample
pom.xml		pom.xml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

OBP Keycloak Provider

How it works

Requirements

Quick Start

Key Environment Variables

Provider Features

Login to Keycloak

Documentation

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Languages

License

OpenBankProject/OBP-Keycloak-Provider

Folders and files

Latest commit

History

Repository files navigation

OBP Keycloak Provider

How it works

Requirements

Quick Start

Key Environment Variables

Provider Features

Login to Keycloak

Documentation

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages