docs: added keycloak-oidc documentation

docs/documentation/platform/organization.mdx

@@ -21,34 +21,34 @@ The **Settings** page lets you manage information about your organization includ
 
 ![organization settings general](../../images/platform/organization/organization-settings-general.png)
 
-
-- Security and Authentication: A set of setting to enforce or manage [SAML](/documentation/platform/sso/overview), [SCIM](/documentation/platform/scim/overview), [LDAP](/documentation/platform/ldap/overview), and other authentication configurations.
+- Security and Authentication: A set of setting to enforce or manage [SAML](/documentation/platform/sso/overview), [OIDC](/documentation/platform/sso/overview), [SCIM](/documentation/platform/scim/overview), [LDAP](/documentation/platform/ldap/overview), and other authentication configurations.
 
 ![organization settings auth](../../images/platform/organization/organization-settings-auth.png)
 
 ## Access Control
 
-The **Access Control** page is where you can manage identities (both people and machines) that are part of your organization. 
+The **Access Control** page is where you can manage identities (both people and machines) that are part of your organization.
 You can add or remove additional members as well as modify their permissions.
 
 ![organization members](../../images/platform/organization/organization-members.png)
 ![organization identities](../../images/platform/organization/organization-machine-identities.png)
 
-In the **Organization Roles** tab, you can edit current or create new custom roles for members within the organization. 
+In the **Organization Roles** tab, you can edit current or create new custom roles for members within the organization.
 
 <Info>
   Note that Role-Based Access Management (RBAC) is partly a paid feature.
 
   Infisical provides immutable roles like `admin`, `member`, etc.
   at the organization and project level for free.
 
-  If you're using Infisical Cloud, the ability to create custom roles is available under the **Pro Tier**. 
-  If you're self-hosting Infisical, then you should contact [email protected] to purchase an enterprise license to use it.
+If you're using Infisical Cloud, the ability to create custom roles is available under the **Pro Tier**.
+If you're self-hosting Infisical, then you should contact [email protected] to purchase an enterprise license to use it.
+
 </Info>
 
 ![organization roles](../../images/platform/organization/organization-members-roles.png)
 
-As you can see next, Infisical supports granular permissions that you can tailor to each role. 
+As you can see next, Infisical supports granular permissions that you can tailor to each role.
 If you need certain members to only be able to access billing details, for example, then you can
 assign them that permission only.
 
@@ -66,4 +66,4 @@ This includes the following items:
 - Receipts: The receipts of monthly/annual invoices.
 - Billing: The billing details of your organization including payment methods on file, tax IDs (if applicable), etc.
 
-![organization usage and billing](../../images/platform/organization/organization-usage-billing.png)
+![organization usage and billing](../../images/platform/organization/organization-usage-billing.png)

