Configuration of the Olvid Plugin

The last step is to configure the Olvid Plugin and generate the link Olvid users will use to bind their identity to the Keycloak server. Start by opening the Olvid Management Console by clicking the “Management Console” link from within the Keycloak console.

Here we describe the minimal steps to allow Olvid users to connect. More details about the various functionalities of the Olvid Management Console can be found in the pages under “Using the Management Console” in the left menu.

1. Realms configuration

Start by opening the “Realms Configuration” page from the left menu.

This page lets you configure which realm is used for the console administration and which realms are used by Olvid users:

  • check the “Admin” checkbox in the olvid_admin realm
  • check the “Olvid users” checkbox in the olvid realm
    • for user realms, you must also select the Client to use for authentication: select olvid_cl from the dropdown menu
    • choose the elliptic curve Key you generated previously so that it will be used to sign Olvid user certificates

  • enter https://server.olvid.io for the “Olvid Message Distribution Server”
  • if the public DNS name of your Keycloak server is different from the DNS name you connect to for administration, enter the public DNS name in “Public Keycloak URL”
  • enter the API key that was provided by the Olvid team in “Keycloak API Key”

Be sure to only use such an API key on a single server. If you need to deploy multiple Keycloak servers with different Olvid user realms, please request multiple API keys from the Olvid team, otherwise you will run into issues 😅

  • check the “Revocation Allowed” checkbox if you want to allow users to replace their own Olvid identity on Keycloak after they have set it. This is not usually necessary in production, but can help during tests. If the checkbox is not checked, an administrator will need to manually revoke the user’s previous identity before they can change their identity
  • do not forget to click “Save” and confirm your changes

As soon as some users have bound their Olvid identity to this Keycloak server, changing any of these parameters may require them to completely rebind their identity. You should normally not play with these settings too often!

2. Prometheus metrics

The Olvid Plugin can export usage metrics in the Prometheus format. If this is of interest to you, activate the switch at the top of the page and click “Save”. The link at the top points to the metrics export URL, which does not require authentication. It is recommended to block public access to this URL at your reverse proxy.

Currently the exported metrics are very basic. If a specific metric would be of interest to you, please let the Olvid team know: it will be added in a future release!

3. Test your configuration

Once the configuration is saved, the left menu is updated like this:

  • The admin realm (here olvid_admin) lets you create admin users and assign them roles
  • The user realms (like olvid) have more options:
    • the realm name leads to a dashboard managing users, signing them out or revoking their identity
    • the “Revocation Log” shows a log of all the revocations that took place on the server
    • the “Olvid Groups” page (coming soon) allows defining discussion groups that are directly managed from Keycloak
    • the “Security Settings” page (coming soon) allows forcing certain security settings on Olvid users

For now, click on “olvid” to access the dashboard: this is where you will find the link you should distribute to Olvid users.

Click the blue “link” icon to open the configuration page. The URL should be something like this:

https://configuration.olvid.io/#eyJzZXJ2ZXIi [….] UwZjUyNiIsImNpZCI6Im9sdmlkX2NsIn19

That’s it, the Olvid Plugin is configured and the user you created should now be able to authenticate after opening this link inside Olvid or scanning the QR code shown on the page.
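Before distributing the link, you can check what it carries: the visible start and end of the fragment shown above are base64 for `{"server"` and `"cid":"olvid_cl"}}`, which indicates a base64-encoded JSON object. The Python check below is an added example, not part of the Olvid documentation or plugin; it decodes the fragment and verifies that every URL in it is https on a host you expect (for instance your public Keycloak DNS name rather than the administration one) and that the client is olvid_cl. The function names, the `keycloak` nesting and the hostnames in the sample are assumptions constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

def decode_config_link(link):
    """Return the JSON object carried in the link fragment (the text after '#')."""
    fragment = urlsplit(link).fragment
    if not fragment:
        raise ValueError("link has no #fragment")
    # Accept both the standard and URL-safe base64 alphabets, with or without padding.
    b64 = fragment.translate(str.maketrans("-_", "+/"))
    b64 += "=" * (-len(b64) % 4)
    return json.loads(base64.b64decode(b64, validate=True))

def walk(node, key=None):
    """Yield (key, value) for every string leaf, at any nesting depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, k)
    elif isinstance(node, list):
        for v in node:
            yield from walk(v, key)
    elif isinstance(node, str):
        yield key, node

def check_config_link(link, allowed_hosts, expected_cid):
    """Return a list of problems; an empty list means the link looks as intended."""
    problems, cids = [], []
    for key, value in walk(decode_config_link(link)):
        if key == "cid":
            cids.append(value)
        elif "://" in value:
            url = urlsplit(value)
            if url.scheme != "https":
                problems.append(f"{key}: not https: {value}")
            if url.hostname not in allowed_hosts:
                problems.append(f"{key}: unexpected host: {url.hostname}")
    if cids != [expected_cid]:
        problems.append(f"cid: expected {expected_cid!r}, found {cids}")
    return problems

# Constructed sample: the "keycloak" nesting and hostnames are illustrative assumptions.
SAMPLE = {"server": "https://server.olvid.io",
          "keycloak": {"server": "https://keycloak.example.com/auth/", "cid": "olvid_cl"}}
SAMPLE_LINK = "https://configuration.olvid.io/#" + base64.b64encode(
    json.dumps(SAMPLE).encode()).decode()

if __name__ == "__main__":
    print(check_config_link(SAMPLE_LINK, {"server.olvid.io", "keycloak.example.com"}, "olvid_cl"))
```

Run it against the link copied from the dashboard, with `allowed_hosts` set to the hostnames your users are meant to reach.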