2025-01-28 20:41:20 +01:00
.gitignore add postgres backup script 2025-01-28 20:41:20 +01:00
backup.sh add postgres backup script 2025-01-28 20:41:20 +01:00
compose.yml add keycloak deployment files 2025-01-28 20:41:20 +01:00
Containerfile.keycloak add keycloak deployment files 2025-01-28 20:41:20 +01:00
LICENSE Initial commit 2025-01-28 20:41:20 +01:00
README.md add realm config examples 2025-01-28 20:41:20 +01:00
sample.env add keycloak deployment files 2025-01-28 20:41:20 +01:00

Keycloak Deployment

This repository contains all files required to deploy the Keycloak service using docker-compose.

The deployment is tailored towards a setup using Postgres as the database and running Keycloak behind a reverse proxy using HTTP. If you want to use it with any other configuration, you will have to adapt the compose file. Furthermore, the setup utilizes a custom Keycloak image that is built without impersonation features.

Setup

Copy the sample.env file into a .env file and choose secure passwords. Then run docker compose up -d.

Updating

Change the Postgres and Keycloak versions in your .env file and run docker compose build (only required for updating Keycloak). Then run docker compose up -d again.

Configuration

The Keycloak configuration is not quite straightforward, which is why the following section contains some configuration examples. It is recommended to create a custom realm first instead of simply using the master realm.

Enforcing 2FA

In the realm management console under Authentication > Required Actions, certain actions can be enabled and set to be the default action. Useful defaults might be to enforce Configure OTP, Update Password, Update Profile and Verify Email.

Creating a realm admin

The custom realm can be managed using the global Keycloak admin, but it might make more sense to create per-realm admins. To do so, a new Realm Role can be added (e.g. named realm-admin). After creating this role, the action Add associated roles can be chosen. Choose to filter by clients and search for realm-management. Then choose all of the given roles and assign them to the realm-admin role. This role can be added to a given user under the Role Mapping tab in the user's profile. Afterwards, the given realm can be managed using its web console on https://<keycloak>/admin/<realm>/console.
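
The same realm-admin steps can be scripted against the Keycloak Admin REST API. The following is an added example, not part of this repository; it assumes an admin access token obtained separately, and the function names and the injectable call parameter are hypothetical. It returns the list of realm-management roles it granted so the result can be reviewed.

```python
import json
import urllib.parse
import urllib.request

def http_json(method, url, token, body=None):
    """Minimal JSON client for the Keycloak Admin REST API (stdlib only)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def create_realm_admin(base, realm, token, username, role="realm-admin", call=http_json):
    """Create `role`, make it a composite of every realm-management client
    role, and map it to `username`. Returns the granted client role names."""
    api = f"{base}/admin/realms/{realm}"
    # 1. New realm role (same as adding a Realm Role in the console).
    call("POST", f"{api}/roles", token, {"name": role})
    role_rep = call("GET", f"{api}/roles/{role}", token)
    # 2. Look up the built-in realm-management client and list its roles.
    client = call("GET", f"{api}/clients?clientId=realm-management", token)[0]
    client_roles = call("GET", f"{api}/clients/{client['id']}/roles", token)
    # 3. "Add associated roles": attach them as composites of the new role.
    call("POST", f"{api}/roles-by-id/{role_rep['id']}/composites", token, client_roles)
    # 4. Role mapping for the user; insist on exactly one exact-name match
    #    so the role is never granted to a similarly named account.
    name = urllib.parse.quote(username)
    users = call("GET", f"{api}/users?username={name}&exact=true", token)
    if len(users) != 1:
        raise LookupError(f"expected exactly one user named {username!r}")
    call("POST", f"{api}/users/{users[0]['id']}/role-mappings/realm", token, [role_rep])
    return sorted(r["name"] for r in client_roles)
```

Pass the base URL without a trailing slash, e.g. create_realm_admin("https://<keycloak>", "<realm>", token, "<username>").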