Authorization Keycloak


I’m logging into Squidex with Keycloak and it works fine, but now I need to give the user admin privileges. How can I do that in Keycloak? With roles, with authorization …?


You have to add permissions as urn:squidex:permissions client.

Here is a list of all permissions:

Hi Sebastian!
First of all, thanks for your answer, but can you be more specific?

Can you give me more info?

I have this configuration:

Are you referring to the resources tab?

No, you have to go to your user and then to claims.

Can you show me an example, please?
I tried this configuration:


You always have to log in and log out again, and you have to tell Keycloak to return this claim (or claim type) for your client.

We can have a Skype session today at 8pm (German time) or Monday.

I logged in and out, I restarted Squidex and Keycloak, and I had the same result.

I am not an expert. But I think you have to create:

  • A scope permission
  • A mapping for this scope to return the urn:squidex:permissions claims.
  • Request the permission scope when you create a token manually.

After doing the configuration I have this token from Keycloak:

"scope": "openid permission profile email",

After logging in to Squidex I have this token:

"nbf": 1567163445,
"exp": 1567167045,
"iss": "http://data.ubi.local/identity-server",
"aud": [
"client_id": "squidex-frontend",
"sub": "5d668fe3109bff00012f6341",
"auth_time": 1567163445,
"idp": "ExternalOidc",
"email": "EMAIL",
"scope": [
"amr": [

Weird thing, don’t you think?
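Added example, not part of the original thread and not Squidex or Keycloak code: a small checker that decodes each token in the login chain and reports at which hop the urn:squidex:permissions claim disappears. The tokens, issuers and the permission value are constructed placeholders, and the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

PERMISSION_CLAIM = "urn:squidex:permissions"  # claim name quoted in the thread

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(payload: dict) -> str:
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(payload)}."

def decode_payload(token: str) -> dict:
    """Decode the payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))

def as_list(value) -> list:
    # Scopes and claims arrive as a space-separated string or a JSON array.
    return value.split() if isinstance(value, str) else list(value or [])

def inspect_token(label: str, token: str, scope: str = "permission") -> dict:
    payload = decode_payload(token)
    return {
        "token": label,
        "issuer": payload.get("iss"),
        "has_scope": scope in as_list(payload.get("scope")),
        "permissions": as_list(payload.get(PERMISSION_CLAIM)),
    }

def first_hop_without_claim(reports: list):
    """Return the label of the first token in the chain lacking the claim."""
    return next((r["token"] for r in reports if not r["permissions"]), None)

# Constructed, unsigned sample tokens; issuers and permission value are placeholders.
KEYCLOAK_TOKEN = make_sample_token({
    "iss": "https://keycloak.example/realms/demo",
    "scope": "openid permission profile email",
    PERMISSION_CLAIM: ["PLACEHOLDER.PERMISSION"],
})
SQUIDEX_TOKEN = make_sample_token({
    "iss": "https://squidex.example/identity-server", "scope": ["openid", "profile"],
})

if __name__ == "__main__":
    chain = [inspect_token("keycloak", KEYCLOAK_TOKEN), inspect_token("squidex", SQUIDEX_TOKEN)]
    print(chain, "claim missing at:", first_hop_without_claim(chain))
```

If the claim is already absent from the Keycloak-issued token, the scope or mapper on the Keycloak side is the place to look; if it is present there but absent after the Squidex login, the claim is being dropped by the second identity server.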

Sorry, I think I made a big mistake.

Keycloak is just like another third-party authentication provider like Google or GitHub. So there are actually 2 identity servers: Keycloak and the integrated identity server.

The permissions themselves are usually handled in Squidex. (Can you check the database?) The first admin should get the admin permissions. I am not sure if you can give the permissions in Keycloak. If it is needed I can have a look, but I am not sure when I have time for that.

I gave the permission directly to the user in Squidex, and it works fine.

I did another test: I created a new user with the permission on Keycloak and then when I did the first login the info passed to Squidex.

But what I want is to be able to manage permissions on Keycloak and sync with Squidex.

As far as I can tell from our conversation, actually it’s not possible, but is it something that you think is feasible to add to the roadmap?

It is feasible and probably a 30min task. I will have a look.

EDIT: I am probably wrong. The problem is that the user is generated in Squidex the first time you log in with Keycloak. I could transfer the claims then, but the next time the user logs in there would be no claims transfer.

This is probably a silly question, but is there any reason not to update the claims on every login?

It is just not implemented like that yet. The idea was / is to keep Authentication in Squidex itself.