Introducing Keycloak for Identity and Access Management

Lately, I’ve been working with Keycloak, so I decided to better delve into it and write about it.

This article is the first of a series where I’d like to introduce Keycloak as a solution to manage authentication and authorisation, how to install it and which are the fundamental concepts and configurations.

Then I’d like to explain how to use it to secure Spring Boot, Spring Security and AngularJS applications and services, analyse the implementation when using a relational database to store users and finally how to manage users from Java thanks to the Admin REST API.

A preview of the Keycloak official website
Keycloak Website – Open Source Identity and Access Management

What is Keycloak?

Keycloak is an open source project developed and maintained by the RedHat Community.

“Keycloak is an open source Identity and Access Management solution aimed at modern applications and services. It makes it easy to secure applications and services with little to no code.”

It offers a broad set of features; I suggest you check the official documentation to get all the details.

Throughout this series I’ll explore the following features:

  • Admin Console to configure the Keycloak server and create realms, roles, users and clients;
  • Single Sign-On (SSO) using the Open ID Connect (OIDC) authentication and authorisation protocol;
  • Client Adapters to integrate Spring Boot, Spring Security and AngularJS with Keycloak;
  • Admin REST API for user management.

Installing and Booting Keycloak

After a quick introduction to this series of posts and Keycloak, let’s see how to install and boot Keycloak.

You can download the Keycloak Server from the official website. I’m using the latest release of the standalone server distribution, which is the 3.3.0 version at the moment of the writing.

Keycloak download page
Keycloak Downloads Page

Extract the folder from the zip (or tar) archive: it contains all you need to run the Keycloak server.

From the bin/ directory of your Keycloak distribution, you can boot the Keycloak server by running either the script (macOS and Linux) or the standalone.bat file (Windows). The Keycloak server will be reachable on your host 8080 port by default, but you can define a custom port by setting the optional jboss.socket.binding.port-offset property to a value that the script will add to the default port.

If you are on macOS or Linux, open a Terminal prompt and run the following command:

bin/ -Djboss.socket.binding.port-offset=100

If you are on Windows, you can boot Keycloak by running the following command on your Command Prompt terminal:

 bin/standalone.bat -Djboss.socket.binding.port-offset=100

In this example, the URL of the Keycloak server will be http://localhost:8180.

First Access to Keycloak

When you access the Keycloak server for the first time at http://localhost:8180/auth, it will show you a screen where you can create an admin account.

You need to have an admin account to log into the Admin Console and start creating realms, roles, users and clients.

Keycloak form to create admin account
Keycloak Welcome Page

After creating an admin account, click the Administration Console link to go to http://localhost:8180/auth/admin and log into the Keycloak console with the username and password that you have just chosen.

The login form of Keycloak
Keycloak Login Page

You have finally got access to the Keycloak Admin Console, good job!

The administration console of Keycloak server
Keycloak Admin Console


In this article, I introduced Keycloak and the new series of posts about it. I briefly explained what it is and which are the main features that I’ll be using throughout this series. Then, I downloaded the Keycloak server, installed and booted it. Finally, I created an admin user and got access to the Admin Console.

In the next post, I’ll go through a basic configuration of Keycloak for authentication and authorisation.

Keycloak Series

4 Replies to “Introducing Keycloak for Identity and Access Management”

Leave a Reply

Your email address will not be published. Required fields are marked *