Keycloak
Feature availability
Section titled “Feature availability”| Feature | Support |
|---|---|
| OAuth2/OIDC clients | ✅ Full |
| SAML clients | ✅ Full |
| Resource servers | ❌ Not supported |
| Client cloning | ✅ Full |
-
Create a confidential admin client
In the Keycloak Admin Console, in the realm you want Taco to manage, go to Clients → Create client. Enable Client authentication and Service accounts roles, then save.
-
Grant realm-management roles
On the new client’s Service account roles tab, assign the
manage-clients,view-clients, andquery-clientsroles from therealm-managementclient. -
Copy the client secret
On the Credentials tab, copy the Client secret.
-
Set environment variables
Terminal window OPENID_PROVIDER=keycloakKEYCLOAK_BASE_URL=https://keycloak.example.comKEYCLOAK_REALM=your-realmKEYCLOAK_ADMIN_CLIENT_ID=taco-adminKEYCLOAK_ADMIN_CLIENT_SECRET=your-client-secret
Client management notes
Section titled “Client management notes”- OAuth2/OIDC clients map directly to Keycloak
openid-connectclients. Grant types map to Keycloak’s flow toggles (standardFlowEnabled,implicitFlowEnabled,directAccessGrantsEnabled,serviceAccountsEnabled); the device code grant maps to theoauth2.device.authorization.grant.enabledclient attribute. The JWT bearer grant is not offered — Keycloak has no equivalent toggle in the client representation. - Keycloak does not distinguish
client_secret_postfromclient_secret_basicdelivery at the token endpoint — both are accepted for any secret-based client, so Taco reportsclient_secret_basicfor all confidential clients. - SAML clients map to Keycloak
samlclients, with the client’sclientIdset to the SAML entity ID. Signing defaults toRSA_SHA256with POST binding and a signed assertion; adjust encryption, additional signature settings, and attribute/role mappers directly in the Keycloak Admin Console for finer control. - Client secrets are fetched from Keycloak’s dedicated
/client-secretendpoint rather than the client representation itself. - Resource servers are not modeled by Taco for this provider — manage Keycloak client scopes and authorization services directly in the Keycloak Admin Console.
OIDC login (optional)
Section titled “OIDC login (optional)”To protect the Taco dashboard with Keycloak SSO, register a separate confidential OIDC client (standard flow) in the same or a different realm:
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://keycloak.example.com/realms/your-realmAUTH_CLIENT_ID=your-oidc-client-idAUTH_CLIENT_SECRET=your-oidc-client-secretAdd <BASE_URL>/api/auth/callback/oidc to the client’s Valid redirect URIs.