
# Auth code flow of Keycloak | Official Documentation

> Implement Keycloak’s Authorization Code Flow for backend-based secure logins using token exchange, identity claims, and session control.

# Auth Code Flow

### Step 1: Create OpenMetadata as a new Client

* Click on `Clients` in the menu.
* Click the `Create Client` button.
* Select the `Client type`.
* Enter the `Client ID`.
* Enter the `Name` and `Description` (optional).
* Click the `Next` button.

<img src="https://mintcdn.com/openmetadata/4v9U2L_k1HcJVnXe/public/images/deployment/security/keycloak/keycloak-step-3.png?fit=max&auto=format&n=4v9U2L_k1HcJVnXe&q=85&s=42fcd94e9d8f8aae122450d8b488d3b0" alt="add-client" width="2360" height="2022" data-path="public/images/deployment/security/keycloak/keycloak-step-3.png" />

### Step 2: Edit Configs of the client

* Enable `Client authentication` and `Authorization`.
* Select `Standard flow` as an `Authentication flow`.
* Click `Next`.

<img src="https://mintcdn.com/openmetadata/4v9U2L_k1HcJVnXe/public/images/deployment/security/keycloak/keycloak-step-4.png?fit=max&auto=format&n=4v9U2L_k1HcJVnXe&q=85&s=6bf3f6f87c2e8b41cef81cbd4ea52a6a" alt="compatibility configs" width="2360" height="2022" data-path="public/images/deployment/security/keycloak/keycloak-step-4.png" />

### Step 3: Add Login Settings

* Fill in the required options.

<img src="https://mintcdn.com/openmetadata/4v9U2L_k1HcJVnXe/public/images/deployment/security/keycloak/keycloak-step-5.png?fit=max&auto=format&n=4v9U2L_k1HcJVnXe&q=85&s=49e025c77312a394182b3ac7e2d9600a" alt="edit-settings-url.png" width="2360" height="2022" data-path="public/images/deployment/security/keycloak/keycloak-step-5.png" />

* Click the `Save` button.

<Tip>
  Note: The scopes `openid`, `email` and `profile` are required to fetch the user details, so you must add them to your client.
</Tip>

### Step 4: Where to Find the Credentials

* Navigate to the `Credentials` tab.
* You will find the `Client Secret` for the Client ID "open-metadata" there.

<img src="https://mintcdn.com/openmetadata/4v9U2L_k1HcJVnXe/public/images/deployment/security/keycloak/keycloak-step-6.png?fit=max&auto=format&n=4v9U2L_k1HcJVnXe&q=85&s=7e8dd07cba39db373b16d9f11114ff2a" alt="client-credentials" width="2086" height="1028" data-path="public/images/deployment/security/keycloak/keycloak-step-6.png" />
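The settings chosen in Steps 1 to 3 can be verified offline by exporting the client as JSON and checking it against the values above. This is an added example, not part of the OpenMetadata documentation; it assumes the standard Keycloak client export field names (`publicClient`, `standardFlowEnabled`, `authorizationServicesEnabled`, `redirectUris`, `defaultClientScopes`, `optionalClientScopes`), and the sample export and its URL are constructed.

```python
import json

# Constructed sample: a trimmed Keycloak client export (ClientRepresentation JSON).
# All values, including the URL, are made up for this example.
SAMPLE_EXPORT = """
{
  "clientId": "open-metadata",
  "publicClient": false,
  "standardFlowEnabled": true,
  "authorizationServicesEnabled": true,
  "redirectUris": ["https://openmetadata.example.com/callback"],
  "defaultClientScopes": ["email", "profile", "roles"]
}
"""

def check_client(rep):
    """Return a list of findings; an empty list means the export matches Steps 1-3."""
    findings = []
    # Step 2: `Client authentication` on means a confidential (non-public) client.
    if rep.get("publicClient", False):
        findings.append("Client authentication is off (publicClient=true)")
    # Step 2: `Authorization` must be enabled.
    if not rep.get("authorizationServicesEnabled", False):
        findings.append("Authorization is not enabled")
    # Step 2: `Standard flow` is the authorization code flow.
    if not rep.get("standardFlowEnabled", False):
        findings.append("Standard flow is not enabled")
    # Step 3: the code flow needs at least one redirect URI to return to.
    uris = rep.get("redirectUris") or []
    if not uris:
        findings.append("no redirect URI configured")
    # Extra check, not from the page: a bare wildcard accepts any redirect target.
    if "*" in uris:
        findings.append("redirect URI is a bare wildcard '*'")
    # Tip: scopes needed for user details. Assumption: `openid` is sent in the
    # login request and is not stored as a client scope, so it is not checked.
    scopes = set(rep.get("defaultClientScopes", [])) | set(rep.get("optionalClientScopes", []))
    for needed in ("email", "profile"):
        if needed not in scopes:
            findings.append(f"scope '{needed}' is not assigned to the client")
    return findings

if __name__ == "__main__":
    for line in check_client(json.loads(SAMPLE_EXPORT)) or ["client matches the steps above"]:
        print(line)
```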

After applying these steps, the users in your realm can log in to OpenMetadata. As a suggestion, create a user called "admin-user". Now you can update the configuration of your deployment:

<CardGroup cols={3}>
  <Card title="Docker Security" href="/v1.13.x/deployment/security/keycloak/docker">
    Configure Keycloak SSO for your Docker Deployment.
  </Card>

  <Card title="Bare Metal Security" href="/v1.13.x/deployment/security/keycloak/bare-metal">
    Configure Keycloak SSO for your Bare Metal Deployment.
  </Card>

  <Card title="Kubernetes Security" href="/v1.13.x/deployment/security/keycloak/kubernetes">
    Configure Keycloak SSO for your Kubernetes Deployment.
  </Card>
</CardGroup>

<CardGroup cols={1}>
  <Card title="Keycloak" href="/v1.13.x/deployment/security/keycloak">
    Go to Keycloak Configuration
  </Card>
</CardGroup>
