Keycloak With Docker Compose

Posted on
keycloak iam idp sso docker

Keycloak is an open source Identity and Access Management System developed as a JBoss community project under the stewardship of Red Hat. Keycloak makes it is easy to secure apps and services written in many technologies using a large number client libraries.

Out of the box, we get things like Single Sign-On, Identity Brokering and Social Login, User Federation and Authorization Services.

With little to no code, we can give users of our apps the ability to sign in with Identity Providers like GitHub, Twitter or Google. Well, anything that’s capable of talking OpenID or SAML. On the other hand, we can easily connect to existing LDAP or Active Directory servers to integrate with corporate services of this world.

Here, I’m going to show how can we launch and configure a local Keycloak server to play with. The only dependency is docker with docker-compose.

Docker Compose

Docker Hub contains prebuilt Keycloak images. At the time of writing, the most recent version is 11.0.2.

Let’s start with the compose.yml file.

version: '3.3'

    image: postgres:9.6.17
    restart: always
      - local-keycloak

      - postgres
    container_name: local_keycloak
      DB_VENDOR: postgres
      DB_ADDR: postgres
    image: jboss/keycloak:${KEYCLOAK_VERSION}
      - "28080:8080"
    restart: always
      - local-keycloak


Next to the compose.yml file, we need the .env file.


That’s it, we can now start our Keycloak:

docker-compose -f compose.yml up

After a short moment, we can go to Keycloak landing page using the local address http://localhost:28080. Keycloak will welcome us with this page:

Clean Keycloak install


Before we move on, let’s quickly figure out what has happened so far.

  1. With Docker Compose, we have started a Keycloak server with PostgreSQL 9.6.17 as a database.
  2. Using the .env file, we have specified that we want Keycloak 11.0.2 and our Keycloak shall connect to Postgres using keycloak username and keycloak password as the credential.
  3. The database used by Keycloak is also called keycloak.
  4. The same variables are used for the postgres service.
  5. The Postgres container will automagically create a user identified by POSTGRES_USER variable, authenticated by the value of POSTGRES_PASSWORD.
  6. We have specified POSTGRES_DB so the container created the database and configured access for our new user.
  7. Both containers run in the same bridge network called local-keycloak. Actually, in Docker it’s called something else:
[rad] dev-keycloak $ docker network ls | grep keycloak
920dd184892c        dev-keycloak_local-keycloak              bridge              local

The name of the network is essentially:

basename $(pwd) + <name-from-compose.yml>
  1. We have exposed the 28080 port to the host so we can reach Keycloak from the browser.
  2. Finally, we named the Keycloak container as local_keycloak. We will use this name shortly.

Administrator account

Okay, so Keycloak is running but we can’t do anything with it because we need to create an Administrator account. That we can also do with Docker.

While the compose setup is running, run this in your terminal:

docker exec local_keycloak \
    /opt/jboss/keycloak/bin/ \
    -u admin \
    -p admin \
&& docker restart local_keycloak

Once this command finishes, you will see that the compose local_keycloak is going to restart. Give it a short moment and reload the Keycloak landing page.

Keycloak landing page with login

Click Administration Console link and sign in with admin as the username and admin as the password. Welcome to Keycloak.

Further reading

Keycloak source code can be found on GitHub.