
Keycloak Integration with Altcraft

Access to Altcraft can be provided via the Keycloak centralized authentication system. This lets you use a single user and access management service for signing in to the platform, with groups and roles assigned according to the configuration in Keycloak.

Keycloak supports modern authentication and authorization protocols (OpenID Connect, OAuth 2.0, SAML) and provides centralized management of user accounts, groups, and access permissions.

Keycloak Installation

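Install Keycloak. For a quick start, you can use the official Docker image. The commands below run Keycloak in development mode (start-dev) with the bootstrap administrator credentials admin/admin, which suits a test setup only.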

Option 1. Running a container

docker run -p 8080:8080 \
-e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
-e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
-v keycloak_data:/opt/keycloak/data \
quay.io/keycloak/keycloak:26.0.6 start-dev

Option 2. Creating a container

docker create --name keycloak \
-p 8080:8080 \
-e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
-e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
-e KC_LOG_LEVEL=DEBUG \
-e KC_LOG_LEVEL_ORG_KEYCLOAK_PROTOCOL_OIDC=TRACE \
-v keycloak_data:/opt/keycloak/data \
quay.io/keycloak/keycloak:26.0.6 start-dev

docker start keycloak   # docker create only creates the container; this starts it

The Keycloak administrative console is available at the following addresses:

http://localhost:8080 (locally)

http://10.200.0.100:8080 (via VM IP address)

Realm Configuration

Create a new realm named oauth_app.

For isolated testing, enable user registration. In Realm Settings → Login, enable the User Registration parameter to allow user self-registration.

Create a user via the realm account page: http://localhost:8080/realms/oauth_app/account

Client Configuration

Altcraft uses two separate clients:

altcraft_admin — administrator panel

altcraft_platform — platform

Create a client with the following parameters:

  • Client ID: altcraft_admin or altcraft_platform

  • Client Protocol: openid-connect


  • Enable the Client authentication parameter.

Configure the dependent fields accordingly (for the platform client, use the platform domain).

Roles and Groups

The following role types are available in Keycloak:

  • Realm Roles — global roles within the realm

  • Client Roles — roles associated with a specific client (not used in the current integration)

  • Composite Roles — roles that include other roles (not used in the current integration)

  • Default Roles — roles automatically assigned to new users

Assign roles to a user:

Option 1. Using Realm Roles

  1. Create a role in the Realm Roles section.

  2. Open the user.

  3. In the Role mapping section, select Realm roles in the Filter by clients parameter and assign the required role to the user.

Option 2. Using Groups

  1. Create a group.

  2. Assign a Realm Role to the group.

  3. Add the user to the group.

Client Scopes

Altcraft requires the groups parameter to be present in the token. This parameter is used to determine whether a user has access to the platform or the administrator panel.


To add this parameter to the token, it is recommended to use the predefined dedicated client scope (<client-name>-dedicated) and add a mapper to it that passes the user’s groups.


User Attributes

An attribute is created (or imported) at the realm level in Realm Settings → User profile → Attributes. An attribute has the following parameters:

  • Attribute (Name) — the technical name of the attribute. Used in code, tokens, and APIs. Must be unique within the realm;

  • Display name — the human-readable name of the attribute (optional);

  • Multivalued — enables support for multiple values;

  • Attribute group — the group used to display the attribute in the UI (for example, Contact, Personal Info);

  • Who can edit / Who can view — defines which user categories are allowed to view and modify the attribute value;

  • Validations — a set of rules for validating the attribute value when saving data;

  • Annotations — arbitrary metadata.

After creating a user attribute, it must be added to a client scope so that its value is included in the token. To do this, in the Client Scopes section, select an existing scope used by the client and enable the Include in token scope parameter.

To pass the attribute value into the token, add a mapper with the following parameters:

  • Mapper type: User Attribute — maps a custom user attribute into tokens;

  • Name — a unique mapper name in the configuration;

  • User Attribute — the attribute key from the user profile (for example, "phone", "department");

  • Token Claim Name — the name of the claim in the JWT token where the attribute value will be placed;

  • Claim JSON Type — the data type of the value in the token (String, int, boolean, JSON);

  • Add to ID token: On — include the attribute in the ID token (for client applications);

  • Add to access token: On — include the attribute in the access token (for backend APIs);

  • Add to userinfo: On — include the attribute in the /userinfo endpoint response;

  • Add to token introspection: On — include the attribute in the token introspection response;

  • Multivalued: Off — the attribute contains a single value, not an array;

  • Aggregate attribute values: Off — do not aggregate values from multiple sources.

Configuring Keycloak Access in the Administrator Panel

Configuring access via Keycloak in Altcraft is performed similarly to configuring access via LDAP and is done from the administrator panel.

To configure access, log in to the Altcraft Administrator Panel and navigate to Account Area → Auth Connectors. In this section, create a new authentication connector with the Keycloak type.

When creating the connector, specify the following parameters: connector name, Keycloak host and port, realm name, client identifier (Client ID), and Client Secret. These values must match the settings of the client previously created in Keycloak.

After saving the connector, it becomes available for selection in the account settings and can be used for user authentication via Keycloak.

User Authorization Flow via Keycloak

User authorization via Keycloak in Altcraft is implemented using the standard OIDC redirect flow.

When signing in, the user enters their login in the Altcraft authentication form. At this stage, the platform determines which authentication type is associated with the user’s account (local, LDAP, or Keycloak). If a Keycloak connector is configured and active for the account, the user is automatically redirected to the Keycloak login page.

On the Keycloak side, the user enters their credentials and completes authentication. After successful verification, Keycloak redirects the user back to Altcraft with authentication tokens.

Altcraft validates the received token, extracts the user’s groups and attributes, and determines access rights to the platform or the administrator panel based on this data. If validation is successful, the user is granted access to the system with the appropriate roles and groups.
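
A configuration check for the mappers described under Client Scopes and User Attributes, and for the claims the validation step above depends on, as an added example (not Altcraft or Keycloak code): it decodes a token's payload and lists missing or unexpected claims. The issuer URL (local quick-start address), the azp check, and the sample claim names are assumptions for illustration; the signature is not verified here, so this is a diagnostic and not an access check.

```python
import base64
import json
import time

# Realm and client names are from this page; the issuer assumes the local quick-start address.
EXPECTED_ISSUER = "http://localhost:8080/realms/oauth_app"
KNOWN_CLIENTS = ("altcraft_admin", "altcraft_platform")


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a Python object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_token_claims(token, required_attrs=(), now=None):
    """List mapper/configuration problems. The signature is NOT verified here."""
    now = time.time() if now is None else now
    parts = token.split(".")
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except (ValueError, IndexError):  # bad base64, bad JSON, or too few segments
        return ["not a decodable compact JWT"]
    if len(parts) != 3 or not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["not a decodable compact JWT"]
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("token is unsigned (alg=none)")
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"unexpected issuer: {claims.get('iss')!r}")
    if claims.get("azp") not in KNOWN_CLIENTS:
        problems.append(f"unexpected client (azp): {claims.get('azp')!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    groups = claims.get("groups")
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        problems.append("groups claim missing or not a list of strings")
    for attr in required_attrs:  # top-level Token Claim Names set in the mappers
        if attr not in claims:
            problems.append(f"attribute claim {attr!r} missing (check its mapper)")
    return problems


def make_sample_token(claims, alg="RS256"):
    """Build a constructed token with a dummy signature, for this demo only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": alg, "typ": "JWT"}) + "." + enc(claims) + ".c2ln"
```

An empty list means every claim checked is present and as expected; each returned string names one problem to fix in the client scope or mapper configuration.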

Last updated on Mar 25, 2026
© 2015 - 2026 Altcraft, LLC. All rights reserved.