Keycloak-Based Single Sign-On Implementation with QR Code Authentication Using OIDC PKCE
Regional government digital services face critical challenges in centralized identity management, including inefficient authentication across multiple devices, the lack of institutionally branded interfaces, and the absence of a self-service account management dashboard for civil servants. This study develops PemdaSSO, a Keycloak-based Single Sign-On system, by integrating a passwordless QR Code authentication feature implemented as a custom Service Provider Interface extension, combined with the OpenID Connect Authorization Code Flow secured with Proof Key for Code Exchange on a React JS Single Page Application dashboard, deployed at the Department of Communication and Information Technology of the Special Region of Yogyakarta. Methods: The system employs a three-tier architecture deployed via Docker Compose, comprising Keycloak as the Identity Provider, React JS as the Single Page Application frontend, Node.js as the backend API, PostgreSQL as the database, and MinIO as object storage. Black Box Testing was conducted on 59 test scenarios across 11 functional categories in accordance with ISO/IEC 25010 functional suitability criteria, yielding a 100% pass rate. The implemented single-use token mechanism with a 30-second expiration directly mitigates the Reusable QrId and Unbound SessionId vulnerabilities identified in prior literature, while Proof Key for Code Exchange protects the Single Page Application from authorization code interception attacks. Compared to national-scale e-government Single Sign-On implementations that rely on physical X.509 certificates, this approach is lighter, hardware-independent, and better suited to the mobility requirements of regional government personnel, thereby addressing a gap in the literature on modern Single Sign-On security implementation at the local government level.
Copyright (c) 2026 Arvin Demas Naryama, Budi Suyanto

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.