Complete Keycloak Configuration Guide for Canton Validator
Warning
This section features solutions shared by community members. While they haven’t been formally tested by the Splice maintainers, users are encouraged to verify the information independently. Contributions to enhance accuracy and completeness are always welcome.
To deploy a validator node with Keycloak authentication, follow these detailed configuration steps. This guide provides comprehensive instructions for setting up Keycloak as your validator’s OIDC provider, including all required customizations for your Canton network deployment.
For additional authentication providers and configuration details, see Configuring Authentication.
Prerequisites
Before proceeding with the configuration, ensure you have:
A running Keycloak instance with administrative access
Admin Console access to your Keycloak deployment
The following hostnames configured:
Validator API base URL:
https://validator-api.your-domain.example/apiWallet UI:
https://wallet.your-domain.exampleCNS UI:
https://cns.your-domain.example
Your assigned
PARTY_HINTidentifier from the Canton network
Realm Configuration
Create the realm for your Canton validator.
Navigate to Admin Console → Manage realms → Create realm.
Set Realm name to
canton(or your environment-specific name).Click Create to initialize the realm.
Configure session settings for offline access and refresh tokens.
Navigate to Realm Settings → Sessions.
Configure the following settings:
Set Offline Session Max Limited to
ONSet Offline Session Max to
5,184,000seconds (60 days; adjust as desired)Set Offline Session Idle Timeout to
2,592,000seconds (30 days; adjust as desired)
Click Save to apply the changes.
Client Scopes Setup
Create the
daml_ledger_apiclient scope.Navigate to Client Scopes → Create.
Configure the basic settings:
Name:
daml_ledger_apiProtocol:
OpenID ConnectType:
DefaultDisplay on consent screen:
OFFInclude in token scope:
OFF
Click Save.
Add the required mappers to
daml_ledger_api:User Client Role mapper:
Navigate to daml_ledger_api → Mappers → Create
Set Mapper Type to
User Client RoleSet Name to
daml_ledger_api_scopeSet Add to access token to
ONSet Add to ID token, Add to userinfo, Add to token introspection, and Multivalued to
OFFClick Save
Audience mapper:
Navigate to daml_ledger_api → Mappers → Create
Set Mapper Type to
AudienceSet Name to
audienceSet Included Custom Audience to
https://canton.network.globalSet Add to access token and Add to token introspection to
ONSet Add to ID token and Add to lightweight access token to
OFFClick Save
Create the
openidclient scope.Navigate to Client Scopes → Create.
Configure the settings:
Name:
openidProtocol:
OpenID ConnectType:
DefaultDisplay on consent screen:
OFFInclude in token scope:
ON
Click Save.
Add the required mappers to
openid:Validator API Audience mapper:
Navigate to openid → Mappers → Create
Set Mapper Type to
AudienceSet Name to
audSet Included Custom Audience to
https://validator-api.your-domain.example/apiSet Add to access token and Add to token introspection to
ONSet Add to ID token and Add to lightweight access token to
OFFClick Save
Subject mapper:
Navigate to openid → Mappers → Create
Set Mapper Type to
Subject (sub)Set Name to
subSet Add to access token and Add to token introspection to
ONSet Add to lightweight access token to
OFFClick Save
Client Configuration
Create the ledger API resource client.
Navigate to Clients → Create client.
Set Client Type to
OpenID Connectand Client ID toledger-api.Click Next.
In Capability config, set all toggles to
OFF.Click Next.
Leave all Login settings fields empty and click Save.
Add the client scope: Navigate to Client scopes → Add client scope → Select
daml_ledger_api→ Add as “Default”.
Create the validator app backend service account client.
Navigate to Clients → Create client.
Set Client Type to
OpenID Connectand Client ID tovalidator-app-backend.Click Next.
In Capability config:
Set Client authentication to
ONSet Service accounts to
ONSet all other options to
OFF
Click Next.
Leave Login settings fields empty and click Save.
