This article shows how to configure OIDC SSO for the LGF Operator Console using Keycloak, and how to enable role-based access control (RBAC) via Keycloak group membership.

Overview

The Operator Console supports the roles:

  • Observer — read-only actions
  • Operator — operational actions
  • Admin — destructive/administrative actions

With OIDC enabled, users sign in through Keycloak and the Operator Console assigns a role based on the user’s groups claim.

Prerequisites

  • Keycloak admin access for the target realm
  • Network reachability from the Operator Console host to Keycloak
  • The Operator Console hostname (or IP) reachable by operators

Keycloak: Create the OIDC Client

  1. In Keycloak, go to Clients.
  2. Click Create client.
  3. Client type: OpenID Connect.
  4. Set Client ID (example: lgf-oc-001).
  5. Save.

In the client settings:

  • Set Client authentication to On (confidential client).
  • Ensure Standard flow is On.
  • Ensure Valid redirect URIs includes:
https://<operator-console-host>/oidc_callback.php
http://<operator-console-host>/oidc_callback.php

Tip: you can copy the redirect URI from the Operator Console Settings → OIDC Authentication section.

Keycloak: Copy the Client Secret

  1. Open the client you created.
  2. Go to Credentials.
  3. Copy the Client secret.

Keycloak: Create RBAC Groups

Create groups for role assignment. A common default is:

  • LGF-OC-Observers
  • LGF-OC-Operators
  • LGF-OC-Admins

Then add users to the appropriate groups.

Keycloak: Add Groups to the Access Token (Required)

This step is the most common cause of “everyone becomes Observer”. The Operator Console reads group membership from the token claim named groups by default. Keycloak must be configured to actually include that claim in the access token.

  1. Go to Client scopes (or Clients → your client → Client scopes).
  2. Add a mapper: Group Membership.
  3. Set Token Claim Name to groups.
  4. Enable Add to access token.
  5. (Recommended) Disable “Full group path” if you want plain names like LGF-OC-Admins.
  6. Save.

Operator Console: Configure OIDC

  1. Open Operator Console → Settings.
  2. Expand OIDC Authentication (SSO).
  3. Fill:
  • Issuer URL: https://<keycloak-host>/realms/<realm>
  • Client ID: your Keycloak client ID
  • Client Secret: paste the client secret
  • Groups Claim: groups (default)

Validation buttons:

  • Validate Discovery confirms the issuer’s discovery document is reachable.
  • Test Client Secret confirms the secret is correct.
  • Search Groups allows you to pick the RBAC groups without copy/pasting names.

Operator Console: Assign RBAC Groups

In OIDC Authentication, assign groups for each role:

  • Observer Group (optional)
  • Operator Group
  • Admin Group

Then click Save OIDC Settings.

Verify RBAC Is Working

  1. Log out of the Operator Console.
  2. Log back in using Sign in with SSO.
  3. Open /oidc_debug.php on the Operator Console host and confirm:
  • groups_count is greater than 0
  • groups contains your expected group
  • role matches the intended RBAC role

Troubleshooting

  • Everyone becomes Observer: Keycloak is not including groups in the access token. Ensure the Group Membership mapper exists and has Add to access token enabled.
  • JWT audience mismatch: Ensure you are using the correct issuer/realm and client.
  • Token exchange unauthorized_client: Client secret is wrong or client authentication is off.