From 879f6b57148a83c264be52d0149f87c8ceba630f Mon Sep 17 00:00:00 2001
From: Jason Sherman <tools@usingtechnolo.gy>
Date: Mon, 26 Feb 2024 09:57:02 -0800
Subject: [PATCH] SSO - standard realm updates remove keycloak from API,
 replace with jwt verification only. token to user mapping now in
 configuration not in keycloak. frontend keycloak configuration changes
 slightly (no resource_access). no user role.

Signed-off-by: Jason Sherman <tools@usingtechnolo.gy>
---
 app/app.js                                    |  22 ++-
 app/config/custom-environment-variables.json  |  13 +-
 app/config/default.json                       |  14 +-
 .../src/components/base/BaseSecure.vue        |  59 ++----
 .../src/components/bcgov/BCGovNavBar.vue      |   2 +-
 .../src/components/designer/FormsTable.vue    |   2 +-
 .../designer/settings/FormAccessSettings.vue  |  11 +-
 .../settings/FormFunctionalitySettings.vue    |   2 +-
 .../src/components/forms/SubmissionsTable.vue |   2 +-
 .../components/forms/manage/AddTeamMember.vue |   4 +-
 .../forms/manage/TeamManagement.vue           |   7 +-
 .../submission/ManageSubmissionUsers.vue      |   6 +-
 app/frontend/src/main.js                      |  10 +-
 app/frontend/src/store/auth.js                |  40 ++--
 app/frontend/src/store/identityProviders.js   |  41 +++-
 app/frontend/src/utils/permissionUtils.js     |   6 +-
 app/frontend/src/views/Login.vue              |   8 +-
 .../components/base/BaseAuthButton.spec.js    |   8 +-
 .../unit/components/base/BaseSecure.spec.js   |  53 +----
 .../unit/components/bcgov/BCGovNavBar.spec.js |  12 +-
 .../unit/fixtures/identityProviders.json      |   4 +-
 .../unit/store/modules/auth.actions.spec.js   |   9 +-
 .../unit/store/modules/auth.getters.spec.js   |  67 ++-----
 .../tests/unit/utils/permissionUtils.spec.js  |   2 +-
 app/frontend/tests/unit/views/Login.spec.js   |   4 +-
 app/package-lock.json                         | 187 ++----------------
 app/package.json                              |   2 +-
 app/src/components/idpService.js              | 169 ++++++++++++++++
 app/src/components/jwtService.js              | 100 ++++++++++
 app/src/components/keycloak.js                |  19 --
 ...119172630_identity_provider_permissions.js |  48 +++++
 app/src/forms/admin/routes.js                 |   5 +-
 app/src/forms/auth/middleware/userAccess.js   | 144 ++++++++++----
 app/src/forms/auth/service.js                 |  57 ++----
 app/src/forms/common/constants.js             |  11 --
 .../common/models/tables/identityProvider.js  |   6 +
 app/src/forms/common/models/tables/user.js    |   5 +-
 app/src/forms/form/routes.js                  |   5 +-
 app/src/forms/permission/routes.js            |   5 +-
 app/src/forms/rbac/routes.js                  |   9 +-
 app/src/forms/rbac/service.js                 |  16 +-
 app/src/forms/role/routes.js                  |  11 +-
 app/src/forms/user/routes.js                  |   4 +-
 app/src/forms/user/service.js                 |  28 +--
 app/tests/unit/forms/auth/authService.spec.js |  15 +-
 .../forms/auth/middleware/userAccess.spec.js  |  83 +++++---
 app/tests/unit/forms/user/service.spec.js     |   3 +
 app/tests/unit/routes/v1/admin.spec.js        |   4 +-
 app/tests/unit/routes/v1/form.spec.js         |   4 +-
 app/tests/unit/routes/v1/permission.spec.js   |   4 +-
 app/tests/unit/routes/v1/rbac.spec.js         |   4 +-
 app/tests/unit/routes/v1/role.spec.js         |   4 +-
 app/tests/unit/routes/v1/user.spec.js         |   4 +-
 53 files changed, 749 insertions(+), 615 deletions(-)
 create mode 100644 app/src/components/idpService.js
 create mode 100644 app/src/components/jwtService.js
 delete mode 100755 app/src/components/keycloak.js

diff --git a/app/app.js b/app/app.js
index f960debc5..e2e202789 100644
--- a/app/app.js
+++ b/app/app.js
@@ -5,7 +5,6 @@ const path = require('path');
 const Problem = require('api-problem');
 const querystring = require('querystring');
 
-const keycloak = require('./src/components/keycloak');
 const log = require('./src/components/log')(module.filename);
 const httpLogger = require('./src/components/log').httpLogger;
 const middleware = require('./src/forms/common/middleware');
@@ -40,9 +39,6 @@ if (process.env.NODE_ENV !== 'test') {
   app.use(httpLogger);
 }
 
-// Use Keycloak OIDC Middleware
-app.use(keycloak.middleware());
-
 // Block requests until service is ready
 app.use((_req, res, next) => {
   if (state.shutdown) {
@@ -178,11 +174,16 @@ function initializeConnections() {
     .then((results) => {
       state.connections.data = results[0];
 
-      if (state.connections.data) log.info('DataConnection Reachable', { function: 'initializeConnections' });
+      if (state.connections.data)
+        log.info('DataConnection Reachable', {
+          function: 'initializeConnections',
+        });
     })
     .catch((error) => {
       log.error(`Initialization failed: Database OK = ${state.connections.data}`, { function: 'initializeConnections' });
-      log.error('Connection initialization failure', error.message, { function: 'initializeConnections' });
+      log.error('Connection initialization failure', error.message, {
+        function: 'initializeConnections',
+      });
       if (!state.ready) {
         process.exitCode = 1;
         shutdown();
@@ -191,7 +192,9 @@ function initializeConnections() {
     .finally(() => {
       state.ready = Object.values(state.connections).every((x) => x);
       if (state.ready) {
-        log.info('Service ready to accept traffic', { function: 'initializeConnections' });
+        log.info('Service ready to accept traffic', {
+          function: 'initializeConnections',
+        });
         // Start periodic 10 second connection probe check
         probeId = setInterval(checkConnections, 10000);
       }
@@ -211,7 +214,10 @@ function checkConnections() {
     Promise.all(tasks).then((results) => {
       state.connections.data = results[0];
       state.ready = Object.values(state.connections).every((x) => x);
-      if (!wasReady && state.ready) log.info('Service ready to accept traffic', { function: 'checkConnections' });
+      if (!wasReady && state.ready)
+        log.info('Service ready to accept traffic', {
+          function: 'checkConnections',
+        });
       log.verbose(state);
       if (!state.ready) {
         process.exitCode = 1;
diff --git a/app/config/custom-environment-variables.json b/app/config/custom-environment-variables.json
index ca034709e..06d1c82b6 100755
--- a/app/config/custom-environment-variables.json
+++ b/app/config/custom-environment-variables.json
@@ -35,7 +35,8 @@
     "keycloak": {
       "clientId": "FRONTEND_KC_CLIENTID",
       "realm": "FRONTEND_KC_REALM",
-      "serverUrl": "FRONTEND_KC_SERVERURL"
+      "serverUrl": "FRONTEND_KC_SERVERURL",
+      "logoutUrl": "FRONTEND_KC_LOGOUTURL"
     }
   },
   "server": {
@@ -43,11 +44,11 @@
     "basePath": "SERVER_BASEPATH",
     "bodyLimit": "SERVER_BODYLIMIT",
     "keycloak": {
-      "clientId": "SERVER_KC_CLIENTID",
-      "clientSecret": "SERVER_KC_CLIENTSECRET",
-      "publicKey": "SERVER_KC_PUBLICKEY",
-      "realm": "SERVER_KC_REALM",
-      "serverUrl": "SERVER_KC_SERVERURL"
+      "serverUrl": "SERVER_KC_SERVERURL",
+      "jwksUri": "SERVER_KC_JWKSURI",
+      "issuer": "SERVER_KC_ISSUER",
+      "audience": "SERVER_KC_AUDIENCE",
+      "maxTokenAge": "SERVER_KC_MAXTOKENAGE"
     },
     "logFile": "SERVER_LOGFILE",
     "logLevel": "SERVER_LOGLEVEL",
diff --git a/app/config/default.json b/app/config/default.json
index 3fadfbf56..99bb82950 100644
--- a/app/config/default.json
+++ b/app/config/default.json
@@ -32,8 +32,9 @@
     "basePath": "/app",
     "keycloak": {
       "clientId": "chefs-frontend",
-      "realm": "chefs",
-      "serverUrl": "https://dev.loginproxy.gov.bc.ca/auth"
+      "realm": "standard",
+      "serverUrl": "https://dev.loginproxy.gov.bc.ca/auth",
+      "logoutUrl": "https://logon7.gov.bc.ca/clp-cgi/logoff.cgi?retnow=1&returl=https%3A%2F%2Fdev.loginproxy.gov.bc.ca%2Fauth%2Frealms%2Fstandard%2Fprotocol%2Fopenid-connect%2Flogout%3Fpost_logout_redirect_uri%3Dhttp%3A%2F%2Flocalhost%3A5173%2Fapp%26client_id%3Dchefs-frontend"
     }
   },
   "server": {
@@ -41,9 +42,12 @@
     "basePath": "/app",
     "bodyLimit": "30mb",
     "keycloak": {
-      "clientId": "chefs",
-      "realm": "chefs",
-      "serverUrl": "https://dev.loginproxy.gov.bc.ca/auth"
+      "realm": "standard",
+      "serverUrl": "https://dev.loginproxy.gov.bc.ca/auth",
+      "jwksUri": "https://dev.loginproxy.gov.bc.ca/auth/realms/standard/protocol/openid-connect/certs",
+      "issuer": "https://dev.loginproxy.gov.bc.ca/auth/realms/standard",
+      "audience": "chefs-frontend",
+      "maxTokenAge": "300"
     },
     "logLevel": "http",
     "port": "8080",
diff --git a/app/frontend/src/components/base/BaseSecure.vue b/app/frontend/src/components/base/BaseSecure.vue
index f4ee5e424..d75aa7761 100755
--- a/app/frontend/src/components/base/BaseSecure.vue
+++ b/app/frontend/src/components/base/BaseSecure.vue
@@ -20,7 +20,6 @@ export default {
       'authenticated',
       'identityProvider',
       'isAdmin',
-      'isUser',
       'ready',
     ]),
     ...mapState(useFormStore, ['lang']),
@@ -44,48 +43,32 @@ export default {
 
 <template>
   <div v-if="authenticated">
-    <div v-if="isUser">
-      <div v-if="admin && !isAdmin" class="text-center">
-        <h1 class="my-8" :lang="lang">
-          {{ $t('trans.baseSecure.401UnAuthorized') }}
-        </h1>
-        <p :lang="lang">
-          {{ $t('trans.baseSecure.401UnAuthorizedErrMsg') }}
-        </p>
-      </div>
-      <div
-        v-else-if="permission && !hasPermission(identityProvider, permission)"
-        class="text-center"
-      >
-        <h1 class="my-8" :lang="lang">
-          {{ $t('trans.baseSecure.403Forbidden') }}
-        </h1>
-        <p :lang="lang">
-          {{
-            $t('trans.baseSecure.403ErrorMsg', {
-              idp: permission,
-            })
-          }}
-        </p>
-      </div>
-      <slot v-else />
-    </div>
-    <!-- TODO: Figure out better way to alert when user lacks chefs user role -->
-    <div v-else class="text-center">
+    <div v-if="admin && !isAdmin" class="text-center">
       <h1 class="my-8" :lang="lang">
         {{ $t('trans.baseSecure.401UnAuthorized') }}
       </h1>
-      <p>
-        <span :lang="lang" v-html="$t('trans.baseSecure.401ErrorMsg')"> </span>
-        <a :href="mailToLink">{{ contactInfo }}</a>
+      <p :lang="lang">
+        {{ $t('trans.baseSecure.401UnAuthorizedErrMsg') }}
+      </p>
+    </div>
+    <div
+      v-else-if="
+        permission && !hasPermission(identityProvider?.code, permission)
+      "
+      class="text-center"
+    >
+      <h1 class="my-8" :lang="lang">
+        {{ $t('trans.baseSecure.403Forbidden') }}
+      </h1>
+      <p :lang="lang">
+        {{
+          $t('trans.baseSecure.403ErrorMsg', {
+            idp: permission,
+          })
+        }}
       </p>
-      <router-link :to="{ name: 'About' }">
-        <v-btn color="primary" class="about-btn" size="large">
-          <v-icon start icon="mdi:mdi-home"></v-icon>
-          <span :lang="lang">{{ $t('trans.baseSecure.about') }}</span>
-        </v-btn>
-      </router-link>
     </div>
+    <slot v-else />
   </div>
   <div v-else class="text-center">
     <h1 class="my-8" :lang="lang">
diff --git a/app/frontend/src/components/bcgov/BCGovNavBar.vue b/app/frontend/src/components/bcgov/BCGovNavBar.vue
index a3a6a30c7..ea88d5322 100755
--- a/app/frontend/src/components/bcgov/BCGovNavBar.vue
+++ b/app/frontend/src/components/bcgov/BCGovNavBar.vue
@@ -19,7 +19,7 @@ export default {
       return this.$route && this.$route.meta && this.$route.meta.formSubmitMode;
     },
     hasPrivileges() {
-      return this.isPrimary(this.identityProvider);
+      return this.isPrimary(this.identityProvider?.code);
     },
   },
 };
diff --git a/app/frontend/src/components/designer/FormsTable.vue b/app/frontend/src/components/designer/FormsTable.vue
index c55cf7af8..606e781f8 100644
--- a/app/frontend/src/components/designer/FormsTable.vue
+++ b/app/frontend/src/components/designer/FormsTable.vue
@@ -45,7 +45,7 @@ export default {
       ];
     },
     canCreateForm() {
-      return this.isPrimary(this.user.idp);
+      return this.isPrimary(this.user.idp?.code);
     },
     filteredFormList() {
       return this.formList.filter(
diff --git a/app/frontend/src/components/designer/settings/FormAccessSettings.vue b/app/frontend/src/components/designer/settings/FormAccessSettings.vue
index f89c163aa..896193b9f 100644
--- a/app/frontend/src/components/designer/settings/FormAccessSettings.vue
+++ b/app/frontend/src/components/designer/settings/FormAccessSettings.vue
@@ -35,6 +35,11 @@ export default {
       return IdentityMode;
     },
   },
+  mounted() {
+    if (this.form?.idps && this.form.idps.length) {
+      this.idpType = this.form.idps[0];
+    }
+  },
   methods: {
     userTypeChanged() {
       // if they checked enable drafts then went back to public, uncheck it
@@ -129,12 +134,12 @@ export default {
           >
             <v-radio
               v-for="button in loginButtons"
-              :key="button.type"
-              :value="button.type"
+              :key="button.code"
+              :value="button.code"
               class="mx-2"
             >
               <template #label>
-                <span :class="{ 'mr-2': isRTL }"> {{ button.label }} </span>
+                <span :class="{ 'mr-2': isRTL }"> {{ button.display }} </span>
               </template>
             </v-radio>
             <!-- Mandatory BCeID process notification -->
diff --git a/app/frontend/src/components/designer/settings/FormFunctionalitySettings.vue b/app/frontend/src/components/designer/settings/FormFunctionalitySettings.vue
index 83b7e7575..f88606501 100644
--- a/app/frontend/src/components/designer/settings/FormFunctionalitySettings.vue
+++ b/app/frontend/src/components/designer/settings/FormFunctionalitySettings.vue
@@ -31,7 +31,7 @@ export default {
       return IdentityMode;
     },
     primaryIdpUser() {
-      return this.isPrimary(this.identityProvider);
+      return this.isPrimary(this.identityProvider?.code);
     },
   },
   methods: {
diff --git a/app/frontend/src/components/forms/SubmissionsTable.vue b/app/frontend/src/components/forms/SubmissionsTable.vue
index 37ac641dd..726ba7487 100644
--- a/app/frontend/src/components/forms/SubmissionsTable.vue
+++ b/app/frontend/src/components/forms/SubmissionsTable.vue
@@ -427,7 +427,7 @@ export default {
         }),
         deletedOnly: this.deletedOnly,
         createdBy: this.currentUserOnly
-          ? `${this.user.username}@${this.user.idp}`
+          ? `${this.user.username}@${this.user.idp?.code}`
           : '',
       };
       await this.fetchSubmissions(criteria);
diff --git a/app/frontend/src/components/forms/manage/AddTeamMember.vue b/app/frontend/src/components/forms/manage/AddTeamMember.vue
index ffdca0759..5aca02522 100644
--- a/app/frontend/src/components/forms/manage/AddTeamMember.vue
+++ b/app/frontend/src/components/forms/manage/AddTeamMember.vue
@@ -174,8 +174,8 @@ export default {
               >
                 <v-radio
                   v-for="button in loginButtons"
-                  :key="button.type"
-                  :value="button.type"
+                  :key="button.code"
+                  :value="button.code"
                   :label="button.display"
                 />
               </v-radio-group>
diff --git a/app/frontend/src/components/forms/manage/TeamManagement.vue b/app/frontend/src/components/forms/manage/TeamManagement.vue
index 777bfa49b..342ffe613 100644
--- a/app/frontend/src/components/forms/manage/TeamManagement.vue
+++ b/app/frontend/src/components/forms/manage/TeamManagement.vue
@@ -123,6 +123,7 @@ export default {
   methods: {
     ...mapActions(useFormStore, ['fetchForm', 'getFormPermissionsForUser']),
     ...mapActions(useNotificationStore, ['addNotification']),
+    ...mapActions(useIdpStore, ['findByCode']),
     async loadItems() {
       this.loading = true;
 
