Identity
Learn about how we manage authentication and identity in our platform using Keycloak.
Keycloak
We use Keycloak as the central identity provider (IdP) for authentication and authorization. It enables Single Sign-On (SSO) and secure access to our applications.
Key concepts
- OIDC (OpenID Connect) – Keycloak acts as the OIDC provider for all frontend and backend services.
- Single Sign-On – Users log in once and gain access to all connected applications.
- Access & Refresh Tokens – Access tokens are used to authenticate API requests, while refresh tokens allow session renewal.
Frontend integration
In our SPA (React), we use:
- keycloak-js – for native browser communication with Keycloak.
- @react-keycloak/web – for React-specific context and hooks.
This allows us to:
- Protect routes and redirect unauthenticated users.
- Attach tokens to HTTP requests via custom axios instances.
- Automatically refresh tokens before expiration.
Token handling
Authentication tokens are injected into every request using a custom Axios instance (useSecureAxios).
We also implement the following interceptors:
- Token expiration interceptor – Automatically refreshes the token if it's close to expiring.
- Language interceptor – Adds language headers based on user preferences.
- Status code interceptor – Handles HTTP errors (e.g. triggers logout on 401).
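The three interceptors above, written out as an added example rather than the project's useSecureAxios code. The function names are assumptions; the keycloak-js members used (token, tokenParsed.exp, updateToken(minValidity), logout()) and the axios interceptor shapes (a request interceptor that returns the config, a response error interceptor that re-throws) are the real APIs. A constructed stand-in for the keycloak-js adapter replaces the browser, so the block runs offline:

```javascript
// Added example, not the project's own code: axios-compatible interceptors
// around a keycloak-js adapter. Only the keycloak-js members token,
// tokenParsed.exp, updateToken() and logout() and the axios interceptor
// shapes are real; every other name here is an illustrative assumption.

// Remaining lifetime (seconds) below which the token is refreshed proactively.
const MIN_VALIDITY_SECONDS = 30;

// Pure check: does the token expire within `minValidity` seconds of `nowSeconds`?
// A missing or malformed token is treated as expired so the caller refreshes.
function needsRefresh(tokenParsed, nowSeconds, minValidity = MIN_VALIDITY_SECONDS) {
  if (!tokenParsed || typeof tokenParsed.exp !== 'number') return true;
  return tokenParsed.exp - nowSeconds < minValidity;
}

// Copy of the axios request config with the bearer token attached.
function withAuthHeader(config, token) {
  return { ...config, headers: { ...(config.headers || {}), Authorization: `Bearer ${token}` } };
}

// Copy of the config carrying the user's preferred language.
function withLanguageHeader(config, locale) {
  return { ...config, headers: { ...(config.headers || {}), 'Accept-Language': locale } };
}

// A failed response with HTTP 401 means the session is no longer valid.
function isUnauthorized(error) {
  return Boolean(error && error.response && error.response.status === 401);
}

// Token expiration + language interceptor. Register with
//   instance.interceptors.request.use(createRequestInterceptor(keycloak, getLocale));
// `now` is injectable so the refresh decision can be tested without a real clock.
function createRequestInterceptor(keycloak, getLocale, now = () => Math.floor(Date.now() / 1000)) {
  return async function onRequest(config) {
    if (needsRefresh(keycloak.tokenParsed, now(), MIN_VALIDITY_SECONDS)) {
      // keycloak-js updateToken(minValidity) resolves true when a new token was obtained.
      await keycloak.updateToken(MIN_VALIDITY_SECONDS);
    }
    return withLanguageHeader(withAuthHeader(config, keycloak.token), getLocale());
  };
}

// Status code interceptor. Register with
//   instance.interceptors.response.use((r) => r, createResponseErrorInterceptor(keycloak));
// On 401 the SSO session is ended; the error is re-thrown so the caller still sees the failure.
function createResponseErrorInterceptor(keycloak) {
  return async function onError(error) {
    if (isUnauthorized(error)) {
      await keycloak.logout();
    }
    throw error;
  };
}

// Constructed stand-in for the keycloak-js adapter (no network, no browser).
function makeFakeKeycloak(expSeconds) {
  return {
    token: 'old-token',
    tokenParsed: { exp: expSeconds },
    refreshed: 0,
    loggedOut: false,
    async updateToken() {
      this.refreshed += 1;
      this.token = 'new-token';
      this.tokenParsed = { exp: expSeconds + 300 };
      return true;
    },
    async logout() { this.loggedOut = true; },
  };
}

// Run both interceptors over a constructed request and a constructed 401 response.
async function demo() {
  const now = 1700000000;                        // constructed clock value
  const kc = makeFakeKeycloak(now + 10);         // expires in 10 s: below MIN_VALIDITY_SECONDS
  const onRequest = createRequestInterceptor(kc, () => 'de-CH', () => now);
  const config = await onRequest({ url: '/api/me', headers: {} });

  const onError = createResponseErrorInterceptor(kc);
  let rethrown = false;
  try {
    await onError({ response: { status: 401 } });
  } catch (e) {
    rethrown = true;
  }
  return {
    refreshed: kc.refreshed,
    auth: config.headers.Authorization,
    lang: config.headers['Accept-Language'],
    loggedOut: kc.loggedOut,
    rethrown,
  };
}

demo().then((result) => console.log(result));
```

The refresh decision is kept in a pure function (needsRefresh) so the 30-second margin can be unit-tested without keycloak-js or a clock; in the browser, keycloak-js' own isTokenExpired(minValidity) makes the same decision. Note that a 401 is handled only on the response path: a request that fails before reaching the API (network error, no response object) does not log the user out.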
Logout
Logging out from one application will propagate across all clients using the same Keycloak realm (SSO logout).
More advanced access control (roles, groups, scopes) is managed directly in the Keycloak admin panel.