Keycloak

KalamDB no longer has Keycloak-specific auth configuration. Keycloak now fits the same single-provider OIDC model as Dex, Okta, Auth0, Entra ID, Google, and other standards-compliant issuers.

Use the generic OIDC docs and set the issuer to your Keycloak realm URL.

Example server.toml

1[auth]2jwt_trusted_issuers = "kalamdb,https://keycloak.example.com/realms/myrealm"3 4[auth.oidc]5enabled = true6display_name = "Keycloak"7issuer = "https://keycloak.example.com/realms/myrealm"8client_id = "kalamdb"9scopes = ["openid", "email", "profile"]10auto_provision = true11default_role = "user"

The issuer URL must exactly match the iss claim in Keycloak tokens.

What Changed

Current external identities use the OIDC sub claim directly as the KalamDB user_id.

If you need explicit persisted users or elevated roles, create them with issuer and subject:

1CREATE USER 'provider-subject'2  WITH OIDC '{"issuer":"https://keycloak.example.com/realms/myrealm","subject":"provider-subject"}'3  ROLE dba4  EMAIL 'alice@example.com';

Related

• OIDC & Issuer Trust
• Authentication & Bootstrap
• OIDC Model