@@ -162,7 +163,7 @@ export default {
           roles: '*',
         });
         this.formUsers = formUsersResponse?.data?.map((user) => {
-          user.idp = user.user_idpCode;
+          user.idp = this.findByCode(user.user_idpCode);
           return user;
         });
       } catch (error) {
@@ -185,7 +186,7 @@ export default {
           fullName: user.fullName,
           userId: user.userId,
           username: user.username,
-          identityProvider: user.idp,
+          identityProvider: user.idp?.code,
         };
         this.roleList
           .map((role) => role.code)
@@ -201,7 +202,7 @@ export default {
       )
         return true;
       // if the header isn't in the IDPs roles, then disable
-      const idpRoles = this.listRoles(user.identityProvider);
+      const idpRoles = this.listRoles(user.identityProvider?.code);
       return idpRoles && !idpRoles.includes(header);
     },
 
diff --git a/app/frontend/src/components/forms/submission/ManageSubmissionUsers.vue b/app/frontend/src/components/forms/submission/ManageSubmissionUsers.vue
index 8f3b699d3..557b8a97a 100644
--- a/app/frontend/src/components/forms/submission/ManageSubmissionUsers.vue
+++ b/app/frontend/src/components/forms/submission/ManageSubmissionUsers.vue
@@ -58,7 +58,7 @@ export default {
       if (!input) return;
       this.isLoadingDropdown = true;
       try {
-        // The form's IDP (only support 1 at a time right now), blank is 'team' and should be IDIR
+        // The form's IDP (only support 1 at a time right now), blank is 'team' and should be Primary
         let params = {};
         params.idpCode = this.selectedIdp;
         let teamMembershipConfig = this.teamMembershipSearch(this.selectedIdp);
@@ -242,8 +242,8 @@ export default {
           <v-radio-group v-if="isDraft" v-model="selectedIdp" inline>
             <v-radio
               v-for="button in loginButtons"
-              :key="button.type"
-              :value="button.type"
+              :key="button.code"
+              :value="button.code"
               :label="button.display"
             />
           </v-radio-group>
diff --git a/app/frontend/src/main.js b/app/frontend/src/main.js
index bd0d67ca1..cfb257330 100755
--- a/app/frontend/src/main.js
+++ b/app/frontend/src/main.js
@@ -140,7 +140,8 @@ async function loadConfig() {
       !config.keycloak ||
       !config.keycloak.clientId ||
       !config.keycloak.realm ||
-      !config.keycloak.serverUrl
+      !config.keycloak.serverUrl ||
+      !config.keycloak.logoutUrl
     ) {
       throw new Error('Keycloak is misconfigured');
     }
@@ -165,7 +166,7 @@ function loadKeycloak(config) {
   };
 
   const options = Object.assign({}, defaultParams, {
-    init: { onLoad: 'check-sso' },
+    init: { pkceMethod: 'S256', checkLoginIframe: false, onLoad: 'check-sso' },
     config: {
       clientId: config.keycloak.clientId,
       realm: config.keycloak.realm,
@@ -188,6 +189,7 @@ function loadKeycloak(config) {
       const ctor = sanitizeConfig(cfg);
 
       const authStore = useAuthStore();
+      authStore.logoutUrl = config.keycloak.logoutUrl;
 
       keycloak = new Keycloak(ctor);
       keycloak.onReady = (authenticated) => {
@@ -207,9 +209,7 @@ function loadKeycloak(config) {
         );
         authStore.logoutFn = () => {
           clearInterval(updateTokenInterval);
-          keycloak.logout(
-            options.logout || { redirectUri: config['logoutRedirectUri'] }
-          );
+          authStore.updateKeycloak(keycloak, false);
         };
       };
       keycloak.onAuthRefreshSuccess = () => {
diff --git a/app/frontend/src/store/auth.js b/app/frontend/src/store/auth.js
index 374cc7765..56aa4f7ba 100644
--- a/app/frontend/src/store/auth.js
+++ b/app/frontend/src/store/auth.js
@@ -21,12 +21,11 @@ export const useAuthStore = defineStore('auth', {
     redirectUri: undefined,
     ready: false,
     authenticated: false,
+    logoutUrl: undefined,
   }),
   getters: {
     createLoginUrl: (state) => (options) =>
       state.keycloak.createLoginUrl(options),
-    createLogoutUrl: (state) => (options) =>
-      state.keycloak.createLogoutUrl(options),
     email: (state) =>
       state.keycloak.tokenParsed ? state.keycloak.tokenParsed.email : '',
     fullName: (state) => state.keycloak.tokenParsed.name,
@@ -35,38 +34,44 @@ export const useAuthStore = defineStore('auth', {
      * @returns (T/F) Whether the state has the required roles
      */
     hasResourceRoles: (state) => {
-      return (resource, roles) => {
+      return (roles) => {
         if (!state.authenticated) return false;
         if (!roles.length) return true; // No roles to check against
 
-        if (state.resourceAccess && state.resourceAccess[resource]) {
-          return hasRoles(state.resourceAccess[resource].roles, roles);
+        if (state.resourceAccess) {
+          return hasRoles(state.resourceAccess, roles);
         }
         return false; // There are roles to check, but nothing in token to check against
       };
     },
-    identityProvider: (state) =>
-      state.keycloak.tokenParsed
-        ? state.keycloak.tokenParsed.identity_provider
-        : null,
-    isAdmin: (state) => state.hasResourceRoles('chefs', ['admin']),
-    isUser: (state) => state.hasResourceRoles('chefs', ['user']),
+    identityProvider: (state) => {
+      const idpStore = useIdpStore();
+      return state.keycloak.tokenParsed
+        ? idpStore.findByHint(state.tokenParsed.identity_provider)
+        : null;
+    },
+    isAdmin: (state) => state.hasResourceRoles(['admin']),
     keycloakSubject: (state) => state.keycloak.subject,
     identityProviderIdentity: (state) => state.keycloak.tokenParsed.idp_userid,
     moduleLoaded: (state) => !!state.keycloak,
     realmAccess: (state) => state.keycloak.tokenParsed.realm_access,
-    resourceAccess: (state) => state.keycloak.tokenParsed.resource_access,
+    resourceAccess: (state) => state.keycloak.tokenParsed.client_roles,
     token: (state) => state.keycloak.token,
     tokenParsed: (state) => state.keycloak.tokenParsed,
     userName: (state) => state.keycloak.tokenParsed.preferred_username,
     user: (state) => {
+      const idpStore = useIdpStore();
       const user = {
         username: '',
         firstName: '',
         lastName: '',
         fullName: '',
         email: '',
-        idp: 'public',
+        idp: {
+          code: 'public',
+          display: 'Public',
+          hint: 'public',
+        },
         public: !state.authenticated,
       };
       if (state.authenticated) {
@@ -79,7 +84,8 @@ export const useAuthStore = defineStore('auth', {
         user.lastName = state.tokenParsed.family_name;
         user.fullName = state.tokenParsed.name;
         user.email = state.tokenParsed.email;
-        user.idp = state.tokenParsed.identity_provider;
+        const idp = idpStore.findByHint(state.tokenParsed.identity_provider);
+        user.idp = idp;
       }
 
       return user;
@@ -117,11 +123,7 @@ export const useAuthStore = defineStore('auth', {
     },
     logout() {
       if (this.ready) {
-        window.location.replace(
-          this.createLogoutUrl({
-            redirectUri: location.origin,
-          })
-        );
+        window.location.assign(this.logoutUrl);
       }
     },
   },
diff --git a/app/frontend/src/store/identityProviders.js b/app/frontend/src/store/identityProviders.js
index d6b6b5cd0..03301d5ba 100644
--- a/app/frontend/src/store/identityProviders.js
+++ b/app/frontend/src/store/identityProviders.js
@@ -11,8 +11,9 @@ export const useIdpStore = defineStore('idps', {
         for (const p of state.providers) {
           if (p.login) {
             result.push({
-              label: p.display,
-              type: p.code,
+              code: p.code,
+              display: p.display,
+              hint: p.idp,
             });
           }
         }
@@ -24,7 +25,7 @@ export const useIdpStore = defineStore('idps', {
       if (state.providers) {
         for (const p of state.providers) {
           if (p.login) {
-            result.push(p.code);
+            result.push(p.idp);
           }
         }
       }
@@ -47,9 +48,9 @@ export const useIdpStore = defineStore('idps', {
       }
       return false;
     },
-    isValidIdp(code) {
-      if (code && this.providers) {
-        return this.providers.findIndex((x) => x.code === code) > -1;
+    isValidIdpHint(hint) {
+      if (hint && this.providers) {
+        return this.providers.findIndex((x) => x.hint === hint) > -1;
       }
       return false;
     },
@@ -66,7 +67,7 @@ export const useIdpStore = defineStore('idps', {
     teamMembershipSearch(code) {
       if (code && this.providers) {
         const idp = this.providers.find(
-          (x) => x.code === code && idp.extra?.addTeamMemberSearch
+          (x) => x.code === code && x.extra?.addTeamMemberSearch
         );
         return idp ? idp.extra?.addTeamMemberSearch : null;
       }
@@ -110,5 +111,31 @@ export const useIdpStore = defineStore('idps', {
       }
       return undefined;
     },
+    findByCode(code) {
+      if (code && this.providers) {
+        const idp = this.providers.find((x) => x.code === code);
+        if (idp) {
+          return {
+            code: idp.code,
+            display: idp.display,
+            hint: idp.idp,
+          };
+        }
+      }
+      return undefined;
+    },
+    findByHint(hint) {
+      if (hint && this.providers) {
+        const idp = this.providers.find((x) => x.idp === hint);
+        if (idp) {
+          return {
+            code: idp.code,
+            display: idp.display,
+            hint: idp.idp,
+          };
+        }
+      }
+      return undefined;
+    },
   },
 });
diff --git a/app/frontend/src/utils/permissionUtils.js b/app/frontend/src/utils/permissionUtils.js
index e521377c8..16eda3719 100644
--- a/app/frontend/src/utils/permissionUtils.js
+++ b/app/frontend/src/utils/permissionUtils.js
@@ -87,7 +87,7 @@ export async function preFlightAuth(options = {}, next) {
   const getIdpHint = (values) => {
     return Array.isArray(values) && values.length ? values[0] : undefined;
   };
-  const isValidIdp = (value) => idpStore.isValidIdp(value);
+  const isValidIdpHint = (value) => idpStore.isValidIdpHint(value);
 
