OpenID Connect - JWT

@brocaar Do you have more information on which properties the JWT has to have?
Looking at a jwt from “developer-tools”

{
  "aud": "chirpstack-application-server",
  "exp": 1601468480,
  "id": 1,
  "iss": "chirpstack-application-server",
  "nbf": 1601382080,
  "sub": "user",
  "username": "admin@example.com"
}

I would like to set up https://www.keycloak.org/ as an SSO solution and would make any scripts to configure clients, client scopes, roles and so on available to the community. (Probably end of the year)

The OpenID Connect integration exchanges the identity of a user (it uses the validated email as identifier, which is provided by Keycloak, and matches this with a user in the ChirpStack database). There is no need to create your own JWT.
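
The matching described in the reply above, sketched as an added example (not part of the original post and not ChirpStack's own code). It assumes the ID token signature has already been verified by an OIDC library and that the provider sends the standard `email` and `email_verified` claims; the issuer URL, client id, user table and function names are hypothetical.

```python
import time

class IdentityError(Exception):
    """Raised when the provider's claims must not be mapped to a local user."""

# Constructed stand-in for the local user table, keyed by email.
LOCAL_USERS = {"admin@example.com": {"id": 1, "username": "admin@example.com"}}

def check_token_claims(claims, issuer, client_id, now=None, leeway=30):
    """Check iss/aud/exp/nbf of an ID token whose signature is already verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise IdentityError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if client_id not in audiences:
        raise IdentityError("token not issued for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IdentityError("token expired or exp missing")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway:
        raise IdentityError("token not yet valid")

def match_local_user(claims, users):
    """Return the local user whose email equals the provider-verified email."""
    email = claims.get("email")
    if not isinstance(email, str) or not email:
        raise IdentityError("no email claim")
    # Strict identity check: the string "false" would be truthy in Python.
    if claims.get("email_verified") is not True:
        raise IdentityError("email not verified by the provider")
    user = users.get(email)
    if user is None:
        raise IdentityError("no local user with this email")
    return user

def login(claims, issuer, client_id, users=LOCAL_USERS, now=None):
    """Validate the token claims first, then map the identity to a local user."""
    check_token_claims(claims, issuer, client_id, now)
    return match_local_user(claims, users)

# Constructed ID token claims for a hypothetical Keycloak realm.
SAMPLE_ISSUER = "https://keycloak.example.com/realms/demo"
SAMPLE_CLAIMS = {"iss": SAMPLE_ISSUER, "aud": "chirpstack", "exp": 1601468480,
                 "nbf": 1601382080, "email": "admin@example.com", "email_verified": True}
```

An unverified email is rejected before any lookup, so an account created at the provider with someone else's address cannot be mapped to that person's local user.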

Ahhh. Thank you. I might need to open a feature request maybe.
I would like to map the users/groups in Keycloak with orgs and users in the app-server. I don't know if the JWT would need another claim for that. There might be some performance issues if the JWT gets too big, but I think for most use cases it would do. We could re-use that JWT as a user in MQTT for example and give access to topics. :)

You need to create an OpenID client in Keycloak and configure ChirpStack to talk to this client.