# Keycloak

Here follows some MedCo-specific instructions for the administration of Keycloak. For anything else, please refer to the [Keycloak Server Administration Guide](https://www.keycloak.org/docs/latest/server_admin/index.html). Those instructions do not necessarily need to be all followed for all deployments, refer to the deployment guide to know which ones are important.

{% hint style="danger" %}
For a production deployment, it is crucial to change the default keys and credentials.
{% endhint %}

## Accessing the web administration interface

You can access the Keycloak administration interface at `http(s)://<node domain name>/auth/admin`. For example if MedCo is deployed on your local host, you can access it at `http://localhost/auth/admin`. Use the admin default credentials if you had just deployed MedCo.

## User Management

### Default users

The default configuration shipped with the MedCo deployments come with several users.

#### Admin user

The default admin credentials has all the admin access to Keycloak, but no access rights to MedCo. Its credentials are :

* User `keycloak`
* Password `keycloak` (unless configured otherwise through the `.env` file)

#### Test users

They all have the password `test` and have different authorizations that are obvious from their names.

* User `test`: this user has all the authorizations to run all types of MedCo explore queries. it will default to the highest authorization being `patient_list`.
* User `test_explore_count_global`
* User `test_explore_count_global_obfuscated`
* User `test_explore_count_per_site`
* User `test_explore_count_per_site_obfuscated`
* User `test_explore_count_per_site_shuffled`
* User `test_explore_count_per_site_shuffled_obfuscated`
* User `test_explore_patient_list`

### **Add a user**

* Go to the configuration panel *Users*, click on *Add user*.
* Fill the *Username* field, toggle to `ON` the *Email Verified* button and click *Save*.
* In the next window, click on *Credentials*, enter twice the user’s password, toggle to `OFF` the *Temporary* button if desired and click *Reset Password*.

### **Give query permissions to a user**

* Go to the configuration panel *Users*, search for the user you want to give authorization to and click on *Edit*.
* Go to the *Role Mappings* tab, and select *medco* (or another client ID set up for the MedCo OIDC client) in the *Client Roles*.
* Add the roles you wish to give the user, each of the roles maps to a query type.

## MedCo Default Settings

### *medco* OpenID Connect client

The default Keycloak configuration provides an example of a fully working configuration for deployments on your local host. In other cases, you will need to modify this configuration.

Access the configuration panel of the MedCo client by going to the *Clients* tab, and click on the *medco* client. Then, in the *Settings* tab, fill *Valid Redirect URIs* to reflect the following table (you can delete the existing entries):

| Deployment Profile            | Valid Redirect URIs              |
| ----------------------------- | -------------------------------- |
| *test-local-3nodes*           | `http(s)://<node domain name>/*` |
| *test-network + prod-network* | `https://<node domain name>/*`   |
| *dev-local-3nodes*            | `http://localhost:4200/*`        |

In the same tab, fill *Web Origins* with `+` and save.

## Securing a production deployment

### Changing default passwords

Both `keycloak` and `test` users comes with default passwords. For a production deployment they need to be changed:

* Go to the configuration panel *Users*, click on *View all users*.
* For each of the users you want to change the password of:
  * Click on *Edit*, then go the *Credentials* tab.
  * Enter the new password of the user
  * Optionally toggle to `OFF` the *Temporary* button; if `ON` the user at the next login will need to update his password.
  * Click on *Reset Password*.

### Changing default realm keys

The example configuration comes with default keys. They have to be changed for a network deployment where there are several Keycloak instances.

* Go to the configuration panel *Realm Settings*, then to the *Keys* tab and *Providers* subtab.
* Click on *Add keystore...* and add the three following providers:
  * *aes-generated*
    * *Console Display Name*: `aes-medco`
    * *Priority*: `100`
  * *hmac-generated*
    * *Console Display Name*: `hmac-medco`
    * *Priority*: `100`
* * *rsa-generated*
    * *Console Display Name*: `rsa-medco`
    * *Priority*: `100`
* Finally, delete **all the other key providers** listed that you did not just add. They should be named *xxx-generated*. Note that it is normal if you get logged out during the operation, just log back in and continue the process.

### Enabling brute force detection

* Go to the configuration panel *Realm Settings*, then to the *Security Defenses* tab and *Brute Force Detection* subtab.
* Toggle to `ON` the *Enabled* button.
* Fill the following:
  * *Max Login Failures*: `3`
  * *Wait Increment*: `30 Seconds`
  * *Save* the configuration.

##