   // Determine current form or submission idpHint if available
   let idpHint = undefined;
@@ -136,7 +136,7 @@ export async function preFlightAuth(options = {}, next) {
 
     if (idpHint === IdentityMode.PUBLIC || !idpHint) {
       next(); // Permit navigation if public or team form
-    } else if (isValidIdp(idpHint) && userIdp === idpHint) {
+    } else if (isValidIdpHint(idpHint) && userIdp?.hint === idpHint) {
       next(); // Permit navigation if idps match
     } else {
       const msg = {
@@ -154,7 +154,7 @@ export async function preFlightAuth(options = {}, next) {
   } else {
     if (idpHint === IdentityMode.PUBLIC) {
       next(); // Permit navigation if public form
-    } else if (isValidIdp(idpHint)) {
+    } else if (isValidIdpHint(idpHint)) {
       authStore.login(idpHint); // Force login flow with specified idpHint
     } else {
       authStore.login(); // Force login flow with user choice
diff --git a/app/frontend/src/views/Login.vue b/app/frontend/src/views/Login.vue
index 4f2598a69..908e9a461 100644
--- a/app/frontend/src/views/Login.vue
+++ b/app/frontend/src/views/Login.vue
@@ -36,16 +36,16 @@ export default {
       <h1 class="my-6" :lang="lang">
         {{ $t('trans.login.authenticateWith') }}
       </h1>
-      <v-row v-for="button in loginButtons" :key="button.type" justify="center">
+      <v-row v-for="button in loginButtons" :key="button.code" justify="center">
         <v-col sm="3">
           <v-btn
             block
             color="primary"
             size="large"
-            :data-test="button.type"
-            @click="login(button.type)"
+            :data-test="button.code"
+            @click="login(button.hint)"
           >
-            {{ button.label }}
+            {{ button.display }}
           </v-btn>
         </v-col>
       </v-row>
diff --git a/app/frontend/tests/unit/components/base/BaseAuthButton.spec.js b/app/frontend/tests/unit/components/base/BaseAuthButton.spec.js
index d7f7b60ca..0cb3c64c0 100644
--- a/app/frontend/tests/unit/components/base/BaseAuthButton.spec.js
+++ b/app/frontend/tests/unit/components/base/BaseAuthButton.spec.js
@@ -16,7 +16,7 @@ describe('BaseAuthButton.vue', () => {
   const authStore = useAuthStore();
   const idpStore = useIdpStore();
   const router = getRouter();
-  const windowReplaceSpy = vi.spyOn(window.location, 'replace');
+  const windowReplaceSpy = vi.spyOn(window.location, 'assign');
   idpStore.providers = require('../../fixtures/identityProviders.json');
 
   beforeEach(async () => {
@@ -24,7 +24,6 @@ describe('BaseAuthButton.vue', () => {
     authStore.$reset();
     authStore.keycloak = {
       createLoginUrl: vi.fn((opts) => opts),
-      createLogoutUrl: vi.fn((opts) => opts),
     };
     router.currentRoute.value.meta.hasLogin = true;
     router.push('/');
@@ -104,6 +103,7 @@ describe('BaseAuthButton.vue', () => {
 
   it('logout button redirects to logout url', async () => {
     authStore.authenticated = true;
+    authStore.logoutUrl = location.origin;
     authStore.ready = true;
     const wrapper = mount(BaseAuthButton, {
       global: {
@@ -114,8 +114,6 @@ describe('BaseAuthButton.vue', () => {
     wrapper.vm.logout();
     expect(wrapper.text()).toMatch('trans.baseAuthButton.logout');
     expect(windowReplaceSpy).toHaveBeenCalledTimes(1);
-    expect(windowReplaceSpy).toHaveBeenCalledWith({
-      redirectUri: location.origin,
-    });
+    expect(windowReplaceSpy).toHaveBeenCalledWith(location.origin);
   });
 });
diff --git a/app/frontend/tests/unit/components/base/BaseSecure.spec.js b/app/frontend/tests/unit/components/base/BaseSecure.spec.js
index d60435ac9..585e4f3ca 100644
--- a/app/frontend/tests/unit/components/base/BaseSecure.spec.js
+++ b/app/frontend/tests/unit/components/base/BaseSecure.spec.js
@@ -33,11 +33,7 @@ describe('BaseSecure.vue', () => {
     authStore.ready = true;
     authStore.keycloak = {
       tokenParsed: {
-        resource_access: {
-          chefs: {
-            roles: ['user'],
-          },
-        },
+        client_roles: [],
         identity_provider: nonPrimaryIdp.code,
       },
     };
@@ -50,41 +46,16 @@ describe('BaseSecure.vue', () => {
     expect(wrapper.text()).toEqual('');
   });
 
-  it('renders a message if authenticated, not user', () => {
-    authStore.authenticated = true;
-    authStore.ready = true;
-    authStore.keycloak = {
-      tokenParsed: {
-        resource_access: {
-          chefs: {
-            roles: [],
-          },
-        },
-        identity_provider: nonPrimaryIdp.code,
-      },
-    };
-    const wrapper = mount(BaseSecure, {
-      global: {
-        plugins: [router, pinia],
-      },
-    });
-
-    expect(wrapper.text()).toContain('trans.baseSecure.401UnAuthorized');
-  });
-
   it('renders a message if admin required, not admin', () => {
     authStore.authenticated = true;
     authStore.ready = true;
     authStore.keycloak = {
       tokenParsed: {
-        resource_access: {
-          chefs: {
-            roles: ['user'],
-          },
-          identity_provider: nonPrimaryIdp.code,
+        client_roles: [],
+        identity_provider: nonPrimaryIdp.code,
         },
-      },
-    };
+      };
+
     const wrapper = mount(BaseSecure, {
       props: {
         admin: true,
@@ -102,11 +73,7 @@ describe('BaseSecure.vue', () => {
     authStore.ready = true;
     authStore.keycloak = {
       tokenParsed: {
-        resource_access: {
-          chefs: {
-            roles: ['user'],
-          },
-        },
+        client_roles: ['admin'],
         identity_provider: nonPrimaryIdp.code,
       },
     };
@@ -178,13 +145,9 @@ describe('BaseSecure.vue', () => {
     authStore.ready = true;
     authStore.keycloak = {
       tokenParsed: {
-        resource_access: {
-          chefs: {
-            roles: ['user'],
-          },
-          identity_provider: nonPrimaryIdp.code,
+          client_roles: [],
+          identity_provider: 'fake', //nonPrimaryIdp.code,
         },
-      },
     };
     const wrapper = mount(BaseSecure, {
       props: {
diff --git a/app/frontend/tests/unit/components/bcgov/BCGovNavBar.spec.js b/app/frontend/tests/unit/components/bcgov/BCGovNavBar.spec.js
index 2e0b3b502..a25ff9687 100644
--- a/app/frontend/tests/unit/components/bcgov/BCGovNavBar.spec.js
+++ b/app/frontend/tests/unit/components/bcgov/BCGovNavBar.spec.js
@@ -28,11 +28,7 @@ describe('BCGovNavBar.vue', () => {
     authStore.keycloak = {
       tokenParsed: {
         identity_provider: primaryIdp.code,
-        resource_access: {
-          chefs: {
-            roles: [],
-          },
-        },
+        client_roles: [],
       },
     };
     authStore.authenticated = true;
@@ -70,11 +66,7 @@ describe('BCGovNavBar.vue', () => {
     authStore.keycloak = {
       tokenParsed: {
         identity_provider: primaryIdp.code,
-        resource_access: {
-          chefs: {
-            roles: ['admin'],
-          },
-        },
+        client_roles: ['admin'],
       },
     };
     authStore.authenticated = true;
diff --git a/app/frontend/tests/unit/fixtures/identityProviders.json b/app/frontend/tests/unit/fixtures/identityProviders.json
index 3b757c0d7..827940877 100644
--- a/app/frontend/tests/unit/fixtures/identityProviders.json
+++ b/app/frontend/tests/unit/fixtures/identityProviders.json
@@ -36,7 +36,7 @@
         "code": "bceid-basic",
         "display": "Basic BCeID",
         "active": true,
-        "idp": "bceid-basic",
+        "idp": "bceidbasic",
         "createdBy": "migration-022",
         "createdAt": "2024-01-24T22:35:49.703Z",
         "updatedBy": null,
@@ -67,7 +67,7 @@
         "code": "bceid-business",
         "display": "Business BCeID",
         "active": true,
-        "idp": "bceid-business",
+        "idp": "bceidbusiness",
         "createdBy": "migration-022",
         "createdAt": "2024-01-24T22:35:49.703Z",
         "updatedBy": null,
diff --git a/app/frontend/tests/unit/store/modules/auth.actions.spec.js b/app/frontend/tests/unit/store/modules/auth.actions.spec.js
index 1e482b7e4..c007b993e 100644
--- a/app/frontend/tests/unit/store/modules/auth.actions.spec.js
+++ b/app/frontend/tests/unit/store/modules/auth.actions.spec.js
@@ -12,6 +12,7 @@ describe('auth actions', () => {
   let router = getRouter();
   const replaceSpy = vi.spyOn(router, 'replace');
   const windowReplaceSpy = vi.spyOn(window.location, 'replace');
+  const windowAssignSpy = vi.spyOn(window.location, 'assign');
   setActivePinia(createPinia());
   const mockStore = useAuthStore();
   const formStore = useFormStore();
@@ -101,23 +102,23 @@ describe('auth actions', () => {
       mockStore.$reset();
       mockStore.keycloak = {
         createLoginUrl: vi.fn(() => 'about:blank'),
-        createLogoutUrl: vi.fn(() => 'about:blank'),
       };
-      windowReplaceSpy.mockReset();
+      mockStore.logoutUrl = location.origin;
+      windowAssignSpy.mockReset();
     });
 
     it('should do nothing if keycloak is not ready', () => {
       mockStore.ready = false;
       mockStore.logout();
 
-      expect(windowReplaceSpy).toHaveBeenCalledTimes(0);
+      expect(windowAssignSpy).toHaveBeenCalledTimes(0);
     });
 
     it('should trigger navigation action if keycloak is ready', () => {
       mockStore.ready = true;
       mockStore.logout();
 
-      expect(windowReplaceSpy).toHaveBeenCalledTimes(1);
+      expect(windowAssignSpy).toHaveBeenCalledTimes(1);
     });
   });
 });
diff --git a/app/frontend/tests/unit/store/modules/auth.getters.spec.js b/app/frontend/tests/unit/store/modules/auth.getters.spec.js
index bf44fba17..89ecc6991 100755
--- a/app/frontend/tests/unit/store/modules/auth.getters.spec.js
+++ b/app/frontend/tests/unit/store/modules/auth.getters.spec.js
@@ -3,6 +3,7 @@ import { beforeEach, describe, expect, it } from 'vitest';
 import { createApp } from 'vue';
 
 import { useAuthStore } from '~/store/auth';
+import { useIdpStore } from '~/store/identityProviders';
 
 const zeroUuid = '00000000-0000-0000-0000-000000000000';
 const zeroGuid = '00000000000000000000000000000000';
@@ -14,14 +15,15 @@ describe('auth getters', () => {
   app.use(pinia);
   setActivePinia(pinia);
   const store = useAuthStore();
+  const idpStore = useIdpStore();
 
+  idpStore.providers = require('../../fixtures/identityProviders.json');
   beforeEach(() => {
     store.$reset();
     store.authenticated = true;
     store.ready = true;
     store.keycloak = {
       createLoginUrl: () => 'loginUrl',
-      createLogoutUrl: () => 'logoutUrl',
       fullName: 'fName',
       subject: zeroUuid,
       token: 'token',
@@ -34,11 +36,7 @@ describe('auth getters', () => {
         idp_userid: zeroGuid,
         preferred_username: 'johndoe',
         realm_access: {},
-        resource_access: {
-          chefs: {
-            roles: roles,
-          },
-        },
+        client_roles: roles,
       },
       userName: 'uName',
     };
@@ -54,12 +52,6 @@ describe('auth getters', () => {
     expect(store.createLoginUrl()).toMatch('loginUrl');
   });
 
-  it('createLogoutUrl should return a string', () => {
-    expect(store.createLogoutUrl).toBeTruthy();
-    expect(typeof store.createLogoutUrl).toBe('function');
-    expect(store.createLogoutUrl()).toMatch('logoutUrl');
-  });
-
   it('email should return a string', () => {
     expect(store.email).toBeTruthy();
     expect(store.email).toMatch('e@mail.com');
@@ -80,7 +72,7 @@ describe('auth getters', () => {
     store.authenticated = false;
 
     expect(store.authenticated).toBeFalsy();
-    expect(store.hasResourceRoles('app', roles)).toBeFalsy();
+    expect(store.hasResourceRoles(roles)).toBeFalsy();
   });
 
   it('hasResourceRoles should return true when checking no roles', () => {
@@ -88,7 +80,7 @@ describe('auth getters', () => {
     roles = [];
 
     expect(store.authenticated).toBeTruthy();
-    expect(store.hasResourceRoles('app', roles)).toBeTruthy();
+    expect(store.hasResourceRoles(roles)).toBeTruthy();
   });
 
   it('hasResourceRoles should return true when role exists', () => {
@@ -96,35 +88,31 @@ describe('auth getters', () => {
     roles = [];
 
     expect(store.authenticated).toBeTruthy();
-    expect(store.hasResourceRoles('app', roles)).toBeTruthy();
+    expect(store.hasResourceRoles(roles)).toBeTruthy();
   });
 
   it('hasResourceRoles should return false when resource does not exist', () => {
     store.authenticated = true;
     store.keycloak.tokenParsed = {
       realm_access: {},
-      resource_access: {},
+      client_roles: [],
     };
     roles = ['non-existent-role'];
 
     expect(store.authenticated).toBeTruthy();
-    expect(store.hasResourceRoles('app', roles)).toBeFalsy();
+    expect(store.hasResourceRoles(roles)).toBeFalsy();
   });
 
   it('identityProvider should return a string', () => {
     expect(store.identityProvider).toBeTruthy();
-    expect(typeof store.identityProvider).toBe('string');
+    expect(typeof store.identityProvider).toBe('object');
   });
 
   it('isAdmin should return false if no admin role', () => {
     store.authenticated = true;
     roles = [];
     store.keycloak.tokenParsed = {
-      resource_access: {
-        chefs: {
-          roles: roles,
-        },
-      },
+      client_roles: roles,
     };
 
     expect(store.authenticated).toBeTruthy();
@@ -135,40 +123,13 @@ describe('auth getters', () => {
     store.authenticated = true;
     roles = ['admin'];
     store.keycloak.tokenParsed = {
-      resource_access: {
-        chefs: {
-          roles: roles,
-        },
-      },
+      client_roles: roles,
     };
 
     expect(store.authenticated).toBeTruthy();
     expect(store.isAdmin).toBeTruthy();
   });
 
-  it('isUser should return false if no user role', () => {
-    store.authenticated = true;
-    roles = [];
-
-    expect(store.authenticated).toBeTruthy();
-    expect(store.isUser).toBeFalsy();
-  });
-
-  it('isUser should return true if user role', () => {
-    store.authenticated = true;
-    roles = ['user'];
-    store.keycloak.tokenParsed = {
-      resource_access: {
-        chefs: {
-          roles: roles,
-        },
-      },
-    };
-
-    expect(store.authenticated).toBeTruthy();
-    expect(store.isUser).toBeTruthy();
-  });
-
   it('ready should return a boolean', () => {
     expect(store.ready).toBeTruthy();
   });
@@ -229,7 +190,7 @@ describe('auth getters', () => {
       lastName: 'Doe',
       fullName: 'John Doe',
       email: 'e@mail.com',
-      idp: 'idir',
+      idp: {code: 'idir', display: 'IDIR', hint: 'idir'},
       public: false,
     });
   });
@@ -245,7 +206,7 @@ describe('auth getters', () => {
       lastName: '',
       fullName: '',
       email: '',
-      idp: 'public',
+      idp: { code: 'public', display: 'Public', hint: 'public' },
       public: true,
     });
   });
diff --git a/app/frontend/tests/unit/utils/permissionUtils.spec.js b/app/frontend/tests/unit/utils/permissionUtils.spec.js
index 031f2e0c8..c6e11b268 100644
--- a/app/frontend/tests/unit/utils/permissionUtils.spec.js
+++ b/app/frontend/tests/unit/utils/permissionUtils.spec.js
@@ -279,7 +279,7 @@ describe('preFlightAuth', () => {
       },
     };
     readFormOptionsSpy.mockResolvedValue({
-      data: { idpHints: [primaryIdp.code] },
+      data: { idpHints: [primaryIdp.hint] },
     });
 
     await permissionUtils.preFlightAuth({ formId: 'f' }, mockNext);
diff --git a/app/frontend/tests/unit/views/Login.spec.js b/app/frontend/tests/unit/views/Login.spec.js
index 4a16c4b1c..0c2613601 100644
--- a/app/frontend/tests/unit/views/Login.spec.js
+++ b/app/frontend/tests/unit/views/Login.spec.js
@@ -69,8 +69,8 @@ describe('Login.vue', () => {
 
     await nextTick();
 
