DEV Community

Cover image for Deploy Keycloak Clients and Roles with Code
Andrew M
Andrew M

Posted on

Deploy Keycloak Clients and Roles with Code

We last discussed how to structure our Keycloak role organization within a microservice deployment context. This discussion provides the foundation for what we will discuss today: leveraging Infrastructure as Code (IAC) to deploy Keycloak clients and roles easily. The goal for this project is to easily add additional microservice integrations to Keycloak so that they can be set up with minimal configuration. The tool will come as a lightweight CLI that interacts with a Keycloak server deployment to perform the client and role creation. THe tool will also provide smart defaults so new users can take advantage of this service without a full understanding of each setting.

Proposed IaC Schema

Here is a link to the JSON schema
Here is a link to the schema documentation

The proposed schema for this tool breaks down the Keycloak client configuration into more manageable and modular segments to ease template creation. For example, in this simple example, the hierarchical nature of the template enables users to specify their client features more easily.


In order to run the kraxen CLI, you must have NPM installed.
Install the CLI tool, aka Kraxen, by cloning the kraxen repository and installing it globally:

git clone && cd kraxen
npm install -g .
Enter fullscreen mode Exit fullscreen mode

Firstly, a configuration file for kraxen (.kraxen) must be created in either a user's home directory, or the current working directory. The configuration file must specify three things: KEYCLOAK_HOST, KEYCLOAK_ADMIN_USERNAME, and KEYCLOAK_ADMIN_PASSWORD:

Enter fullscreen mode Exit fullscreen mode

These values can also be set via environment variables.

Next, the configuration file for the client must be created. These configuration files are YAML files that define attributes of a Keycloak client that kraxen will create. Kraxen is configured to set smart defaults for a decoupled application that implements OIDC authentication. The only required values are the clientId, protocol, realm settings. Most of the other settings are set as smart defaults and can be overridden via the YAML configuration file. See an example of a template here.

Lastly, we can run the kraxen CLI and watch our template create!

kraxen -t template-file.yaml -c kraxen-config
Enter fullscreen mode Exit fullscreen mode

The -c flag can be omitted if the .kraxen configuration is present in the user's home directory.

Final Notes

This initial executable is just a simple proof-of-concept model to demonstrate how Keycloak APIs can be leveraged to programmatically create clients and roles for use within an application. In the future, the CLI will scaffold out the template based on prompts that a user enters. It will also include sub-commands such as kraxen init to begin CLI setup, kraxen create to create a new set of Keycloak clients and roles, and kraxen sync to update the client configuration to match the current template. I hope to use the great example of elmsln's wcfactory tool to build a more robust CLI that can integrate even more features.

Lastly, I would like to shout out coveooss and their JSON Schema For Humans tool, which allowed me to produce markdown documentation for the Infrastructure as Code schema that I defined above. Kudos!

Top comments (0)