Record the credentials:
From the Credentials tab, copy the Client Secret
From the Service account roles tab, click the service account user link
Copy the user ID (UUID) from the browser URL (use as
LEDGER_API_ADMIN_USER)
Add the client scope: Navigate to Client scopes → Add client scope → Select
daml_ledger_api→ Add as “Default”.
Create the wallet web UI public client.
Navigate to Clients → Create client.
Set Client Type to
OpenID Connectand Client ID towallet-web-ui.Click Next.
In Capability config:
Set Standard flow to
ONSet all other options to
OFF
Click Next.
Configure Login settings:
Valid redirect URIs:
https://wallet.your-domain.example/*Valid post logout redirect URIs:
https://wallet.your-domain.exampleWeb origins:
https://wallet.your-domain.example
Click Save.
Configure client scopes:
Add
openidanddaml_ledger_apias “Default”Add
offline_accessas “Optional” (if needed)
Create the CNS UI public client.
Follow the same process as the wallet web UI with these modifications:
Set Client ID to
cns-uiSet Valid redirect URIs to
https://cns.your-domain.example/*Set Valid post logout redirect URIs to
https://cns.your-domain.exampleSet Web origins to
https://cns.your-domain.exampleConfigure the same client scopes as wallet-web-ui
User Management
Create the operator wallet user.
Navigate to Users → Add user.
Configure the user:
Set Username to your exact
PARTY_HINTvalueSet User Enabled to
ON
Click Save.
Set a permanent password: Navigate to Credentials tab → Set password with Temporary set to
OFF.Copy the user ID (UUID) from the browser URL (use as
WALLET_ADMIN_USER).
Important
The username must exactly match your assigned PARTY_HINT identifier from the Canton network.
Application Configuration
Configure your validator application using the following Keycloak-related environment variables:
# Keycloak Realm Endpoints
AUTH_URL=https://your-keycloak-host/realms/canton
AUTH_WELLKNOWN_URL=https://your-keycloak-host/realms/canton/.well-known/openid-configuration
AUTH_JWKS_URL=https://your-keycloak-host/realms/canton/protocol/openid-connect/certs
# Backend Client Credentials
VALIDATOR_AUTH_CLIENT_ID=validator-app-backend
VALIDATOR_AUTH_CLIENT_SECRET=REPLACE_WITH_CLIENT_SECRET
# User Identity UUIDs (from Keycloak Users URLs)
LEDGER_API_ADMIN_USER=REPLACE_WITH_SERVICE_ACCOUNT_USER_UUID
WALLET_ADMIN_USER=REPLACE_WITH_OPERATOR_USER_UUID
# OAuth Scopes and Audiences
LEDGER_API_AUTH_SCOPE=daml_ledger_api
LEDGER_API_AUTH_AUDIENCE=https://canton.network.global
VALIDATOR_AUTH_AUDIENCE=https://validator-api.your-domain.example/api
# UI Client IDs
WALLET_UI_CLIENT_ID=wallet-web-ui
ANS_UI_CLIENT_ID=cns-ui
Validation and Testing
Verify your configuration by testing the backend client credentials flow:
curl -X POST "https://your-keycloak-host/realms/canton/protocol/openid-connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=client_credentials" \ -d "client_id=validator-app-backend" \ -d "client_secret=YOUR_CLIENT_SECRET"
Decode the returned
access_tokenand verify it contains:aud:["https://canton.network.global"]scope:"daml_ledger_api"
Configuration Notes
Note
User Identifiers: Both
LEDGER_API_ADMIN_USERandWALLET_ADMIN_USERmust be UUIDs from Keycloak URLs, not usernamesMapper Configuration: The
daml_ledger_apiscope uses both User Client Role and Audience mappers for comprehensive authorizationToken Audiences: UI tokens contain both standard OpenID Connect claims and your validator API audience
Username Matching: The wallet admin user’s username must exactly match your
PARTY_HINTvalue
Troubleshooting
If you encounter authentication issues:
Verify that all audience mappings are correctly configured
Ensure client scopes are properly assigned as “Default” types
Confirm that user UUIDs are copied from Keycloak URLs rather than using usernames
Check that session timeout values are appropriate for your use case
Comments