-    Object.values(idpStore.loginIdpHints).forEach((idp) => {
-      const button = wrapper.find(`[data-test="${idp}"]`);
+    Object.values(idpStore.loginButtons).forEach((idp) => {
+      const button = wrapper.find(`[data-test="${idp.code}"]`);
       expect(button.exists()).toBeTruthy();
     });
   });
diff --git a/app/package-lock.json b/app/package-lock.json
index 39e45278c..1c9b96fe2 100644
--- a/app/package-lock.json
+++ b/app/package-lock.json
@@ -30,9 +30,9 @@
         "form-data": "^4.0.0",
         "fs-extra": "^10.1.0",
         "handlebars": "^4.7.8",
+        "jose": "^5.2.2",
         "js-yaml": "^4.1.0",
         "jsonwebtoken": "^9.0.0",
-        "keycloak-connect": "^21.1.1",
         "knex": "^2.4.2",
         "lodash": "^4.17.21",
         "mime-types": "^2.1.35",
@@ -2106,17 +2106,6 @@
       "integrity": "sha512-BSHWgDSAiKs50o2Re8ppvp3seVHXSRM44cdSsT9FfNEUUZLOGWVCsiWaRPWM1Znn+mqZ1OfVZ3z3DWEzSp7hRA==",
       "dev": true
     },
-    "node_modules/asn1.js": {
-      "version": "5.4.1",
-      "resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-5.4.1.tgz",
-      "integrity": "sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA==",
-      "dependencies": {
-        "bn.js": "^4.0.0",
-        "inherits": "^2.0.1",
-        "minimalistic-assert": "^1.0.0",
-        "safer-buffer": "^2.1.0"
-      }
-    },
     "node_modules/astral-regex": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/astral-regex/-/astral-regex-1.0.0.tgz",
@@ -2385,11 +2374,6 @@
         "node": ">=8"
       }
     },
-    "node_modules/bn.js": {
-      "version": "4.12.0",
-      "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz",
-      "integrity": "sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA=="
-    },
     "node_modules/body-parser": {
       "version": "1.20.2",
       "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz",
@@ -2449,11 +2433,6 @@
         "node": ">=8"
       }
     },
-    "node_modules/brorand": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/brorand/-/brorand-1.1.0.tgz",
-      "integrity": "sha512-cKV8tMCEpQs4hK/ik71d6LrPOnpkpGBR0wzxqr68g2m/LB2GxVYQroAjMJZRVM1Y4BCjCKc3vAamxSzOY2RP+w=="
-    },
     "node_modules/browserslist": {
       "version": "4.22.2",
       "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.22.2.tgz",
@@ -3180,20 +3159,6 @@
       "integrity": "sha512-/bKPPcgZVUziECqDc+0HkT87+0zhaWSZHNXqF8FLd2lQcptpmUFwoCSWjCdOng9Gdq+afKArPdEg/0ZW461Eng==",
       "dev": true
     },
-    "node_modules/elliptic": {
-      "version": "6.5.4",
-      "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz",
-      "integrity": "sha512-iLhC6ULemrljPZb+QutR5TQGB+pdW6KGD5RSegS+8sorOZT+rdQFbsQFJgvN3eRqNALqJer4oQ16YvJHlU8hzQ==",
-      "dependencies": {
-        "bn.js": "^4.11.9",
-        "brorand": "^1.1.0",
-        "hash.js": "^1.0.0",
-        "hmac-drbg": "^1.0.1",
-        "inherits": "^2.0.4",
-        "minimalistic-assert": "^1.0.1",
-        "minimalistic-crypto-utils": "^1.0.1"
-      }
-    },
     "node_modules/emittery": {
       "version": "0.13.1",
       "resolved": "https://registry.npmjs.org/emittery/-/emittery-0.13.1.tgz",
@@ -6604,15 +6569,6 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
-    "node_modules/hash.js": {
-      "version": "1.1.7",
-      "resolved": "https://registry.npmjs.org/hash.js/-/hash.js-1.1.7.tgz",
-      "integrity": "sha512-taOaskGt4z4SOANNseOviYDvjEJinIkRgmp7LbKP2YTTmVxWBl87s/uzK9r+44BclBSp2X7K1hqeNfz9JbBeXA==",
-      "dependencies": {
-        "inherits": "^2.0.3",
-        "minimalistic-assert": "^1.0.1"
-      }
-    },
     "node_modules/hexoid": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/hexoid/-/hexoid-1.0.0.tgz",
@@ -6622,16 +6578,6 @@
         "node": ">=8"
       }
     },
-    "node_modules/hmac-drbg": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/hmac-drbg/-/hmac-drbg-1.0.1.tgz",
-      "integrity": "sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg==",
-      "dependencies": {
-        "hash.js": "^1.0.3",
-        "minimalistic-assert": "^1.0.0",
-        "minimalistic-crypto-utils": "^1.0.1"
-      }
-    },
     "node_modules/html-escaper": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
@@ -7853,6 +7799,14 @@
         "node": ">= 0.6.0"
       }
     },
+    "node_modules/jose": {
+      "version": "5.2.2",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-5.2.2.tgz",
+      "integrity": "sha512-/WByRr4jDcsKlvMd1dRJnPfS1GVO3WuKyaurJ/vvXcOaUQO8rnNObCQMlv/5uCceVQIq5Q4WLF44ohsdiTohdg==",
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
     "node_modules/js-sdsl": {
       "version": "4.4.0",
       "resolved": "https://registry.npmjs.org/js-sdsl/-/js-sdsl-4.4.0.tgz",
@@ -8005,16 +7959,6 @@
         "safe-buffer": "^5.0.1"
       }
     },
-    "node_modules/jwk-to-pem": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/jwk-to-pem/-/jwk-to-pem-2.0.5.tgz",
-      "integrity": "sha512-L90jwellhO8jRKYwbssU9ifaMVqajzj3fpRjDKcsDzrslU9syRbFqfkXtT4B89HYAap+xsxNcxgBSB09ig+a7A==",
-      "dependencies": {
-        "asn1.js": "^5.3.0",
-        "elliptic": "^6.5.4",
-        "safe-buffer": "^5.0.1"
-      }
-    },
     "node_modules/jws": {
       "version": "3.2.2",
       "resolved": "https://registry.npmjs.org/jws/-/jws-3.2.2.tgz",
@@ -8024,21 +7968,6 @@
         "safe-buffer": "^5.0.1"
       }
     },
-    "node_modules/keycloak-connect": {
-      "version": "21.1.1",
-      "resolved": "https://registry.npmjs.org/keycloak-connect/-/keycloak-connect-21.1.1.tgz",
-      "integrity": "sha512-FFLhsnXjo+OmzMJpFhHcTjLHLwT18aZi1hJj/TLwXjijyHUFDBdVyD+uF7Hspcs4A4s00xwteAqkQGMlFQa6Yw==",
-      "deprecated": "This package is deprecated and will be removed in the future. We will shortly provide more details on removal date, and recommended alternatives.",
-      "dependencies": {
-        "jwk-to-pem": "^2.0.0"
-      },
-      "engines": {
-        "node": ">=14"
-      },
-      "optionalDependencies": {
-        "chromedriver": "latest"
-      }
-    },
     "node_modules/kleur": {
       "version": "3.0.3",
       "resolved": "https://registry.npmjs.org/kleur/-/kleur-3.0.3.tgz",
@@ -8475,16 +8404,6 @@
         "node": ">=6"
       }
     },
-    "node_modules/minimalistic-assert": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz",
-      "integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A=="
-    },
-    "node_modules/minimalistic-crypto-utils": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz",
-      "integrity": "sha512-JIYlbt6g8i5jKfJ3xz7rF0LXmv2TkDxBLUkiBeZ7bAx4GnnNMr8xFpGnOxn6GhTEHx3SjRrZEoU+j04prX1ktg=="
-    },
     "node_modules/minimatch": {
       "version": "3.1.2",
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
@@ -12783,17 +12702,6 @@
       "integrity": "sha512-BSHWgDSAiKs50o2Re8ppvp3seVHXSRM44cdSsT9FfNEUUZLOGWVCsiWaRPWM1Znn+mqZ1OfVZ3z3DWEzSp7hRA==",
       "dev": true
     },
-    "asn1.js": {
-      "version": "5.4.1",
-      "resolved": "https://registry.npmjs.org/asn1.js/-/asn1.js-5.4.1.tgz",
-      "integrity": "sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA==",
-      "requires": {
-        "bn.js": "^4.0.0",
-        "inherits": "^2.0.1",
-        "minimalistic-assert": "^1.0.0",
-        "safer-buffer": "^2.1.0"
-      }
-    },
     "astral-regex": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/astral-regex/-/astral-regex-1.0.0.tgz",
@@ -12996,11 +12904,6 @@
       "integrity": "sha512-jDctJ/IVQbZoJykoeHbhXpOlNBqGNcwXJKJog42E5HDPUwQTSdjCHdihjj0DlnheQ7blbT6dHOafNAiS8ooQKA==",
       "dev": true
     },
-    "bn.js": {
-      "version": "4.12.0",
-      "resolved": "https://registry.npmjs.org/bn.js/-/bn.js-4.12.0.tgz",
-      "integrity": "sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA=="
-    },
     "body-parser": {
       "version": "1.20.2",
       "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.2.tgz",
@@ -13049,11 +12952,6 @@
         "fill-range": "^7.0.1"
       }
     },
-    "brorand": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/brorand/-/brorand-1.1.0.tgz",
-      "integrity": "sha512-cKV8tMCEpQs4hK/ik71d6LrPOnpkpGBR0wzxqr68g2m/LB2GxVYQroAjMJZRVM1Y4BCjCKc3vAamxSzOY2RP+w=="
-    },
     "browserslist": {
       "version": "4.22.2",
       "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.22.2.tgz",
@@ -13598,20 +13496,6 @@
       "integrity": "sha512-/bKPPcgZVUziECqDc+0HkT87+0zhaWSZHNXqF8FLd2lQcptpmUFwoCSWjCdOng9Gdq+afKArPdEg/0ZW461Eng==",
       "dev": true
     },
-    "elliptic": {
-      "version": "6.5.4",
-      "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.4.tgz",
-      "integrity": "sha512-iLhC6ULemrljPZb+QutR5TQGB+pdW6KGD5RSegS+8sorOZT+rdQFbsQFJgvN3eRqNALqJer4oQ16YvJHlU8hzQ==",
-      "requires": {
-        "bn.js": "^4.11.9",
-        "brorand": "^1.1.0",
-        "hash.js": "^1.0.0",
-        "hmac-drbg": "^1.0.1",
-        "inherits": "^2.0.4",
-        "minimalistic-assert": "^1.0.1",
-        "minimalistic-crypto-utils": "^1.0.1"
-      }
-    },
     "emittery": {
       "version": "0.13.1",
       "resolved": "https://registry.npmjs.org/emittery/-/emittery-0.13.1.tgz",
@@ -16183,31 +16067,12 @@
         "has-symbols": "^1.0.2"
       }
     },
-    "hash.js": {
-      "version": "1.1.7",
-      "resolved": "https://registry.npmjs.org/hash.js/-/hash.js-1.1.7.tgz",
-      "integrity": "sha512-taOaskGt4z4SOANNseOviYDvjEJinIkRgmp7LbKP2YTTmVxWBl87s/uzK9r+44BclBSp2X7K1hqeNfz9JbBeXA==",
-      "requires": {
-        "inherits": "^2.0.3",
-        "minimalistic-assert": "^1.0.1"
-      }
-    },
     "hexoid": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/hexoid/-/hexoid-1.0.0.tgz",
       "integrity": "sha512-QFLV0taWQOZtvIRIAdBChesmogZrtuXvVWsFHZTk2SU+anspqZ2vMnoLg7IE1+Uk16N19APic1BuF8bC8c2m5g==",
       "dev": true
     },
-    "hmac-drbg": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/hmac-drbg/-/hmac-drbg-1.0.1.tgz",
-      "integrity": "sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg==",
-      "requires": {
-        "hash.js": "^1.0.3",
-        "minimalistic-assert": "^1.0.0",
-        "minimalistic-crypto-utils": "^1.0.1"
-      }
-    },
     "html-escaper": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
@@ -17109,6 +16974,11 @@
       "resolved": "https://registry.npmjs.org/jmespath/-/jmespath-0.16.0.tgz",
       "integrity": "sha512-9FzQjJ7MATs1tSpnco1K6ayiYE3figslrXA72G2HQ/n76RzvYlofyi5QM+iX4YRs/pu3yzxlVQSST23+dMDknw=="
     },
+    "jose": {
+      "version": "5.2.2",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-5.2.2.tgz",
+      "integrity": "sha512-/WByRr4jDcsKlvMd1dRJnPfS1GVO3WuKyaurJ/vvXcOaUQO8rnNObCQMlv/5uCceVQIq5Q4WLF44ohsdiTohdg=="
+    },
     "js-sdsl": {
       "version": "4.4.0",
       "resolved": "https://registry.npmjs.org/js-sdsl/-/js-sdsl-4.4.0.tgz",
@@ -17226,16 +17096,6 @@
         "safe-buffer": "^5.0.1"
       }
     },
-    "jwk-to-pem": {
-      "version": "2.0.5",
-      "resolved": "https://registry.npmjs.org/jwk-to-pem/-/jwk-to-pem-2.0.5.tgz",
-      "integrity": "sha512-L90jwellhO8jRKYwbssU9ifaMVqajzj3fpRjDKcsDzrslU9syRbFqfkXtT4B89HYAap+xsxNcxgBSB09ig+a7A==",
-      "requires": {
-        "asn1.js": "^5.3.0",
-        "elliptic": "^6.5.4",
-        "safe-buffer": "^5.0.1"
-      }
-    },
     "jws": {
       "version": "3.2.2",
       "resolved": "https://registry.npmjs.org/jws/-/jws-3.2.2.tgz",
@@ -17245,15 +17105,6 @@
         "safe-buffer": "^5.0.1"
       }
     },
-    "keycloak-connect": {
-      "version": "21.1.1",
-      "resolved": "https://registry.npmjs.org/keycloak-connect/-/keycloak-connect-21.1.1.tgz",
-      "integrity": "sha512-FFLhsnXjo+OmzMJpFhHcTjLHLwT18aZi1hJj/TLwXjijyHUFDBdVyD+uF7Hspcs4A4s00xwteAqkQGMlFQa6Yw==",
-      "requires": {
-        "chromedriver": "latest",
-        "jwk-to-pem": "^2.0.0"
-      }
-    },
     "kleur": {
       "version": "3.0.3",
       "resolved": "https://registry.npmjs.org/kleur/-/kleur-3.0.3.tgz",
@@ -17570,16 +17421,6 @@
       "integrity": "sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==",
       "dev": true
     },
-    "minimalistic-assert": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz",
-      "integrity": "sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A=="
-    },
-    "minimalistic-crypto-utils": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz",
-      "integrity": "sha512-JIYlbt6g8i5jKfJ3xz7rF0LXmv2TkDxBLUkiBeZ7bAx4GnnNMr8xFpGnOxn6GhTEHx3SjRrZEoU+j04prX1ktg=="
-    },
     "minimatch": {
       "version": "3.1.2",
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
diff --git a/app/package.json b/app/package.json
index 7bbebb39d..7ed116882 100644
--- a/app/package.json
+++ b/app/package.json
@@ -68,9 +68,9 @@
     "form-data": "^4.0.0",
     "fs-extra": "^10.1.0",
     "handlebars": "^4.7.8",
+    "jose": "^5.2.2",
     "js-yaml": "^4.1.0",
     "jsonwebtoken": "^9.0.0",
-    "keycloak-connect": "^21.1.1",
     "knex": "^2.4.2",
     "lodash": "^4.17.21",
     "mime-types": "^2.1.35",
diff --git a/app/src/components/idpService.js b/app/src/components/idpService.js
new file mode 100644
index 000000000..a002869fa
--- /dev/null
+++ b/app/src/components/idpService.js
@@ -0,0 +1,169 @@
+const errorToProblem = require('./errorToProblem');
+const { IdentityProvider, User } = require('../forms/common/models');
+
+const SERVICE = 'IdpService';
+
+const IDP_KEY = 'identity_provider';
+const KC_ID_KEY = 'keycloakId';
+
+function stringToGUID(s) {
+  const regex = /^([0-f]{8})([0-f]{4})([0-f]{4})([0-f]{4})([0-f]{12})/;
+  const m = s.replace(/-+/g, '').match(regex);
+  return m ? `${m[1]}-${m[2]}-${m[3]}-${m[4]}-${m[5]}` : null;
+}
+
+function isEmpty(s) {
+  return s === null || (s && s.trim() === '');
+}
+
+function isNotEmpty(s) {
+  return !isEmpty(s);
+}
+
+class IdpService {
+  constructor() {
+    this.providers = null;
+    this.activeProviders = null;
+  }
+
+  // this should be called by the UX on load, so it should be initialized
+  async getIdentityProviders(active) {
+    if (!this.providers) {
+      this.providers = await IdentityProvider.query().modify('orderDefault');
+      this.activeProviders = this.providers.filter((x) => x.active);
+    }
+    return active ? this.activeProviders : this.providers;
+  }
+
+  async findByIdp(idp) {
+    const p = await this.getIdentityProviders(true);
+    return p.find((x) => x.idp === idp);
+  }
+
+  async findByCode(code) {
+    const p = await this.getIdentityProviders(true);
+    return p.find((x) => x.code === code);
+  }
+
+  // given a token, determine idp and transform
+  async parseToken(token) {
+    try {
+      let userInfo = {
+        idpUserId: undefined,
+        keycloakId: undefined,
+        username: 'public',
+        firstName: undefined,
+        lastName: undefined,
+        fullName: 'public',
+        email: undefined,
+        idp: 'public',
+        public: true,
+      };
+      if (token) {
+        // token needs `identity_provider` field
+        if (IDP_KEY in token) {
+          // can we find the idp?
+          const idp = await this.findByIdp(token[IDP_KEY]);
+          if (idp) {
+            // now do the mapping...
+            for (const key of Object.keys(userInfo)) {
+              const tokenKey = idp.tokenmap[key];
+              if (tokenKey) {
+                let tokenValue = token[tokenKey];
+                if (key === KC_ID_KEY) {
+                  tokenValue = stringToGUID(token[tokenKey]);
+                  if (!tokenValue) {
+                    throw new Error(`Value in token for '${tokenKey}' cannot be converted to GUID.`);
+                  }
+                }
+                userInfo[key] = tokenValue;
+              }
+            }
+            userInfo.public = false;
+          } else {
+            throw new Error(`Cannot find configuration for Identity Provider: '${token[IDP_KEY]}'.`);
+          }
+        } else {
+          throw new Error(`Token does not have an '${IDP_KEY}' value. Cannot parse token.`);
+        }
+      }
+      return userInfo;
+    } catch (e) {
+      errorToProblem(SERVICE, e);
+    }
+  }
+
+  async userSearch(params) {
+    // check the idpCode, set up User query accordingly.
+    if (params && params.idpCode) {
+      const idp = await this.findByCode(params.idpCode);
+      if (idp && idp.extra?.userSearch) {
+        // ok, this idp has specific requirements of user search...
+        const q = User.query();
+
+        // find all the different groupings for required.
+        //   0 : not required
+        //   1 : required
+        // > 1 : params are grouped by number, one of each group is required.
+
+        const requiredTypes = Array.from(new Set(idp.extra.userSearch.filters.map((x) => x.required)));
+        let valid = false;
+        for (const reqd of requiredTypes) {
+          const filters = idp.extra.userSearch.filters.filter((x) => x.required === reqd);
+          let groupValid = reqd === 1 ? true : false;
+          for (const f of filters) {
+            // add the filter to the query...
+            const filterName = f.name;
+            const paramName = f.param;
+            const value = params[paramName];
+            if ('exact' in f) {
+              const exact = f.exact;
+              q.modify(filterName, value, exact);
+            } else {
+              q.modify(filterName, value);
+            }
+
+            //
+            // ok, check for required...
+            //
+            if (reqd < 1) {
+              // if required < 1, do nothing, always valid
+              groupValid = true;
+            } else if (reqd === 1 && isEmpty(value)) {
+              // if required = 1, all filters in this group are required.
+              groupValid = false;
+            } else {
+              // only one of the filters in this group is required.
+              if (isNotEmpty(value)) {
+                groupValid = true;
+              }
+            }
+          }
+          valid = groupValid ? true : false;
+        }
+        // ok, if not valid then we want to throw an error
+        if (!valid) {
+          throw new Error(idp.extra.userSearch.detail);
+        }
+        // guess we are good, return the customized user search.
+        return q.modify('orderLastFirstAscending');
+      }
+    }
+
+    // ok, no error thown, no specific search requirements...
+    // so here is the default user search.
+    return User.query()
+      .modify('filterIdpUserId', params.idpUserId)
+      .modify('filterIdpCode', params.idpCode)
+      .modify('filterUsername', params.username, false)
+      .modify('filterFullName', params.fullName)
+      .modify('filterFirstName', params.firstName)
+      .modify('filterLastName', params.lastName)
+      .modify('filterEmail', params.email, false)
+      .modify('filterSearch', params.search)
+      .modify('orderLastFirstAscending');
+  }
+}
+
+let idpService = new IdpService();
+module.exports = idpService;
diff --git a/app/src/components/jwtService.js b/app/src/components/jwtService.js
new file mode 100644
index 000000000..53637c0af
--- /dev/null
+++ b/app/src/components/jwtService.js
@@ -0,0 +1,100 @@
+const jose = require('jose');
+const config = require('config');
+const errorToProblem = require('./errorToProblem');
+
+const SERVICE = 'JwtService';
+
+const jwksUri = config.get('server.keycloak.jwksUri');
+
+// Create a remote JWK set that fetches the JWK set from server with caching
+const JWKS = jose.createRemoteJWKSet(new URL(jwksUri));
+
+class JwtService {
+  constructor({ issuer, audience, maxTokenAge }) {
+    if (!issuer || !audience || !maxTokenAge) {
+      throw new Error('JwtService is not configured. Check configuration.');
+    }
+
+    this.audience = audience;
+    this.issuer = issuer;
+    this.maxTokenAge = maxTokenAge;
+  }
+
+  getBearerToken(req) {
+    if (req.headers && req.headers.authorization && req.headers.authorization.startsWith('Bearer ')) {
+      return req.headers.authorization.substring(7);
+    }
+    // do we want to throw errors?
+    return null;
+  }
+
+  async getTokenPayload(req) {
+    const bear = this.getBearerToken(req);
+    if (bear) {
+      return await this._verify(bear);
+    }
+    return null;
+  }
+
+  async _verify(token) {
+    // could throw JWTClaimValidationFailed
+    const { payload } = await jose.jwtVerify(token, JWKS, {
+      issuer: this.issuer,
+      audience: this.audience,
+      maxTokenAge: parseInt(this.maxTokenAge),
+    });
+    return payload;
+  }
+
+  async validateAccessToken(token) {
+    try {
+      await this._verify(token);
+      // these claims passed, just return true.
+      return true;
+    } catch (e) {
+      if (e instanceof jose.errors.JWTClaimValidationFailed) {
+        return false;
+      } else {
+        errorToProblem(SERVICE, e);
+      }
+    }
+  }
+
+  protect(spec) {
+    // actual middleware
+    return async (req, res, next) => {
+      let authorized = false;
+      try {
+        // get token, check if valid
+        const token = this.getBearerToken(req);
+        if (token) {
+          const payload = await this._verify(token);
+          if (spec) {
+            authorized = payload.client_roles?.includes(spec);
+          } else {
+            authorized = true;
+          }
+        }
+      } catch (error) {
+        authorized = false;
+      }
+      if (!authorized) {
+        res.status(403);
+        res.end('Access denied');
+      } else {
+        return next();
+      }
+    };
+  }
+}
+
+const audience = config.get('server.keycloak.audience');
+const issuer = config.get('server.keycloak.issuer');
+const maxTokenAge = config.get('server.keycloak.maxTokenAge');
+
+let jwtService = new JwtService({
+  issuer: issuer,
+  audience: audience,
+  maxTokenAge: maxTokenAge,
+});
+module.exports = jwtService;
diff --git a/app/src/components/keycloak.js b/app/src/components/keycloak.js
deleted file mode 100755
index 3781b3354..000000000
--- a/app/src/components/keycloak.js
+++ /dev/null
@@ -1,19 +0,0 @@
-const config = require('config');
-const Keycloak = require('keycloak-connect');
-
-module.exports = new Keycloak(
-  {},
-  {
-    bearerOnly: true,
-    'confidential-port': 0,
-    clientId: config.get('server.keycloak.clientId'),
-    'policy-enforcer': {},
-    realm: config.get('server.keycloak.realm'),
-    realmPublicKey: config.has('server.keycloak.publicKey') ? config.get('server.keycloak.publicKey') : undefined,
-    secret: config.get('server.keycloak.clientSecret'),
-    serverUrl: config.get('server.keycloak.serverUrl'),
-    'ssl-required': 'external',
-    'use-resource-role-mappings': true,
-    'verify-token-audience': false,
-  }
-);
diff --git a/app/src/db/migrations/20240119172630_identity_provider_permissions.js b/app/src/db/migrations/20240119172630_identity_provider_permissions.js
index f7aef6bd0..490379cee 100644
--- a/app/src/db/migrations/20240119172630_identity_provider_permissions.js
+++ b/app/src/db/migrations/20240119172630_identity_provider_permissions.js
@@ -12,6 +12,19 @@ const BCEID_EXTRAS = {
       message: 'trans.manageSubmissionUsers.exactBCEIDSearch',
     },
   },
+  userSearch: {
+    filters: [ 
+      { name: 'filterIdpUserId', param: 'idpUserId', required: 0 }, 
+      { name: 'filterIdpCode', param: 'idpCode', required: 0 }, 
+      { name: 'filterUsername', param: 'username', required: 2, exact: true }, 
+      { name: 'filterFullName', param: 'fullName', required: 0 }, 
+      { name: 'filterFirstName', param: 'firstName', required: 0 }, 
+      { name: 'filterLastName', param: 'lastName', required: 0 }, 
+      { name: 'filterEmail', param: 'email', required: 2, exact: true }, 
+      { name: 'filterSearch', param: 'search', required: 0 }, 
+    ],
+    detail: 'Could not retrieve BCeID users. Invalid options provided.'
+  }
 };
 
