# Keycloak

## Overview

Keycloak serves as the administrative access control module in MOSIP, managing authentication and authorization across its microservices. Since MOSIP is built on a microservice architecture, it relies heavily on OAuth 2.0 tokens for access control. These tokens contain embedded role definitions that determine who can access specific microservice APIs, ensuring secure and granular access control.

### Keycloak's Role in MOSIP

* **Microservice Security** – Each MOSIP microservice validates incoming API requests using OAuth 2.0 tokens issued by Keycloak. If the token lacks the necessary role, access is denied. This mechanism applies universally, even between internal MOSIP modules, ensuring a zero-trust architecture.
* **Data Access Control** – Most sensitive data in MOSIP is encrypted in the database, making APIs the only entry point for accessing information. Keycloak enforces strict authentication and authorization policies, preventing internal attacks and API misuse.
* **Administrative Oversight** – Administrators can monitor and control access permissions centrally via Keycloak, providing visibility into who can access what within the system.
* **User Repository Management** – Keycloak also functions as the internal identity store for critical MOSIP roles, including:
  * **Operators** – Handle citizen registration and data collection.
  * **Supervisors** – Oversee registration processes and ensure compliance.
  * **Adjudicators** – Review and resolve identity conflicts or duplicate registrations.
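The "Microservice Security" check above, as an added example that is not MOSIP's or Keycloak's own code: a service validates the token's signature, issuer and expiry, then looks for the required role in the `realm_access.roles` claim that Keycloak places in its access tokens. Keycloak signs tokens with RS256 and services verify them against the realm's published keys; HS256 with a constructed shared secret, the realm URL and the role names are assumptions here so the example runs offline with the standard library.

```python
import base64, hashlib, hmac, json, time

# Constructed values: a real validator would verify RS256 signatures against the
# realm's JWKS instead of a shared secret, and use the deployment's realm URL.
SECRET = b"constructed-example-secret"
ISSUER = "https://keycloak.example/realms/mosip"  # assumed realm URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(roles, ttl=300, now=None):
    """Mint a constructed Keycloak-shaped access token carrying realm_access.roles."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "iat": now, "exp": now + ttl,
               "realm_access": {"roles": list(roles)}}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authorize(token, required_role, now=None):
    """Return (allowed, reason). Deny on malformed token, bad signature, wrong issuer,
    expiry, or a missing role; an internal caller is treated exactly like an external one."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    roles = claims.get("realm_access", {}).get("roles", [])
    if required_role not in roles:
        return False, f"missing role {required_role}"
    return True, "ok"
```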

By enforcing strict access controls and acting as both an identity provider and an authorization enforcer, Keycloak helps MOSIP maintain high security, scalability, and compliance while protecting against unauthorized access.
