Skip to main content

Keycloak

docker run --rm -it \
-p 8080:8080 \
-e KEYCLOAK_ADMIN=admin \
-e KEYCLOAK_ADMIN_PASSWORD=admin \
quay.io/keycloak/keycloak:19.0.1 start-dev

| env | default | | --------------------------- | -------- | ---------------------------------------- | | KC_DB | dev-file | | KC_DB_URL | | KC_DB_USERNAME | | KC_DB_PASSWORD | | KC_FEATURES | | KC_FEATURES_DISABLED | | KC_HOSTNAME | | KC_HEALTH_ENABLED | false | | KC_METRICS_ENABLED | false | | KC_HTTPS_KEY_STORE_PASSWORD | password | | KC_HTTPS_KEY_STORE_FILE | | KC_HOSTNAME_ADMIN | | KC_HTTP_ENABLED | false | 0.0.0.0:8080 | | KC_HTTP_PORT | 8080 | | KC_HTTP_RELATIVE_PATH | / | | KC_HTTPS_PORT | 8443 | | KC_HTTPS_PROTOCOLS | TLSv1.3 | | KC_PROXY | none | none, edge, reencrypt, passthrough | | KC_VAULT | | file, hashicorp | | KC_VAULT_DIR | | KC_LOG_LEVEL | info | | KC_CACHE | | ispn | | KC_CACHE_STACK | udp | tcp, udp, kubernetes, ec2, azure, google | | KC_CACHE_CONFIG_FILE | | cache-ispn.xml |

bin/kc.sh start-dev

# 可在 build 镜像时执行 - 大概几秒 - start 和 start-dev 都会执行
bin/kc.sh build

# --optimized 告诉 kc 已经 build
# 要求所有配置相同
# 默认情况会先 build
bin/kc.sh start --optimized
  • KC_DB_URL_HOST -> --db-url-host -> db-url-host
    • 环境变量 - flag - 配置项
  • 配置文件同 flag 无 -- - --config-file,-cf
    • conf/keycloak.conf
    • 配置可引用环境变量 db-url-host=${MY_DB_HOST:mydb}
  • KC_METRICS_ENABLED
    • /health
    • /health/ready
    • /health/live
  • KC_METRICS_ENABLED
    • /metrics
  • KC_FEATURES - authorization, account2, account-api, admin-fine-grained-authz, admin2, docker, impersonation, openshift-integration, scripts, token-exchange, web-authn, client-policies, ciba, map-storage, par, declarative-user-profile, dynamic-scopes, client-secret-rotation, step-up-authentication, recovery-codes, update-email, preview
  • KC_DB - dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres
featurenote
account-apiAccount Management REST API
account2New Account Management Console
admin2New Admin Console
authorizationAuthorization Service
cibaOpenID Connect Client Initiated Backchannel Authentication (CIBA)
client-policiesClient configuration policies
impersonationAbility for admins to impersonate users
parOAuth 2.0 Pushed Authorization Requests (PAR)
step-up-authenticationStep-up Authentication
web-authnW3C Web Authentication (WebAuthn)
dockerDocker Registry protocol
  • 默认关闭
    • docker
previewnote
admin-fine-grained-authzFine-Grained Admin Permissions
client-secret-rotationClient Secret Rotation
declarative-user-profileConfigure user profiles using a declarative style
openshift-integrationExtension to enable securing OpenShift
recovery-codesRecovery codes
scriptsWrite custom authenticators using JavaScript
token-exchangeToken Exchange Service
update-emailUpdate Email Action
dynamic-scopes
map-storage