 exports.up = function (knex) {
@@ -30,6 +43,9 @@ exports.up = function (knex) {
         table
           .specificType('roles', 'text ARRAY')
           .comment('Map Form role codes to the idp');
+        table
+          .jsonb('tokenmap')
+          .comment('Map of token fields to CHEFs user fields');
         table
           .jsonb('extra')
           .comment(
@@ -70,6 +86,16 @@ exports.up = function (knex) {
               Roles.SUBMISSION_REVIEWER,
               Roles.FORM_SUBMITTER,
             ],
+            tokenmap: {
+              idpUserId: 'idir_user_guid',
+              keycloakId: 'idir_user_guid',
+              username: 'idir_username',
+              firstName: 'given_name',
+              lastName: 'family_name',
+              fullName: 'name',
+              email: 'email',
+              idp: 'identity_provider',
+            },
             extra: {},
           })
       )
@@ -77,6 +103,7 @@ exports.up = function (knex) {
         knex('identity_provider')
           .where({ code: 'bceid-business' })
           .update({
+            idp: 'bceidbusiness',
             login: true,
             permissions: [
               APP_PERMISSIONS.VIEWS_FORM_EXPORT,
@@ -91,6 +118,16 @@ exports.up = function (knex) {
               Roles.SUBMISSION_REVIEWER,
               Roles.FORM_SUBMITTER,
             ],
+            tokenmap: {
+              idpUserId: 'bceid_user_guid',
+              keycloakId: 'bceid_user_guid',
+              username: 'bceid_username',
+              firstName: null,
+              lastName: null,
+              fullName: 'name',
+              email: 'email',
+              idp: 'identity_provider',
+            },
             extra: BCEID_EXTRAS,
           })
       )
@@ -98,9 +135,20 @@ exports.up = function (knex) {
         knex('identity_provider')
           .where({ code: 'bceid-basic' })
           .update({
+            idp: 'bceidbasic',
             login: true,
             permissions: [APP_PERMISSIONS.VIEWS_USER_SUBMISSIONS],
             roles: [Roles.FORM_SUBMITTER],
+            tokenmap: {
+              idpUserId: 'bceid_user_guid',
+              keycloakId: 'bceid_user_guid',
+              username: 'bceid_username',
+              firstName: null,
+              lastName: null,
+              fullName: 'name',
+              email: 'email',
+              idp: 'identity_provider',
+            },
             extra: BCEID_EXTRAS,
           })
       )
diff --git a/app/src/forms/admin/routes.js b/app/src/forms/admin/routes.js
index 735a7f5b8..47766a7e8 100644
--- a/app/src/forms/admin/routes.js
+++ b/app/src/forms/admin/routes.js
@@ -1,14 +1,13 @@
-const config = require('config');
 const routes = require('express').Router();
 
 const currentUser = require('../auth/middleware/userAccess').currentUser;
 
 const controller = require('./controller');
 const userController = require('../user/controller');
-const keycloak = require('../../components/keycloak');
+const jwtService = require('../../components/jwtService');
 
