Keycloak Integration

Control Plane uses Keycloak as the identity provider for the Customer Portal (app.groundfloor.cloud) and Operator Admin (admin.groundfloor.cloud). Every /v1/* request carries a Bearer JWT verified against the platform realm.

Flow

User → Keycloak login → access_token (JWT)
     → Customer Portal or API client
     → Authorization: Bearer <token>
     → Control Plane verifies iss + signature
     → sub resolved to internal users.id
     → SpiceDB CheckPermission for the requested action

Principal model

After JWT verification, handlers receive a Principal with:

Control Plane maps sub → internal users.id on each request. Authorization always uses the internal user ID when writing SpiceDB relationships.

Environments

Tenant provisioning

In production, customers typically do not self-serve account creation. Groundfloor operators provision accounts via POST /v1/admin/accounts with an owner email unless ALLOW_CUSTOMER_ACCOUNT_CREATE=true.

On create, Control Plane:

1. Creates or attaches the Keycloak realm user
2. Upserts the Portal users row
3. Grants owner membership on the new account

One human may belong to multiple accounts (same sub, multiple memberships).

API authentication

See API Authentication for headers, error codes, and curl examples.

Related

• ReBAC model — permissions after authentication
• Core concepts — two identity planes
• Shell authentication — JWT in federated apps