Keycloak Skill
Provides comprehensive Keycloak identity and access management capabilities for the Alpha Members Platform.
When to Use This Skill
Activate this skill when working with:
- Keycloak realm configuration
- Client setup and management
- Authentication flows (MFA, OTP, WebAuthn)
- User federation (LDAP, Active Directory)
- Identity providers (SAML, OIDC, social login)
- Theme customization
- Role-based access control
Quick Reference
Common Commands
# Start Keycloak in dev mode
docker-compose up keycloak keycloak-db -d
# Export realm configuration
docker exec keycloak /opt/keycloak/bin/kc.sh export \
--realm alpha-members \
--dir /tmp/export \
--users realm_file
# Import realm
docker exec keycloak /opt/keycloak/bin/kc.sh import \
--dir /opt/keycloak/data/import
# Get admin token
curl -X POST "http://localhost:8080/realms/master/protocol/openid-connect/token" \
-d "client_id=admin-cli" \
-d "username=admin" \
-d "password=admin" \
-d "grant_type=password"
# Health check
curl http://localhost:8080/health/ready
Admin REST API
# Base URL
KEYCLOAK_URL="http://localhost:8080"
REALM="alpha-members"
# List users
curl -H "Authorization: Bearer $TOKEN" \
"$KEYCLOAK_URL/admin/realms/$REALM/users"
# Create client
curl -X POST -H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
"$KEYCLOAK_URL/admin/realms/$REALM/clients" \
-d '{"clientId": "new-client", "enabled": true}'
# Get realm roles
curl -H "Authorization: Bearer $TOKEN" \
"$KEYCLOAK_URL/admin/realms/$REALM/roles"
Realm Configuration
alpha-members Realm
{
"realm": "alpha-members",
"enabled": true,
"sslRequired": "external",
"registrationAllowed": true,
"registrationEmailAsUsername": true,
"verifyEmail": true,
"bruteForceProtected": true,
"failureFactor": 5,
"maxFailureWaitSeconds": 900
}
Default Roles
- admin - Full administrative access
- member - Standard member access
- guest - Limited guest access
Client Roles (member-api)
- members:read
- members:write
- members:delete
- members:admin
Authentication Flows
Browser Flow (Default)
- Cookie (ALTERNATIVE)
- Identity Provider Redirector (ALTERNATIVE)
- Forms:
- Username/Password (REQUIRED)
- Conditional OTP (CONDITIONAL)
Custom MFA Flow
alpha-mfa-flow:
- Username Password Form (REQUIRED)
- Conditional OTP:
- Condition: User Role (admin)
- OTP Form (REQUIRED)
Client Configuration
member-api (Backend Service)
{
"clientId": "member-api",
"enabled": true,
"clientAuthenticatorType": "client-secret",
"serviceAccountsEnabled": true,
"directAccessGrantsEnabled": true,
"publicClient": false,
"protocol": "openid-connect"
}
member-ui (Frontend SPA)
{
"clientId": "member-ui",
"enabled": true,
"publicClient": true,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"redirectUris": ["http://localhost:3000/*"],
"webOrigins": ["+"],
"protocol": "openid-connect",
"attributes": {
"pkce.code.challenge.method": "S256"
}
}
Token Configuration
Access Token Lifespan: 1 hour (3600s)
Implicit Flow Lifespan: 15 minutes (900s)
SSO Session Idle: 30 minutes (1800s)
SSO Session Max: 10 hours (36000s)
Offline Session Idle: 30 days (2592000s)
OIDC Endpoints
Authorization: /realms/alpha-members/protocol/openid-connect/auth
Token: /realms/alpha-members/protocol/openid-connect/token
UserInfo: /realms/alpha-members/protocol/openid-connect/userinfo
Logout: /realms/alpha-members/protocol/openid-connect/logout
JWKS: /realms/alpha-members/protocol/openid-connect/certs
Discovery: /realms/alpha-members/.well-known/openid-configuration
Theme Customization
Theme Structure
keycloak/themes/alpha/
├── theme.properties
├── login/
│ ├── theme.properties
│ ├── resources/css/login.css
│ └── messages/messages_en.properties
├── account/
└── email/
Theme Properties
parent=keycloak
import=common/keycloak
styles=css/login.css
locales=en
User Federation
LDAP Configuration
Vendor: Active Directory
Connection URL: ldaps://ldap.corporate.com:636
Users DN: OU=Users,DC=corporate,DC=com
Username Attribute: sAMAccountName
Edit Mode: READ_ONLY
Sync Mode: IMPORT
Security Best Practices
- Enable brute force protection
- Require email verification
- Use SSL/TLS in production (sslRequired: all)
- Configure proper token lifetimes
- Enable audit logging
- Use PKCE for public clients
- Implement MFA for admin roles
Project Files
- Realm Config:
keycloak/realm-config/alpha-realm.json - Docker:
docker/docker-compose.yml(keycloak service) - Themes:
keycloak/themes/alpha/
Related Agents
- keycloak-realm-admin - Realm and client management
- keycloak-theme-developer - Theme customization
- keycloak-identity-specialist - Federation and SSO
- keycloak-auth-flow-designer - Authentication flows
- keycloak-security-auditor - Security review
Troubleshooting
# Check Keycloak logs
docker logs keycloak -f --tail=100
# Test OIDC configuration
curl http://localhost:8080/realms/alpha-members/.well-known/openid-configuration
# Validate token
curl -X POST "http://localhost:8080/realms/alpha-members/protocol/openid-connect/token/introspect" \
-d "client_id=member-api" \
-d "client_secret=$CLIENT_SECRET" \
-d "token=$ACCESS_TOKEN"