 // Always have this applied to all routes here
-routes.use(keycloak.protect(`${config.get('server.keycloak.clientId')}:admin`));
+routes.use(jwtService.protect('admin'));
 routes.use(currentUser);
 
 // Routes under the /admin pathing will fetch data without doing Form permission checks in the database
diff --git a/app/src/forms/auth/middleware/userAccess.js b/app/src/forms/auth/middleware/userAccess.js
index 1f622cdbb..26b7b5f8e 100644
--- a/app/src/forms/auth/middleware/userAccess.js
+++ b/app/src/forms/auth/middleware/userAccess.js
@@ -1,23 +1,15 @@
 const Problem = require('api-problem');
 const { validate } = require('uuid');
 
-const keycloak = require('../../../components/keycloak');
+const jwtService = require('../../../components/jwtService');
 const Permissions = require('../../common/constants').Permissions;
 const Roles = require('../../common/constants').Roles;
 const service = require('../service');
 const rbacService = require('../../rbac/service');
 
-const getToken = (req) => {
-  try {
-    return req.kauth.grant.access_token;
-  } catch (err) {
-    return null;
-  }
-};
-
 const setUser = async (req, _res, next) => {
   try {
-    const token = getToken(req);
+    const token = await jwtService.getTokenPayload(req);
     req.currentUser = await service.login(token);
     next();
   } catch (error) {
@@ -27,12 +19,13 @@ const setUser = async (req, _res, next) => {
 
 const currentUser = async (req, res, next) => {
   // Check if authorization header is a bearer token
-  if (req.headers && req.headers.authorization && req.headers.authorization.startsWith('Bearer ')) {
-    // need to check keycloak, ensure the bearer token is valid
-    const token = req.headers.authorization.substring(7);
-    const ok = await keycloak.grantManager.validateAccessToken(token);
+  const token = jwtService.getBearerToken(req);
+  if (token) {
+    const ok = await jwtService.validateAccessToken(token);
     if (!ok) {
-      return new Problem(403, { detail: 'Authorization token is invalid.' }).send(res);
+      return new Problem(403, {
+        detail: 'Authorization token is invalid.',
+      }).send(res);
     }
   }
 
@@ -40,11 +33,17 @@ const currentUser = async (req, res, next) => {
 };
 
 const _getForm = async (currentUser, formId) => {
-  const forms = await service.getUserForms(currentUser, { active: true, formId: formId });
+  const forms = await service.getUserForms(currentUser, {
+    active: true,
+    formId: formId,
+  });
   let form = forms.find((f) => f.formId === formId);
 
   if (!form) {
-    const deletedForms = await service.getUserForms(currentUser, { active: false, formId: formId });
+    const deletedForms = await service.getUserForms(currentUser, {
+      active: false,
+      formId: formId,
+    });
     form = deletedForms.find((f) => f.formId === formId);
   }
 
@@ -60,7 +59,9 @@ const hasFormPermissions = (permissions) => {
 
     if (!req.currentUser) {
       // cannot find the currentUser... guess we don't have access... FAIL!
-      return new Problem(401, { detail: 'Current user not found on request.' }).send(res);
+      return new Problem(401, {
+        detail: 'Current user not found on request.',
+      }).send(res);
     }
     // If we invoke this middleware and the caller is acting on a specific formId, whether in a param or query (precedence to param)
     const formId = req.params.formId || req.query.formId;
@@ -71,7 +72,9 @@ const hasFormPermissions = (permissions) => {
     let form = await _getForm(req.currentUser, formId);
     if (!form) {
       // cannot find the form... guess we don't have access... FAIL!
-      return new Problem(401, { detail: 'Current user has no access to form.' }).send(res);
+      return new Problem(401, {
+        detail: 'Current user has no access to form.',
+      }).send(res);
     }
 
     if (!Array.isArray(permissions)) {
@@ -83,7 +86,9 @@ const hasFormPermissions = (permissions) => {
     });
 
     if (intersection.length !== permissions.length) {
-      return new Problem(401, { detail: 'Current user does not have required permission(s) on form' }).send(res);
+      return new Problem(401, {
+        detail: 'Current user does not have required permission(s) on form',
+      }).send(res);
     } else {
       return next();
     }
@@ -114,7 +119,10 @@ const hasSubmissionPermissions = (permissions) => {
 
       // Does the user have permissions for this submission due to their FORM permissions
       if (req.currentUser) {
-        const forms = await service.getUserForms(req.currentUser, { active: true, formId: submissionForm.form.id });
+        const forms = await service.getUserForms(req.currentUser, {
+          active: true,
+          formId: submissionForm.form.id,
+        });
         let formFromCurrentUser = forms.find((f) => f.formId === submissionForm.form.id);
         if (formFromCurrentUser) {
           // Do they have the submission permissions being requested on this FORM
@@ -130,7 +138,11 @@ const hasSubmissionPermissions = (permissions) => {
 
       // Deleted submissions are inaccessible
       if (submissionForm.submission.deleted) {
-        return next(new Problem(401, { detail: 'You do not have access to this submission.' }));
+        return next(
+          new Problem(401, {
+            detail: 'You do not have access to this submission.',
+          })
+        );
       }
 
       // TODO: consider whether DRAFT submissions are restricted as deleted above
@@ -146,7 +158,11 @@ const hasSubmissionPermissions = (permissions) => {
       if (submissionPermission) return next();
 
       // no access to this submission...
-      return next(new Problem(401, { detail: 'You do not have access to this submission.' }));
+      return next(
+        new Problem(401, {
+          detail: 'You do not have access to this submission.',
+        })
+      );
     } catch (error) {
       next(error);
     }
@@ -180,7 +196,11 @@ const filterMultipleSubmissions = () => {
       //validate all submission ids
       const isValidSubmissionId = submissionIds.every((submissionId) => validate(submissionId));
       if (!isValidSubmissionId) {
-        return next(new Problem(401, { detail: 'Invalid submissionId(s) in the submissionIds list.' }));
+        return next(
+          new Problem(401, {
+            detail: 'Invalid submissionId(s) in the submissionIds list.',
+          })
+        );
       }
 
       if (formIdWithDeletePermission === formId) {
@@ -189,11 +209,19 @@ const filterMultipleSubmissions = () => {
 
         const isForeignSubmissionId = metaData.every((SubmissionMetadata) => SubmissionMetadata.formId === formId);
         if (!isForeignSubmissionId || metaData.length !== submissionIds.length) {
-          return next(new Problem(401, { detail: 'Current user does not have required permission(s) for some submissions in the submissionIds list.' }));
+          return next(
+            new Problem(401, {
+              detail: 'Current user does not have required permission(s) for some submissions in the submissionIds list.',
+            })
+          );
         }
         return next();
       }
-      return next(new Problem(401, { detail: 'Current user does not have required permission(s) for to delete submissions' }));
+      return next(
+        new Problem(401, {
+          detail: 'Current user does not have required permission(s) for to delete submissions',
+        })
+      );
     } catch (error) {
       next(error);
     }
@@ -203,7 +231,10 @@ const filterMultipleSubmissions = () => {
 const hasFormRole = async (formId, user, role) => {
   let hasRole = false;
 
-  const forms = await service.getUserForms(user, { active: true, formId: formId });
+  const forms = await service.getUserForms(user, {
+    active: true,
+    formId: formId,
+  });
   const form = forms.find((f) => f.formId === formId);
 
   if (form) {
@@ -227,7 +258,10 @@ const hasFormRoles = (formRoles, hasAll = false) => {
       return new Problem(401, { detail: 'Form Id not found on request.' }).send(res);
     }
 
-    const forms = await service.getUserForms(req.currentUser, { active: true, formId: formId });
+    const forms = await service.getUserForms(req.currentUser, {
+      active: true,
+      formId: formId,
+    });
     const form = forms.find((f) => f.formId === formId);
     if (form) {
       for (let roleIndex = 0; roleIndex < form.roles.length; roleIndex++) {
@@ -247,10 +281,19 @@ const hasFormRoles = (formRoles, hasAll = false) => {
     }
 
     if (hasAll) {
-      if (formRoles.length > 0) return next(new Problem(401, { detail: 'You do not have permission to update this role.' }));
+      if (formRoles.length > 0)
+        return next(
+          new Problem(401, {
+            detail: 'You do not have permission to update this role.',
+          })
+        );
       else return next();
     }
-    return next(new Problem(401, { detail: 'You do not have permission to update this role.' }));
+    return next(
+      new Problem(401, {
+        detail: 'You do not have permission to update this role.',
+      })
+    );
   };
 };
 
@@ -261,7 +304,9 @@ const hasRolePermissions = (removingUsers = false) => {
       const formId = req.params.formId || req.query.formId;
       if (!formId) {
         // No form provided to this route that secures based on form... that's a problem!
-        return new Problem(401, { detail: 'Form Id not found on request.' }).send(res);
+        return new Problem(401, {
+          detail: 'Form Id not found on request.',
+        }).send(res);
       }
 
       const currentUser = req.currentUser;
@@ -270,7 +315,12 @@ const hasRolePermissions = (removingUsers = false) => {
       const isOwner = await hasFormRole(formId, currentUser, Roles.OWNER);
 
       if (removingUsers) {
-        if (data.includes(currentUser.id)) return next(new Problem(401, { detail: "You can't remove yourself from this form." }));
+        if (data.includes(currentUser.id))
+          return next(
+            new Problem(401, {
+              detail: "You can't remove yourself from this form.",
+            })
+          );
 
         if (!isOwner) {
           for (let i = 0; i < data.length; i++) {
@@ -280,12 +330,20 @@ const hasRolePermissions = (removingUsers = false) => {
 
             // Can't update another user's roles if they are an owner
             if (userRoles.some((fru) => fru.role === Roles.OWNER) && userId !== currentUser.id) {
-              return next(new Problem(401, { detail: "You can not update an owner's roles." }));
+              return next(
+                new Problem(401, {
+                  detail: "You can not update an owner's roles.",
+                })
+              );
             }
 
             // If the user is trying to remove the designer role
             if (userRoles.some((fru) => fru.role === Roles.FORM_DESIGNER)) {
-              return next(new Problem(401, { detail: "You can't remove a form designer role." }));
+              return next(
+                new Problem(401, {
+                  detail: "You can't remove a form designer role.",
+                })
+              );
             }
           }
         }
@@ -300,7 +358,11 @@ const hasRolePermissions = (removingUsers = false) => {
 
           // If the user is trying to remove the team manager role for their own userid
           if (userRoles.some((fru) => fru.role === Roles.TEAM_MANAGER) && !data.some((role) => role.role === Roles.TEAM_MANAGER) && userId == currentUser.id) {
-            return next(new Problem(401, { detail: "You can't remove your own team manager role." }));
+            return next(
+              new Problem(401, {
+                detail: "You can't remove your own team manager role.",
+              })
+            );
           }
 
           // Can't update another user's roles if they are an owner
@@ -313,10 +375,18 @@ const hasRolePermissions = (removingUsers = false) => {
 
           // If the user is trying to remove the designer role for another userid
           if (userRoles.some((fru) => fru.role === Roles.FORM_DESIGNER) && !data.some((role) => role.role === Roles.FORM_DESIGNER)) {
-            return next(new Problem(401, { detail: "You can't remove a form designer role." }));
+            return next(
+              new Problem(401, {
+                detail: "You can't remove a form designer role.",
+              })
+            );
           }
           if (!userRoles.some((fru) => fru.role === Roles.FORM_DESIGNER) && data.some((role) => role.role === Roles.FORM_DESIGNER)) {
-            return next(new Problem(401, { detail: "You can't add a form designer role." }));
+            return next(
+              new Problem(401, {
+                detail: "You can't add a form designer role.",
+              })
+            );
           }
         }
       }
diff --git a/app/src/forms/auth/service.js b/app/src/forms/auth/service.js
index df212e6fe..e7c98ddb4 100644
--- a/app/src/forms/auth/service.js
+++ b/app/src/forms/auth/service.js
@@ -3,6 +3,8 @@ const { v4: uuidv4 } = require('uuid');
 const { Form, FormSubmissionUserPermissions, PublicFormAccess, SubmissionMetadata, User, UserFormAccess } = require('../common/models');
 const { queryUtils } = require('../common/utils');
 
+const idpService = require('../../components/idpService');
+
 const FORM_SUBMITTER = require('../common/constants').Permissions.FORM_SUBMITTER;
 
 const service = {
@@ -63,48 +65,6 @@ const service = {
     }
   },
 
-  parseToken: (token) => {
-    try {
-      // identity_provider_* will be undefined if user login is to local keycloak (userid/password)
-      const {
-        idp_userid: idpUserId,
-        idp_username: identity,
-        identity_provider: idp,
-        preferred_username: username,
-        given_name: firstName,
-        family_name: lastName,
-        sub: keycloakId,
-        name: fullName,
-        email,
-      } = token.content;
-
-      return {
-        idpUserId: idpUserId,
-        keycloakId: keycloakId,
-        username: identity ? identity : username,
-        firstName: firstName,
-        lastName: lastName,
-        fullName: fullName,
-        email: email,
-        idp: idp ? idp : '',
-        public: false,
-      };
-    } catch (e) {
-      // any issues parsing the token, or if token doesn't exist, return a default "public" user
-      return {
-        idpUserId: undefined,
-        keycloakId: undefined,
-        username: 'public',
-        firstName: undefined,
-        lastName: undefined,
-        fullName: 'public',
-        email: undefined,
-        idp: 'public',
-        public: true,
-      };
-    }
-  },
-
   getUserId: async (userInfo) => {
     if (userInfo.public) {
       return { id: 'public', ...userInfo };
@@ -124,7 +84,11 @@ const service = {
     }
 
     // return with the db id...
-    return { id: user.id, usernameIdp: user.idpCode ? `${user.username}@${user.idpCode}` : user.username, ...userInfo };
+    return {
+      id: user.id,
+      usernameIdp: user.idpCode ? `${user.username}@${user.idpCode}` : user.username,
+      ...userInfo,
+    };
   },
 
   getUserForms: async (userInfo, params = {}) => {
@@ -147,7 +111,6 @@ const service = {
     // we need to filter out the true access level here.
     // so we need a role, or a valid idp from login, or form needs to be public.
     let forms = [];
-
     let filtered = items.filter((x) => {
       // include if user has idp, or form is public, or user has an explicit role.
       if (x.idps.includes(userInfo.idp) || x.idps.includes('public')) {
@@ -202,10 +165,12 @@ const service = {
   },
 
   login: async (token) => {
-    const userInfo = service.parseToken(token);
+    const userInfo = await idpService.parseToken(token);
+    const idp = await idpService.findByIdp(userInfo.idp);
+    userInfo.idp = idp.code;
     const user = await service.getUserId(userInfo);
 
