Authentication service | On-Premise | Urbi Documentation

Authentication Service

The service is a system implementation of Keycloak. Although Keycloak supports both authentication and authorization, the system currently supports authentication only. Authorization is the granting of rights to use a product or another service; the described service does not grant these rights. Through the administrative interface, it provides the ability to:

  • log into Keycloak with one's own data;
  • register a user;
  • change user data;
  • delete a user.

Note:

For more details about the actions available in the administrative interface, see the instruction Managing user accounts using Keycloak.

Thus, the authentication service serves solely as an identity provider, i.e. the provider of user data. Rights to use a product or a service are granted on the product or service side.

Auth service architecture

Here is an example of the authentication workflow via Keycloak, as used for Urbi On-Premise Pro:

  1. The user logs into Urbi On-Premise Pro.
  2. Urbi On-Premise Pro checks the user's cookies.
  3. If the data in the cookies allows the user to be identified, they gain access to Urbi On-Premise Pro.
  4. If the necessary authentication data is missing from the cookies, Urbi On-Premise Pro sends a request to the authentication service.
  5. The authentication service performs authentication using OpenID Connect.
  6. Upon successful authentication, the user gains access to Urbi On-Premise Pro.
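
The workflow above, sketched from the application's side as an added example (it is not code from Urbi On-Premise or Keycloak). It assumes an HMAC-signed session cookie and the OpenID Connect authorization code flow; the host names, realm, client ID and function names are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholders (assumptions), not Urbi or Keycloak defaults.
KEYCLOAK_BASE = "https://keycloak.example.internal"
REALM = "example-realm"
CLIENT_ID = "example-pro-client"
REDIRECT_URI = "https://pro.example.internal/oidc/callback"
SESSION_KEY = secrets.token_bytes(32)  # cookie-signing secret, kept server-side
SESSION_TTL = 3600  # seconds

def _mac(payload):
    return hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_session_cookie(subject, now=None):
    """Step 6: after a successful OpenID Connect login, set 'subject|expiry|mac'."""
    expiry = int(time.time() if now is None else now) + SESSION_TTL
    payload = f"{subject}|{expiry}"
    return f"{payload}|{_mac(payload)}"

def identify_from_cookie(cookie, now=None):
    """Steps 2-3: return the subject only if the cookie is authentic and unexpired."""
    try:
        subject, expiry, mac = cookie.rsplit("|", 2)
        expected = _mac(f"{subject}|{expiry}")
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None  # forged or modified cookie
        if int(expiry) <= (time.time() if now is None else now):
            return None  # expired session
        return subject
    except (AttributeError, TypeError, ValueError):
        return None  # missing or malformed cookie

def handle_request(cookie):
    """Steps 2-5: admit an identified user, otherwise start OpenID Connect."""
    subject = identify_from_cookie(cookie)
    if subject is not None:
        return {"action": "allow", "subject": subject}
    # state binds the callback to this browser; nonce binds the ID token to this request.
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = urlencode({"response_type": "code", "scope": "openid", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce})
    # Authorization endpoint path of current Keycloak releases; older ones add an /auth prefix.
    location = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{query}"
    return {"action": "redirect", "location": location, "state": state, "nonce": nonce}
```

The returned state and nonce have to be kept with the pending login and compared when Keycloak redirects back. Whether the identified user may use the product is then decided by the product itself, as described above.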

Important Note:

Authentication via Keycloak is used only by 2GIS On-Premise Pro. In Urbi Pro, a different method is used.
