Keycloak Configuration
The Keycloak-related configuration required for the IVR is mostly bootstrapped automatically and doesn't require any manual operations. But this document explains how the system works, and what is the required setup if anything goes wrong and manual intervention is required.
Setup
For IVR to function, two dedicated clients are required on Keycloak: ivr-service and ivr-voting.
The former is used by the IVR handler to perform voter-independent tasks, such as reading the IVR auth
configuration or checking the blacklist.
The latter is used as a proxy client to authenticate as the voter through IVR-sourced credentials, such as voter id and
pin.
Both clients should be created in IVR-enabled election event realms and configured as described below.
Service Client (ivr-service)
Service client is a service account for IVR internal use. It doesn't have a special client ID, but it is named
ivr-service by default.
Its client ID and secret are configured on the IVR handler during deployment. If either changes, another deployment is required. Because a single deployment can serve multiple election events, all realms should have the same client id and secret.
Required Configuration:
- Auth config:
ivr-config-readrealm role must be assigned for reading the IVR auth steps configuration. - Blacklisting: The
ivr-serviceservice account user must havetenant-idattribute set, andphone-blacklist-readrealm role assigned. - Auth method:
Service account rolesauth flow should be enabled,Client IDandClient Secretcredentials should be acquired for deployment.
Voting Client (ivr-voting)
Voting client is a dedicated, well-known client with ID ivr-voting for authenticating as the voter. The specific
client ID is used by auth mechanisms and for optional auth flow override.
- Auth method:
Direct access grantsauth flow should be enabled,Client IDandClient Secretcredentials should be acquired for deployment.