-    return { ...user };
+    return { ...user, idpHint: idp.idp };
   },
 
   // -------------------------------------------------------------------------------------------------------------
diff --git a/app/src/forms/common/constants.js b/app/src/forms/common/constants.js
index 672fc5b44..2535334bd 100644
--- a/app/src/forms/common/constants.js
+++ b/app/src/forms/common/constants.js
@@ -68,22 +68,11 @@ module.exports = Object.freeze({
     OBJECT_STORAGE: 'objectStorage',
     LOCAL_STORES: ['uploads', 'localStorage', 'exports'],
   },
-  Restricted: {
-    IDP: {
-      BCEID_BASIC: 'bceid-basic',
-      BCEID_BUSINESS: 'bceid-business',
-    },
-  },
   ScheduleType: {
     MANUAL: 'manual',
     CLOSINGDATE: 'closingDate',
     PERIOD: 'period',
   },
-  IdentityProviders: {
-    BCEIDBASIC: 'bceid-basic', // Basic BCeID
-    BCEIDBUSINESS: 'bceid-business', // Business BCeID
-    IDIR: 'idir', // IDIR
-  },
   EXPORT_TYPES: {
     submissions: 'submissions',
     default: 'submissions',
diff --git a/app/src/forms/common/models/tables/identityProvider.js b/app/src/forms/common/models/tables/identityProvider.js
index d340e4c3c..b41870185 100644
--- a/app/src/forms/common/models/tables/identityProvider.js
+++ b/app/src/forms/common/models/tables/identityProvider.js
@@ -18,6 +18,11 @@ class IdentityProvider extends Timestamps(Model) {
           query.where('active', value);
         }
       },
+      filterIdp(query, value) {
+        if (value !== undefined) {
+          query.where('idp', value);
+        }
+      },
       orderDefault(builder) {
         builder.orderByRaw('"identity_provider"."primary" DESC NULLS LAST, lower("identity_provider"."code")');
       },
@@ -37,6 +42,7 @@ class IdentityProvider extends Timestamps(Model) {
         login: { type: 'boolean' },
         permissions: { type: ['array', 'null'], items: { type: 'string' } },
         roles: { type: ['array', 'null'], items: { type: 'string' } },
+        tokenmap: { type: 'object' },
         extra: { type: 'object' },
         ...stamps,
       },
diff --git a/app/src/forms/common/models/tables/user.js b/app/src/forms/common/models/tables/user.js
index 6124e4f41..c609f08e3 100644
--- a/app/src/forms/common/models/tables/user.js
+++ b/app/src/forms/common/models/tables/user.js
@@ -1,6 +1,6 @@
 const { Model } = require('objection');
 const { Timestamps } = require('../mixins');
-const { Regex, Restricted } = require('../../constants');
+const { Regex } = require('../../constants');
 const stamps = require('../jsonSchema').stamps;
 
 class User extends Timestamps(Model) {
@@ -40,9 +40,6 @@ class User extends Timestamps(Model) {
           query.where('idpCode', value);
         }
       },
-      filterRestricted(query) {
-        query.whereNotIn('idpCode', Object.values(Restricted.IDP));
-      },
       filterUsername(query, value, exact = false) {
         if (value) {
           if (exact) query.where('username', value);
diff --git a/app/src/forms/form/routes.js b/app/src/forms/form/routes.js
index cddf0c9e3..5cda8814c 100644
--- a/app/src/forms/form/routes.js
+++ b/app/src/forms/form/routes.js
@@ -1,4 +1,3 @@
-const config = require('config');
 const routes = require('express').Router();
 const apiAccess = require('../auth/middleware/apiAccess');
 const { currentUser, hasFormPermissions } = require('../auth/middleware/userAccess');
@@ -6,7 +5,7 @@ const params = require('../auth/middleware/params');
 const P = require('../common/constants').Permissions;
 const rateLimiter = require('../common/middleware').apiKeyRateLimiter;
 
-const keycloak = require('../../components/keycloak');
+const jwtService = require('../../components/jwtService');
 const controller = require('./controller');
 
 routes.use(currentUser);
@@ -15,7 +14,7 @@ routes.param('formId', params.validateFormId);
 routes.param('formVersionDraftId', params.validateFormVersionDraftId);
 routes.param('formVersionId', params.validateFormVersionId);
 
-routes.get('/', keycloak.protect(`${config.get('server.keycloak.clientId')}:admin`), async (req, res, next) => {
+routes.get('/', jwtService.protect('admin'), async (req, res, next) => {
   await controller.listForms(req, res, next);
 });
 
diff --git a/app/src/forms/permission/routes.js b/app/src/forms/permission/routes.js
index bd9ad9b13..83627e4ff 100644
--- a/app/src/forms/permission/routes.js
+++ b/app/src/forms/permission/routes.js
@@ -1,12 +1,11 @@
-const config = require('config');
 const routes = require('express').Router();
 
 const currentUser = require('../auth/middleware/userAccess').currentUser;
 
 const controller = require('./controller');
-const keycloak = require('../../components/keycloak');
+const jwtService = require('../../components/jwtService');
 
-routes.use(keycloak.protect(`${config.get('server.keycloak.clientId')}:admin`));
+routes.use(jwtService.protect('admin'));
 routes.use(currentUser);
 
 routes.get('/', async (req, res, next) => {
diff --git a/app/src/forms/rbac/routes.js b/app/src/forms/rbac/routes.js
index 35c463f3b..70002e0b4 100644
--- a/app/src/forms/rbac/routes.js
+++ b/app/src/forms/rbac/routes.js
@@ -1,19 +1,18 @@
-const config = require('config');
 const routes = require('express').Router();
 
 const controller = require('./controller');
-const keycloak = require('../../components/keycloak');
+const jwtService = require('../../components/jwtService');
 const P = require('../common/constants').Permissions;
 const R = require('../common/constants').Roles;
 const { currentUser, hasFormPermissions, hasSubmissionPermissions, hasFormRoles, hasRolePermissions } = require('../auth/middleware/userAccess');
 
 routes.use(currentUser);
 
-routes.get('/current', keycloak.protect(), async (req, res, next) => {
+routes.get('/current', jwtService.protect(), async (req, res, next) => {
   await controller.getCurrentUser(req, res, next);
 });
 
-routes.get('/current/submissions', keycloak.protect(), async (req, res, next) => {
+routes.get('/current/submissions', jwtService.protect(), async (req, res, next) => {
   await controller.getCurrentUserSubmissions(req, res, next);
 });
 
@@ -37,7 +36,7 @@ routes.put('/submissions', hasSubmissionPermissions(P.SUBMISSION_UPDATE), async
   await controller.setSubmissionUserPermissions(req, res, next);
 });
 
-routes.get('/users', keycloak.protect(`${config.get('server.keycloak.clientId')}:admin`), async (req, res, next) => {
+routes.get('/users', jwtService.protect('admin'), async (req, res, next) => {
   await controller.getUserForms(req, res, next);
 });
 
diff --git a/app/src/forms/rbac/service.js b/app/src/forms/rbac/service.js
index 838feb9c8..cbee7e3b5 100644
--- a/app/src/forms/rbac/service.js
+++ b/app/src/forms/rbac/service.js
@@ -1,9 +1,11 @@
 const Problem = require('api-problem');
 const { v4: uuidv4 } = require('uuid');
-const { FormRoleUser, FormSubmissionUser, IdentityProvider, User, UserFormAccess, UserSubmissions } = require('../common/models');
+const { FormRoleUser, FormSubmissionUser, User, UserFormAccess, UserSubmissions } = require('../common/models');
 const { Roles } = require('../common/constants');
 const { queryUtils } = require('../common/utils');
 const authService = require('../auth/service');
+const idpService = require('../../components/idpService');
+
 const service = {
   list: async () => {
     return FormRoleUser.query().allowGraph('[form, userRole, user]').withGraphFetched('[form, userRole, user]').modify('orderCreatedAtDescending');
@@ -75,7 +77,10 @@ const service = {
       if (params.team) accessLevels.push('team');
     }
 
-    const forms = await authService.getUserForms(user, { ...params, active: true });
+    const forms = await authService.getUserForms(user, {
+      ...params,
+      active: true,
+    });
     const filteredForms = authService.filterForms(user, forms, accessLevels);
     user.forms = filteredForms;
 
@@ -271,7 +276,10 @@ const service = {
       if (items && items.length) await FormRoleUser.query(trx).insert(items);
       await trx.commit();
       // return the new mappings
-      const result = await service.getUserForms({ userId: userId, formId: formId });
+      const result = await service.getUserForms({
+        userId: userId,
+        formId: formId,
+      });
       return result;
     } catch (err) {
       if (trx) await trx.rollback();
@@ -280,7 +288,7 @@ const service = {
   },
 
   getIdentityProviders: (params) => {
-    return IdentityProvider.query().modify('filterActive', params.active).modify('orderDefault');
+    return idpService.getIdentityProviders(params.active);
   },
 };
 
diff --git a/app/src/forms/role/routes.js b/app/src/forms/role/routes.js
index 4042f8943..4bb8c83cd 100644
--- a/app/src/forms/role/routes.js
+++ b/app/src/forms/role/routes.js
@@ -1,26 +1,25 @@
-const config = require('config');
 const routes = require('express').Router();
 
 const currentUser = require('../auth/middleware/userAccess').currentUser;
 
 const controller = require('./controller');
-const keycloak = require('../../components/keycloak');
+const jwtService = require('../../components/jwtService');
 
 routes.use(currentUser);
 
-routes.get('/', keycloak.protect(), async (req, res, next) => {
+routes.get('/', jwtService.protect(), async (req, res, next) => {
   await controller.list(req, res, next);
 });
 
-routes.post('/', keycloak.protect(`${config.get('server.keycloak.clientId')}:admin`), async (req, res, next) => {
+routes.post('/', jwtService.protect('admin'), async (req, res, next) => {
   await controller.create(req, res, next);
 });
 
-routes.get('/:code', keycloak.protect(), async (req, res, next) => {
+routes.get('/:code', jwtService.protect(), async (req, res, next) => {
   await controller.read(req, res, next);
 });
 
-routes.put('/:code', keycloak.protect(`${config.get('server.keycloak.clientId')}:admin`), async (req, res, next) => {
+routes.put('/:code', jwtService.protect('admin'), async (req, res, next) => {
   await controller.update(req, res, next);
 });
 
diff --git a/app/src/forms/user/routes.js b/app/src/forms/user/routes.js
index 2dd90ca4a..032cd6513 100644
--- a/app/src/forms/user/routes.js
+++ b/app/src/forms/user/routes.js
@@ -2,9 +2,9 @@ const routes = require('express').Router();
 const controller = require('./controller');
 
 const currentUser = require('../auth/middleware/userAccess').currentUser;
-const keycloak = require('../../components/keycloak');
+const jwtService = require('../../components/jwtService');
 
-routes.use(keycloak.protect());
+routes.use(jwtService.protect());
 routes.use(currentUser);
 
 //
diff --git a/app/src/forms/user/service.js b/app/src/forms/user/service.js
index 31449c45f..1a00c27b3 100644
--- a/app/src/forms/user/service.js
+++ b/app/src/forms/user/service.js
@@ -1,33 +1,21 @@
 const Problem = require('api-problem');
 const { v4: uuidv4 } = require('uuid');
 const { User, UserFormPreferences, Label } = require('../common/models');
-const { IdentityProviders } = require('../common/constants');
+const idpService = require('../../components/idpService');
 
 const service = {
   //
   // User
   //
   list: (params) => {
-    let exact = false;
-    if (params.idpCode && (params.idpCode === IdentityProviders.BCEIDBASIC || params.idpCode === IdentityProviders.BCEIDBUSINESS)) {
-      if (!params.email && !params.username) {
-        throw new Problem(422, {
-          detail: 'Could not retrieve BCeID users. Invalid options provided.',
-        });
-      }
-      exact = true;
+    try {
+      // returns a promise, so caller needs to await.
+      return idpService.userSearch(params);
+    } catch (e) {
+      throw new Problem(422, {
+        detail: e.message,
+      });
     }
-
-    return User.query()
-      .modify('filterIdpUserId', params.idpUserId)
-      .modify('filterIdpCode', params.idpCode)
-      .modify('filterUsername', params.username, exact)
-      .modify('filterFullName', params.fullName)
-      .modify('filterFirstName', params.firstName)
-      .modify('filterLastName', params.lastName)
-      .modify('filterEmail', params.email, exact)
-      .modify('filterSearch', params.search)
-      .modify('orderLastFirstAscending');
   },
 
   read: (userId) => {
diff --git a/app/tests/unit/forms/auth/authService.spec.js b/app/tests/unit/forms/auth/authService.spec.js
index ba5df636c..e9d297f79 100644
--- a/app/tests/unit/forms/auth/authService.spec.js
+++ b/app/tests/unit/forms/auth/authService.spec.js
@@ -1,12 +1,13 @@
 const service = require('../../../../src/forms/auth/service');
+const idpService = require('../../../../src/components/idpService');
 
 afterEach(() => {
   jest.clearAllMocks();
 });
 
 describe('parseToken', () => {
-  it('returns a default object when an exception happens', () => {
-    const result = service.parseToken(undefined);
+  it('returns a default object when an exception happens', async () => {
+    const result = await idpService.parseToken(undefined);
     expect(result).toEqual({
       idpUserId: undefined,
       username: 'public',
@@ -44,17 +45,19 @@ describe('formAccessToForm', () => {
 describe('login', () => {
   const resultSample = {
     user: 'me',
+    idpHint: 'fake',
   };
 
   it('returns a currentUser object', async () => {
-    service.parseToken = jest.fn().mockReturnValue('userInf');
+    idpService.parseToken = jest.fn().mockReturnValue({ idp: 'fake' });
+    idpService.findByIdp = jest.fn().mockReturnValue({ idp: 'fake', code: 'fake' });
     service.getUserId = jest.fn().mockReturnValue({ user: 'me' });
     const token = 'token';
     const result = await service.login(token);
-    expect(service.parseToken).toHaveBeenCalledTimes(1);
-    expect(service.parseToken).toHaveBeenCalledWith(token);
+    expect(idpService.parseToken).toHaveBeenCalledTimes(1);
+    expect(idpService.parseToken).toHaveBeenCalledWith(token);
     expect(service.getUserId).toHaveBeenCalledTimes(1);
-    expect(service.getUserId).toHaveBeenCalledWith('userInf');
+    expect(service.getUserId).toHaveBeenCalledWith({ idp: 'fake' });
     expect(result).toBeTruthy();
     expect(result).toEqual(resultSample);
   });
diff --git a/app/tests/unit/forms/auth/middleware/userAccess.spec.js b/app/tests/unit/forms/auth/middleware/userAccess.spec.js
index a3bbd5f75..fd81ccc93 100644
--- a/app/tests/unit/forms/auth/middleware/userAccess.spec.js
+++ b/app/tests/unit/forms/auth/middleware/userAccess.spec.js
@@ -3,16 +3,10 @@ const Problem = require('api-problem');
 
 const { currentUser, hasFormPermissions, hasSubmissionPermissions, hasFormRoles, hasRolePermissions } = require('../../../../../src/forms/auth/middleware/userAccess');
 
