Claude Code Plugins

Community-maintained marketplace


Keycloak identity and access management including realms, clients, authentication flows, themes, and user federation. Activate for OAuth2, OIDC, SAML, SSO, identity providers, and authentication configuration.


SKILL.md

name: keycloak
description: Keycloak identity and access management including realms, clients, authentication flows, themes, and user federation. Activate for OAuth2, OIDC, SAML, SSO, identity providers, and authentication configuration.
allowed-tools: Bash, Read, Write, Edit, Glob, Grep, WebFetch

Keycloak Skill

Provides comprehensive Keycloak identity and access management capabilities for the Alpha Members Platform.

When to Use This Skill

Activate this skill when working with:

  • Keycloak realm configuration
  • Client setup and management
  • Authentication flows (MFA, OTP, WebAuthn)
  • User federation (LDAP, Active Directory)
  • Identity providers (SAML, OIDC, social login)
  • Theme customization
  • Role-based access control

Quick Reference

Common Commands

# Start Keycloak in dev mode
docker-compose up keycloak keycloak-db -d

# Export realm configuration
docker exec keycloak /opt/keycloak/bin/kc.sh export \
  --realm alpha-members \
  --dir /tmp/export \
  --users realm_file

# Import realm
docker exec keycloak /opt/keycloak/bin/kc.sh import \
  --dir /opt/keycloak/data/import

# Get admin token
curl -X POST "http://localhost:8080/realms/master/protocol/openid-connect/token" \
  -d "client_id=admin-cli" \
  -d "username=admin" \
  -d "password=admin" \
  -d "grant_type=password"

# Health check
curl http://localhost:8080/health/ready

Admin REST API

# Base URL
KEYCLOAK_URL="http://localhost:8080"
REALM="alpha-members"

# List users
curl -H "Authorization: Bearer $TOKEN" \
  "$KEYCLOAK_URL/admin/realms/$REALM/users"

# Create client
curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  "$KEYCLOAK_URL/admin/realms/$REALM/clients" \
  -d '{"clientId": "new-client", "enabled": true}'

# Get realm roles
curl -H "Authorization: Bearer $TOKEN" \
  "$KEYCLOAK_URL/admin/realms/$REALM/roles"

Realm Configuration

alpha-members Realm

{
  "realm": "alpha-members",
  "enabled": true,
  "sslRequired": "external",
  "registrationAllowed": true,
  "registrationEmailAsUsername": true,
  "verifyEmail": true,
  "bruteForceProtected": true,
  "failureFactor": 5,
  "maxFailureWaitSeconds": 900
}

Default Roles

  • admin - Full administrative access
  • member - Standard member access
  • guest - Limited guest access

Client Roles (member-api)

  • members:read
  • members:write
  • members:delete
  • members:admin

Authentication Flows

Browser Flow (Default)

  1. Cookie (ALTERNATIVE)
  2. Identity Provider Redirector (ALTERNATIVE)
  3. Forms:
    • Username/Password (REQUIRED)
    • Conditional OTP (CONDITIONAL)

Custom MFA Flow

alpha-mfa-flow:
  - Username Password Form (REQUIRED)
  - Conditional OTP:
    - Condition: User Role (admin)
    - OTP Form (REQUIRED)

Client Configuration

member-api (Backend Service)

{
  "clientId": "member-api",
  "enabled": true,
  "clientAuthenticatorType": "client-secret",
  "serviceAccountsEnabled": true,
  "directAccessGrantsEnabled": true,
  "publicClient": false,
  "protocol": "openid-connect"
}

member-ui (Frontend SPA)

{
  "clientId": "member-ui",
  "enabled": true,
  "publicClient": true,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": false,
  "redirectUris": ["http://localhost:3000/*"],
  "webOrigins": ["+"],
  "protocol": "openid-connect",
  "attributes": {
    "pkce.code.challenge.method": "S256"
  }
}

Token Configuration

Access Token Lifespan: 1 hour (3600s)
Implicit Flow Lifespan: 15 minutes (900s)
SSO Session Idle: 30 minutes (1800s)
SSO Session Max: 10 hours (36000s)
Offline Session Idle: 30 days (2592000s)

OIDC Endpoints

Authorization: /realms/alpha-members/protocol/openid-connect/auth
Token: /realms/alpha-members/protocol/openid-connect/token
UserInfo: /realms/alpha-members/protocol/openid-connect/userinfo
Logout: /realms/alpha-members/protocol/openid-connect/logout
JWKS: /realms/alpha-members/protocol/openid-connect/certs
Discovery: /realms/alpha-members/.well-known/openid-configuration
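The member-ui client above is pinned to PKCE with S256, and the endpoints listed here are what the flow talks to. The following is an added example (not part of the SKILL.md or of Keycloak itself) that builds the authorization request and the code exchange for that client in plain Python; it assumes the page's realm name, client id and endpoint paths, uses http://localhost:8080 as a placeholder base URL, and assumes a callback at http://localhost:3000/callback (within the page's http://localhost:3000/* pattern). The verifier/challenge pair is the RFC 7636 construction, so it can be checked against that RFC's published test vector.

```python
"""PKCE (RFC 7636) helpers for the member-ui public client.

Added example, not from the original page. Realm, client id and endpoint
paths are taken from the page; the base URL and callback path are assumptions.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

KEYCLOAK_URL = "http://localhost:8080"          # placeholder base URL from the page's examples
REALM = "alpha-members"
CLIENT_ID = "member-ui"
REDIRECT_URI = "http://localhost:3000/callback"  # assumed; matches http://localhost:3000/*
AUTH_ENDPOINT = f"{KEYCLOAK_URL}/realms/{REALM}/protocol/openid-connect/auth"
TOKEN_ENDPOINT = f"{KEYCLOAK_URL}/realms/{REALM}/protocol/openid-connect/token"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 characters (RFC minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(verifier: str, state: str, nonce: str) -> str:
    """Authorization request for the code flow, forcing S256 like the client's
    pkce.code.challenge.method attribute. state and nonce are stored by the
    caller and checked on the way back."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def callback_is_valid(callback_url: str, expected_state: str) -> bool:
    """Accept the callback only if it carries a code and the state we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    return "code" in qs and qs.get("state") == [expected_state]


def build_token_request(code: str, verifier: str) -> dict:
    """Form body POSTed to TOKEN_ENDPOINT; no client secret, the verifier binds
    the exchange to the party that started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


def verifier_matches_challenge(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs against the stored challenge."""
    return secrets.compare_digest(code_challenge_s256(verifier), challenge)


if __name__ == "__main__":
    v = new_code_verifier()
    print(build_authorization_url(v, state=secrets.token_urlsafe(16), nonce=secrets.token_urlsafe(16)))
    print(build_token_request("<code-from-callback>", v))
```

Because the client is public, nothing in the token request is secret; the security comes from the verifier never leaving the browser until the exchange, which is why `verifier_matches_challenge` is the server-side step that makes an intercepted authorization code useless.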

Theme Customization

Theme Structure

keycloak/themes/alpha/
├── theme.properties
├── login/
│   ├── theme.properties
│   ├── resources/css/login.css
│   └── messages/messages_en.properties
├── account/
└── email/

Theme Properties

parent=keycloak
import=common/keycloak
styles=css/login.css
locales=en

User Federation

LDAP Configuration

Vendor: Active Directory
Connection URL: ldaps://ldap.corporate.com:636
Users DN: OU=Users,DC=corporate,DC=com
Username Attribute: sAMAccountName
Edit Mode: READ_ONLY
Sync Mode: IMPORT

Security Best Practices

  1. Enable brute force protection
  2. Require email verification
  3. Use SSL/TLS in production (sslRequired: all)
  4. Configure proper token lifetimes
  5. Enable audit logging
  6. Use PKCE for public clients
  7. Implement MFA for admin roles
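The checklist above maps directly onto fields in a realm export, so it can be enforced mechanically against the output of `kc.sh export`. The script below is an added example (not part of the SKILL.md or of Keycloak) that audits a realm export for items 1 to 6: brute force protection, email verification for self-registration, `sslRequired: all` in production, token lifetime ceilings, login and admin event logging, and PKCE plus flow hygiene on each client. The export it runs on is constructed from the page's own realm and client samples; the severity labels, the 3600-second access token ceiling and the decision to flag the password grant on the member-api client are this example's assumptions, not settings the page prescribes.

```python
"""Audit a Keycloak realm export against the Security Best Practices checklist.

Added example, not from the original page. Field names are Keycloak's realm
and client representation keys; thresholds and severities are assumptions.
"""
import json
from typing import Dict, List, Tuple

# Constructed export: the page's realm settings plus its two sample clients.
SAMPLE_EXPORT = json.loads("""
{
  "realm": "alpha-members", "enabled": true, "sslRequired": "external",
  "registrationAllowed": true, "registrationEmailAsUsername": true,
  "verifyEmail": true, "bruteForceProtected": true,
  "failureFactor": 5, "maxFailureWaitSeconds": 900,
  "accessTokenLifespan": 3600, "ssoSessionIdleTimeout": 1800,
  "clients": [
    {"clientId": "member-api", "enabled": true, "publicClient": false,
     "clientAuthenticatorType": "client-secret", "serviceAccountsEnabled": true,
     "directAccessGrantsEnabled": true, "protocol": "openid-connect"},
    {"clientId": "member-ui", "enabled": true, "publicClient": true,
     "standardFlowEnabled": true, "implicitFlowEnabled": false,
     "directAccessGrantsEnabled": false,
     "redirectUris": ["http://localhost:3000/*"], "webOrigins": ["+"],
     "protocol": "openid-connect",
     "attributes": {"pkce.code.challenge.method": "S256"}}
  ]
}
""")

Finding = Tuple[str, str, str]  # (severity, subject, message)
ACCESS_TOKEN_CEILING = 3600     # assumed ceiling, taken from the page's 1 hour setting


def audit_realm(realm: Dict, production: bool = True) -> List[Finding]:
    """Realm-level checks (checklist items 1 to 5)."""
    f: List[Finding] = []
    name = realm.get("realm", "?")
    if not realm.get("bruteForceProtected"):
        f.append(("high", name, "bruteForceProtected is off"))
    if realm.get("registrationAllowed") and not realm.get("verifyEmail"):
        f.append(("medium", name, "self-registration allowed without verifyEmail"))
    if production and realm.get("sslRequired") != "all":
        f.append(("high", name, f"sslRequired is {realm.get('sslRequired')!r}; production expects 'all'"))
    if realm.get("accessTokenLifespan", 0) > ACCESS_TOKEN_CEILING:
        f.append(("medium", name, f"accessTokenLifespan exceeds {ACCESS_TOKEN_CEILING}s"))
    if not (realm.get("eventsEnabled") and realm.get("adminEventsEnabled")):
        f.append(("medium", name, "login events or admin events are not enabled"))
    return f


def audit_client(c: Dict) -> List[Finding]:
    """Client-level checks: PKCE on public clients, implicit flow, password grant,
    wildcard redirect hosts and wildcard web origins (checklist item 6 and related)."""
    f: List[Finding] = []
    cid = c.get("clientId", "?")
    if c.get("implicitFlowEnabled"):
        f.append(("high", cid, "implicit flow enabled; use the code flow with PKCE"))
    if c.get("publicClient"):
        if c.get("attributes", {}).get("pkce.code.challenge.method") != "S256":
            f.append(("high", cid, "public client without pkce.code.challenge.method=S256"))
        if c.get("directAccessGrantsEnabled"):
            f.append(("high", cid, "public client accepts the password grant"))
    elif c.get("directAccessGrantsEnabled"):
        f.append(("low", cid, "confidential client accepts the password grant; prefer client credentials"))
    for uri in c.get("redirectUris", []):
        host = uri.split("://", 1)[-1].split("/", 1)[0]   # wildcard in scheme/host, not just path
        if uri == "*" or "*" in host:
            f.append(("high", cid, f"over-broad redirect URI {uri!r}"))
    if "*" in c.get("webOrigins", []):
        f.append(("medium", cid, "webOrigins allows any origin; '+' derives origins from redirect URIs"))
    return f


def audit_export(export: Dict, production: bool = True) -> List[Finding]:
    findings = audit_realm(export, production)
    for client in export.get("clients", []):
        findings.extend(audit_client(client))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, subject, msg in audit_export(SAMPLE_EXPORT, production=True):
        print(f"[{sev:6}] {subject}: {msg}")
```

Run against the page's own samples with `production=True`, the audit reports the realm's `sslRequired: external` (acceptable for local development, not for production), the absence of event logging in the sample, and the password grant on member-api as a low-severity note; member-ui passes because PKCE is pinned to S256, the implicit flow is off and `webOrigins` uses `+` rather than `*`.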

Project Files

  • Realm Config: keycloak/realm-config/alpha-realm.json
  • Docker: docker/docker-compose.yml (keycloak service)
  • Themes: keycloak/themes/alpha/

Related Agents

  • keycloak-realm-admin - Realm and client management
  • keycloak-theme-developer - Theme customization
  • keycloak-identity-specialist - Federation and SSO
  • keycloak-auth-flow-designer - Authentication flows
  • keycloak-security-auditor - Security review

Troubleshooting

# Check Keycloak logs
docker logs keycloak -f --tail=100

# Test OIDC configuration
curl http://localhost:8080/realms/alpha-members/.well-known/openid-configuration

# Validate token
curl -X POST "http://localhost:8080/realms/alpha-members/protocol/openid-connect/token/introspect" \
  -d "client_id=member-api" \
  -d "client_secret=$CLIENT_SECRET" \
  -d "token=$ACCESS_TOKEN"