docs/documentation/platform/sso/keycloak-oidc.mdx

@@ -0,0 +1,92 @@
+---
+title: "Keycloak OIDC"
+description: "Learn how to configure Keycloak OIDC for Infisical SSO."
+---
+
+<Info>
+  Keycloak OIDC SSO is a paid feature. If you're using Infisical Cloud, then it
+  is available under the **Pro Tier**. If you're self-hosting Infisical, then
+  you should contact [email protected] to purchase an enterprise license to
+  use it.
+</Info>
+
+<Steps>
+   <Step title="Create an OIDC client application in Keycloak">
+      1.1. In your realm, navigate to the **Clients** tab and click **Create client** to create a new client application.
+
+      ![OIDC keycloak list of clients](../../../images/sso/keycloak-oidc/clients-list.png)
+
+      <Info>
+         You don’t typically need to make a realm dedicated to Infisical. We recommend adding Infisical as a client to your primary realm.
+      </Info>
+
+      1.2. In the General Settings step, set **Client type** to **OpenID Connect**, the **Client ID** field to an appropriate identifier, and the **Name** field to a friendly name like **Infisical**.
+
+      ![OIDC keycloak create client general settings](../../../images/sso/keycloak-oidc/create-client-general-settings.png)
+
+      1.3. Next, in the Capability Config step, ensure that **Client Authentication** is set to On and that **Standard flow** is enabled in the Authentication flow section.
+
+      ![OIDC keycloak create client capability config settings](../../../images/sso/keycloak-oidc/create-client-capability.png)
+
+      1.4. In the Login Settings step, set the appropriate values for the following:
+      - Root URL (base URL of Infisical)
+      - Home URL (base URL of Infisical)
+      - Valid Redirect URIs (`${INFISICAL_BASE_URL}/api/v1/sso/oidc/callback`)
+      - Web origins (base URL of Infisical)
+
+      ![OIDC keycloak create client login settings](../../../images/sso/keycloak-oidc/create-client-login-settings.png)
+      <Info>
+         If you’re self-hosting Infisical, then you will want to replace https://app.infisical.com (base URL) with your own domain.
+      </Info>
+
+      1.5. Next, navigate to the **Client scopes** tab and select the client's dedicated scope.
+
+      ![OIDC keycloak client scopes list](../../../images/sso/keycloak-oidc/client-scope-list.png)
+
+      1.6. Next, click **Add predefined mapper**.
+
+      ![OIDC keycloak client mappers empty](../../../images/sso/keycloak-oidc/client-scope-mapper-menu.png)
+
+      1.7. Select the **email**, **given name**, **family name** attributes and click **Add**.
+
+      ![OIDC keycloak client mappers predefined 1](../../../images/sso/keycloak-oidc/scope-predefined-mapper-1.png)
+      ![OIDC keycloak client mappers predefined 2](../../../images/sso/keycloak-oidc/scope-predefined-mapper-2.png)
+
+      Once you've completed the above steps, the list of mappers should look like the following:
+      ![OIDC keycloak client mappers completed](../../../images/sso/keycloak-oidc/client-scope-complete-overview.png)
+
+   </Step>
+   <Step title="Retrieve Identity Provider (IdP) Information from Keycloak">
+      2.1. Back in Keycloak, navigate to Configure > Realm settings > General tab > Endpoints > OpenID Endpoint Configuration and copy the opened URL. This is what is to referred to as the Discovery Document URL and it takes the form: `https://keycloak-mysite.com/realms/myrealm/.well-known/openid-configuration`.
+      ![OIDC keycloak realm OIDC metadata](../../../images/sso/keycloak-oidc/realm-setting-oidc-config.png)
+
+      2.2. From the Clients page, navigate to the Credential tab and copy the value of Client secret for use in the preceding steps.
+      ![OIDC keycloak realm OIDC secret](../../../images/sso/keycloak-oidc/client-secret.png)
+
+   </Step>
+   <Step title="Finish configuring OIDC in Infisical">
+      3.1. Back in Infisical, in the Organization settings > Security > OIDC, click Manage
+      ![OIDC keycloak manage org Infisical](../../../images/sso/keycloak-oidc/manage-org-oidc.png)
+
+      3.2. For configuration type, select Discovery URL. Then, set the appropriate values for **Discovery Document URL**, **Client ID**, and **Client Secret**.
+      ![OIDC keycloak paste values into Infisical](../../../images/sso/keycloak-oidc/create-oidc.png)
+
+      Once you've done that, press **Update** to complete the required configuration.
+
+   </Step>
+   <Step title="Enable OIDC SSO in Infisical">
+      Enabling OIDC SSO allows members in your organization to log into Infisical via Keycloak.
+
+      ![OIDC keycloak enable OIDC](../../../images/sso/keycloak-oidc/enable-oidc.png)
+
+   </Step>
+</Steps>
+
+<Note>
+  If you're configuring OIDC SSO on a self-hosted instance of Infisical, make
+  sure to set the `AUTH_SECRET` and `SITE_URL` environment variable for it to
+  work: - `AUTH_SECRET`: A secret key used for signing and verifying JWT. This
+  can be a random 32-byte base64 string generated with `openssl rand -base64
+  32`. - `SITE_URL`: The URL of your self-hosted instance of Infisical - should
+  be an absolute URL including the protocol (e.g. https://app.infisical.com)
+</Note>

docs/documentation/platform/sso/overview.mdx

@@ -13,7 +13,7 @@ description: "Learn how to log in to Infisical via SSO protocols."
   with any questions, please reach out to [email protected].
 </Info>
 
-You can configure your organization in Infisical to have members authenticate with the platform via protocols like [SAML 2.0](https://en.wikipedia.org/wiki/SAML_2.0).
+You can configure your organization in Infisical to have members authenticate with the platform via protocols like [SAML 2.0](https://en.wikipedia.org/wiki/SAML_2.0) or [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html).
 
 To note, Infisical's SSO implementation decouples the **authentication** and **decryption** steps – which implies that no
 Identity Provider can have access to the decryption key needed to decrypt your secrets (this also implies that Infisical requires entering the user's Master Password on top of authenticating with SSO).
@@ -30,6 +30,7 @@ Infisical supports these and many other identity providers:
 - [JumpCloud SAML](/documentation/platform/sso/jumpcloud)
 - [Keycloak SAML](/documentation/platform/sso/keycloak-saml)
 - [Google SAML](/documentation/platform/sso/google-saml)
+- [Keycloak OIDC](/documentation/platform/sso/keycloak-oidc)
 
 If your required identity provider is not shown in the list above, please reach out to [[email protected]](mailto:[email protected]) for assistance.
 

docs/mint.json

@@ -178,7 +178,8 @@
             "documentation/platform/sso/azure",
             "documentation/platform/sso/jumpcloud",
             "documentation/platform/sso/keycloak-saml",
-            "documentation/platform/sso/google-saml"
+            "documentation/platform/sso/google-saml",
+            "documentation/platform/sso/keycloak-oidc"
           ]
         },
         {