Skip to content

Keycloak

FeatureSupport
OAuth2/OIDC clients✅ Full
SAML clients✅ Full
Resource servers❌ Not supported
Client cloning✅ Full
  1. Create a confidential admin client

    In the Keycloak Admin Console, in the realm you want Taco to manage, go to Clients → Create client. Enable Client authentication and Service accounts roles, then save.

  2. Grant realm-management roles

    On the new client’s Service account roles tab, assign the manage-clients, view-clients, and query-clients roles from the realm-management client.

  3. Copy the client secret

    On the Credentials tab, copy the Client secret.

  4. Set environment variables

    Terminal window
    OPENID_PROVIDER=keycloak
    KEYCLOAK_BASE_URL=https://keycloak.example.com
    KEYCLOAK_REALM=your-realm
    KEYCLOAK_ADMIN_CLIENT_ID=taco-admin
    KEYCLOAK_ADMIN_CLIENT_SECRET=your-client-secret
  • OAuth2/OIDC clients map directly to Keycloak openid-connect clients. Grant types map to Keycloak’s flow toggles (standardFlowEnabled, implicitFlowEnabled, directAccessGrantsEnabled, serviceAccountsEnabled); the device code grant maps to the oauth2.device.authorization.grant.enabled client attribute. The JWT bearer grant is not offered — Keycloak has no equivalent toggle in the client representation.
  • Keycloak does not distinguish client_secret_post from client_secret_basic delivery at the token endpoint — both are accepted for any secret-based client, so Taco reports client_secret_basic for all confidential clients.
  • SAML clients map to Keycloak saml clients, with the client’s clientId set to the SAML entity ID. Signing defaults to RSA_SHA256 with POST binding and a signed assertion; adjust encryption, additional signature settings, and attribute/role mappers directly in the Keycloak Admin Console for finer control.
  • Client secrets are fetched from Keycloak’s dedicated /client-secret endpoint rather than the client representation itself.
  • Resource servers are not modeled by Taco for this provider — manage Keycloak client scopes and authorization services directly in the Keycloak Admin Console.

To protect the Taco dashboard with Keycloak SSO, register a separate confidential OIDC client (standard flow) in the same or a different realm:

Terminal window
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://keycloak.example.com/realms/your-realm
AUTH_CLIENT_ID=your-oidc-client-id
AUTH_CLIENT_SECRET=your-oidc-client-secret

Add <BASE_URL>/api/auth/callback/oidc to the client’s Valid redirect URIs.