Keycloak
Feature availability
Section titled “Feature availability”| Feature | Support |
|---|---|
| User management | ✅ Full |
| Organizations | ✅ Native (requires Keycloak 26.6+ with Organizations enabled) |
| Audit logs | ✅ Basic (requires Events enabled in realm) |
-
Create or choose a realm
In the Keycloak Admin Console, create a dedicated realm for your application users (e.g.
my-app) or use an existing one.Note the realm name — you will need it as
KEYCLOAK_REALM. -
Create a service account client
In your realm: Clients → Create client.
- Client type: OpenID Connect
- Client ID:
aums-management(or any name you prefer) - Client authentication: On (confidential)
- Service accounts roles: Enabled
- Standard flow / Direct access grants: Off (not needed)
-
Grant realm management permissions
Go to the client → Service accounts roles tab → Assign role.
Filter by realm-management client and assign:
manage-users— create, update, delete, disable usersview-users— list and read usersquery-users— required for search
For audit log access, also assign:
view-events— read realm events
For organization management, also assign:
manage-organizations— create, update, delete organizations and manage members
-
Copy the client secret
Go to the client → Credentials tab. Copy the Client secret.
-
Set environment variables
Terminal window PROVIDER=keycloakKEYCLOAK_BASE_URL=https://keycloak.example.comKEYCLOAK_REALM=my-appKEYCLOAK_CLIENT_ID=aums-managementKEYCLOAK_CLIENT_SECRET=your-client-secret
Organizations
Section titled “Organizations”Keycloak Organizations (introduced in Keycloak 26.0, stable in 26.6+) are supported natively. AUMS maps Keycloak organizations to its organization model:
| AUMS field | Keycloak field |
|---|---|
id | id |
name | name |
displayName | alias |
description | description |
Prerequisites:
- Keycloak version 26.6.0 or later.
- Organizations feature enabled in your realm: Realm settings → General → Organizations → On.
- Service account has the
manage-organizationsrole (see Setup step 3).
Invitations are sent via email using Keycloak’s built-in invitation flow. Ensure your realm has a working email provider configured (Realm settings → Email) before using the invite feature.
Audit logs
Section titled “Audit logs”Keycloak audit logs are read from the realm Events store. Events must be enabled in the realm settings:
- Go to Realm settings → Events tab.
- Enable Save events.
- Optionally extend Expiration to retain events longer (default: 1 day).
- Select the event types you want to track under Saved event types.
Once enabled, AUMS will surface user events (logins, failures, password resets, etc.) on the Audit Logs page, with filtering by user, event type, and date range.
OIDC login (optional)
Section titled “OIDC login (optional)”To protect the AUMS dashboard with Keycloak SSO, create a separate OpenID Connect client in Keycloak (standard flow, not service account):
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://keycloak.example.com/realms/my-appAUTH_CLIENT_ID=aums-dashboardAUTH_CLIENT_SECRET=your-oidc-client-secretAdd <BASE_URL>/api/auth/callback/oidc to the client’s Valid redirect URIs.