-const keycloak = require('../../../../../src/components/keycloak');
+const jwtService = require('../../../../../src/components/jwtService');
 const service = require('../../../../../src/forms/auth/service');
 const rbacService = require('../../../../../src/forms/rbac/service');
 
-const kauth = {
-  grant: {
-    access_token: 'fsdfhsd08f0283hr',
-  },
-};
-
 const userId = 'c6455376-382c-439d-a811-0381a012d695';
 const userId2 = 'c6455376-382c-439d-a811-0381a012d696';
 const formId = 'c6455376-382c-439d-a811-0381a012d697';
@@ -26,7 +20,9 @@ const Roles = {
 };
 
 // Mock the token validation in the KC lib
-keycloak.grantManager.validateAccessToken = jest.fn().mockReturnValue('yeah ok');
+jwtService.validateAccessToken = jest.fn().mockReturnValue(true);
+jwtService.getBearerToken = jest.fn().mockReturnValue('bearer-token-value');
+jwtService.getTokenPayload = jest.fn().mockReturnValue({ token: 'payload' });
 
 // Mock the service login
 const mockUser = { user: 'me' };
@@ -50,16 +46,16 @@ describe('currentUser', () => {
       headers: {
         authorization: 'Bearer hjvds0uds',
       },
-      kauth: kauth,
     };
 
     const nxt = jest.fn();
 
     await currentUser(testReq, testRes, nxt);
-    expect(keycloak.grantManager.validateAccessToken).toHaveBeenCalledTimes(1);
-    expect(keycloak.grantManager.validateAccessToken).toHaveBeenCalledWith('hjvds0uds');
+    expect(jwtService.validateAccessToken).toHaveBeenCalledTimes(1);
+    expect(jwtService.getBearerToken).toHaveBeenCalledTimes(1);
+    expect(jwtService.validateAccessToken).toHaveBeenCalledWith('bearer-token-value');
     expect(service.login).toHaveBeenCalledTimes(1);
-    expect(service.login).toHaveBeenCalledWith(kauth.grant.access_token);
+    expect(service.login).toHaveBeenCalledWith({ token: 'payload' });
     expect(testReq.currentUser).toEqual(mockUser);
     expect(nxt).toHaveBeenCalledTimes(1);
     expect(nxt).toHaveBeenCalledWith();
@@ -76,11 +72,12 @@ describe('currentUser', () => {
       headers: {
         authorization: 'Bearer hjvds0uds',
       },
-      kauth: kauth,
     };
 
     await currentUser(testReq, testRes, jest.fn());
-    expect(service.login).toHaveBeenCalledWith(kauth.grant.access_token);
+    expect(jwtService.getBearerToken).toHaveBeenCalledTimes(1);
+    expect(jwtService.getTokenPayload).toHaveBeenCalledTimes(1);
+    expect(service.login).toHaveBeenCalledWith({ token: 'payload' });
   });
 
   it('uses the query param if both if that is whats provided', async () => {
@@ -91,11 +88,12 @@ describe('currentUser', () => {
       headers: {
         authorization: 'Bearer hjvds0uds',
       },
-      kauth: kauth,
     };
 
     await currentUser(testReq, testRes, jest.fn());
-    expect(service.login).toHaveBeenCalledWith(kauth.grant.access_token);
+    expect(jwtService.getBearerToken).toHaveBeenCalledTimes(1);
+    expect(jwtService.getTokenPayload).toHaveBeenCalledTimes(1);
+    expect(service.login).toHaveBeenCalledWith({ token: 'payload' });
   });
 
   it('403s if the token is invalid', async () => {
@@ -106,27 +104,33 @@ describe('currentUser', () => {
     };
 
     const nxt = jest.fn();
-    keycloak.grantManager.validateAccessToken = jest.fn().mockReturnValue(undefined);
+    jwtService.validateAccessToken = jest.fn().mockReturnValue(false);
 
     await currentUser(testReq, testRes, nxt);
-    expect(keycloak.grantManager.validateAccessToken).toHaveBeenCalledTimes(1);
-    expect(keycloak.grantManager.validateAccessToken).toHaveBeenCalledWith('hjvds0uds');
+    expect(jwtService.getBearerToken).toHaveBeenCalledTimes(1);
+    expect(jwtService.validateAccessToken).toHaveBeenCalledTimes(1);
+    expect(jwtService.validateAccessToken).toHaveBeenCalledWith('bearer-token-value');
     expect(service.login).toHaveBeenCalledTimes(0);
     expect(testReq.currentUser).toEqual(undefined);
     expect(nxt).toHaveBeenCalledTimes(0);
-    // expect(nxt).toHaveBeenCalledWith(new Problem(403, { detail: 'Authorization token is invalid.' }));
+    //expect(nxt).toHaveBeenCalledWith(new Problem(403, { detail: 'Authorization token is invalid.' }));
   });
 });
 
 describe('getToken', () => {
-  it('returns a null token if no kauth in the request', async () => {
+  it('returns a null token if no auth bearer in the headers', async () => {
     const testReq = {
       params: {
         formId: 2,
       },
     };
 
+    jwtService.getBearerToken = jest.fn().mockReturnValue(null);
+    jwtService.getTokenPayload = jest.fn().mockReturnValue(null);
+
     await currentUser(testReq, testRes, jest.fn());
+    expect(jwtService.getBearerToken).toHaveBeenCalledTimes(1);
+    expect(jwtService.getTokenPayload).toHaveBeenCalledTimes(1);
     expect(service.login).toHaveBeenCalledTimes(1);
     expect(service.login).toHaveBeenCalledWith(null);
   });
@@ -513,7 +517,10 @@ describe('hasSubmissionPermissions', () => {
   it('falls through to the query if the current user does not have any FORM access on the current form', async () => {
     service.getSubmissionForm = jest.fn().mockReturnValue({
       submission: { deleted: false },
-      form: { id: '999', identityProviders: [{ code: 'idir' }, { code: 'bceid' }] },
+      form: {
+        id: '999',
+        identityProviders: [{ code: 'idir' }, { code: 'bceid' }],
+      },
     });
     service.checkSubmissionPermission = jest.fn().mockReturnValue(undefined);
 
@@ -688,7 +695,11 @@ describe('hasFormRoles', () => {
     await hfr(req, testRes, nxt);
 
     expect(nxt).toHaveBeenCalledTimes(1);
-    expect(nxt).toHaveBeenCalledWith(new Problem(401, { detail: 'You do not have permission to update this role.' }));
+    expect(nxt).toHaveBeenCalledWith(
+      new Problem(401, {
+        detail: 'You do not have permission to update this role.',
+      })
+    );
   });
 
   it('falls through if the current user does not have all of the required form roles', async () => {
@@ -706,7 +717,11 @@ describe('hasFormRoles', () => {
     await hfr(req, testRes, nxt);
 
     expect(nxt).toHaveBeenCalledTimes(1);
-    expect(nxt).toHaveBeenCalledWith(new Problem(401, { detail: 'You do not have permission to update this role.' }));
+    expect(nxt).toHaveBeenCalledWith(
+      new Problem(401, {
+        detail: 'You do not have permission to update this role.',
+      })
+    );
   });
 
   it('moves on if the user has at least one of the required form roles', async () => {
@@ -975,7 +990,7 @@ describe('hasRolePermissions', () => {
             updatedAt: '',
           },
           {
-            id: '5',
+            id: '6',
             role: Roles.FORM_SUBMITTER,
             formId: formId,
             userId: userId2,
@@ -1071,7 +1086,11 @@ describe('hasRolePermissions', () => {
           await hrp(req, testRes, nxt);
 
           expect(nxt).toHaveBeenCalledTimes(1);
-          expect(nxt).toHaveBeenCalledWith(new Problem(401, { detail: "You can't remove your own team manager role." }));
+          expect(nxt).toHaveBeenCalledWith(
+            new Problem(401, {
+              detail: "You can't remove your own team manager role.",
+            })
+          );
         });
       });
 
@@ -1332,7 +1351,11 @@ describe('hasRolePermissions', () => {
             await hrp(req, testRes, nxt);
 
             expect(nxt).toHaveBeenCalledTimes(1);
-            expect(nxt).toHaveBeenCalledWith(new Problem(401, { detail: "You can't add a form designer role." }));
+            expect(nxt).toHaveBeenCalledWith(
+              new Problem(401, {
+                detail: "You can't add a form designer role.",
+              })
+            );
           });
 
           it('falls through if trying to remove a designer role', async () => {
@@ -1401,7 +1424,11 @@ describe('hasRolePermissions', () => {
             await hrp(req, testRes, nxt);
 
             expect(nxt).toHaveBeenCalledTimes(1);
-            expect(nxt).toHaveBeenCalledWith(new Problem(401, { detail: "You can't remove a form designer role." }));
+            expect(nxt).toHaveBeenCalledWith(
+              new Problem(401, {
+                detail: "You can't remove a form designer role.",
+              })
+            );
           });
 
           it('should succeed when adding a manager/reviewer/submitter roles', async () => {
diff --git a/app/tests/unit/forms/user/service.spec.js b/app/tests/unit/forms/user/service.spec.js
index 63fd60bf3..6036ad793 100644
--- a/app/tests/unit/forms/user/service.spec.js
+++ b/app/tests/unit/forms/user/service.spec.js
@@ -5,6 +5,7 @@ jest.mock('../../../../src/forms/common/models/tables/userFormPreferences', () =
 jest.mock('../../../../src/forms/common/models/tables/label', () => MockModel);
 
 const service = require('../../../../src/forms/user/service');
+const idpService = require('../../../../src/components/idpService');
 
 const formId = '4d33f4cb-0b72-4c3d-9e41-f2651805fee1';
 const userId = 'cc8c64b7-a457-456e-ade0-09ff7ee75a2b';
@@ -15,6 +16,8 @@ beforeEach(() => {
   MockTransaction.mockReset();
 });
 
+idpService.findByCode = jest.fn().mockReturnValue(null);
+
 describe('list', () => {
   it('should query user table by id', async () => {
     const params = {
diff --git a/app/tests/unit/routes/v1/admin.spec.js b/app/tests/unit/routes/v1/admin.spec.js
index 7bcfd20d0..476562752 100644
--- a/app/tests/unit/routes/v1/admin.spec.js
+++ b/app/tests/unit/routes/v1/admin.spec.js
@@ -6,12 +6,12 @@ const { expressHelper } = require('../../../common/helper');
 //
 // mock middleware
 //
-const keycloak = require('../../../../src/components/keycloak');
+const jwtService = require('../../../../src/components/jwtService');
 
 //
 // test assumes that caller has appropriate token, we are not testing middleware here...
 //
-keycloak.protect = jest.fn(() => {
+jwtService.protect = jest.fn(() => {
   return jest.fn((_req, _res, next) => {
     next();
   });
diff --git a/app/tests/unit/routes/v1/form.spec.js b/app/tests/unit/routes/v1/form.spec.js
index b0b90bbf5..40415fa4a 100644
--- a/app/tests/unit/routes/v1/form.spec.js
+++ b/app/tests/unit/routes/v1/form.spec.js
@@ -7,12 +7,12 @@ const { expressHelper } = require('../../../common/helper');
 //
 // mock middleware
 //
-const keycloak = require('../../../../src/components/keycloak');
+const jwtService = require('../../../../src/components/jwtService');
 
 //
 // test assumes that caller has appropriate token, we are not testing middleware here...
 //
-keycloak.protect = jest.fn(() => {
+jwtService.protect = jest.fn(() => {
   return jest.fn((_req, _res, next) => {
     next();
   });
diff --git a/app/tests/unit/routes/v1/permission.spec.js b/app/tests/unit/routes/v1/permission.spec.js
index b95055757..ebcc1038b 100644
--- a/app/tests/unit/routes/v1/permission.spec.js
+++ b/app/tests/unit/routes/v1/permission.spec.js
@@ -6,12 +6,12 @@ const { expressHelper } = require('../../../common/helper');
 //
 // mock middleware
 //
-const keycloak = require('../../../../src/components/keycloak');
+const jwtService = require('../../../../src/components/jwtService');
 
 //
 // test assumes that caller has appropriate token, we are not testing middleware here...
 //
-keycloak.protect = jest.fn(() => {
+jwtService.protect = jest.fn(() => {
   return jest.fn((_req, _res, next) => {
     next();
   });
diff --git a/app/tests/unit/routes/v1/rbac.spec.js b/app/tests/unit/routes/v1/rbac.spec.js
index 3cea1e408..4744ff848 100644
--- a/app/tests/unit/routes/v1/rbac.spec.js
+++ b/app/tests/unit/routes/v1/rbac.spec.js
@@ -6,12 +6,12 @@ const { expressHelper } = require('../../../common/helper');
 //
 // mock middleware
 //
-const keycloak = require('../../../../src/components/keycloak');
+const jwtService = require('../../../../src/components/jwtService');
 
 //
 // test assumes that caller has appropriate token, we are not testing middleware here...
 //
-keycloak.protect = jest.fn(() => {
+jwtService.protect = jest.fn(() => {
   return jest.fn((_req, _res, next) => {
     next();
   });
diff --git a/app/tests/unit/routes/v1/role.spec.js b/app/tests/unit/routes/v1/role.spec.js
index 7a388ef19..83c107f16 100644
--- a/app/tests/unit/routes/v1/role.spec.js
+++ b/app/tests/unit/routes/v1/role.spec.js
@@ -6,12 +6,12 @@ const { expressHelper } = require('../../../common/helper');
 //
 // mock middleware
 //
-const keycloak = require('../../../../src/components/keycloak');
+const jwtService = require('../../../../src/components/jwtService');
 
 //
 // test assumes that caller has appropriate token, we are not testing middleware here...
 //
-keycloak.protect = jest.fn(() => {
+jwtService.protect = jest.fn(() => {
   return jest.fn((_req, _res, next) => {
     next();
   });
diff --git a/app/tests/unit/routes/v1/user.spec.js b/app/tests/unit/routes/v1/user.spec.js
index 9b882fc3d..1bb9d0f0c 100644
--- a/app/tests/unit/routes/v1/user.spec.js
+++ b/app/tests/unit/routes/v1/user.spec.js
@@ -6,12 +6,12 @@ const { expressHelper } = require('../../../common/helper');
 //
 // mock middleware
 //
-const keycloak = require('../../../../src/components/keycloak');
+const jwtService = require('../../../../src/components/jwtService');
 
 //
 // test assumes that caller has appropriate token, we are not testing middleware here...
 //
-keycloak.protect = jest.fn(() => {
+jwtService.protect = jest.fn(() => {
   return jest.fn((_req, _res, next) => {
     next();
   });