**Purpose**: Keycloak is an open source identity and access management systen for modern applications and services. 

- [Original Reference Compose File](https://github.com/JamesTurland/JimsGarage/blob/main/Keycloak/docker-compose.yaml)
- [Original Reference Deployment Video](https://www.youtube.com/watch?v=6ye4lP9EA2Y)


## Docker Configuration

=== "docker-compose.yml"

    ``` yaml
    version: '3.7'

    services:
      postgres:
        image: postgres:16.2
        volumes:
          - /srv/containers/keycloak/db:/var/lib/postgresql/data
        environment:
          POSTGRES_DB: ${POSTGRES_DB}
          POSTGRES_USER: ${POSTGRES_USER}
          POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
        networks:
          docker_network:
            ipv4_address: 192.168.5.3

      keycloak:
        image: quay.io/keycloak/keycloak:23.0.6
        command: start
        environment:
          TZ: America/Denver # (1)
          KC_PROXY_ADDRESS_FORWARDING: true # (2)
          KC_HOSTNAME_STRICT: false
          KC_HOSTNAME: auth.bunny-lab.io # (3)
          KC_PROXY: edge # (4)
          KC_HTTP_ENABLED: true
          KC_DB: postgres
    #      KC_DB_URL: jdbc:postgresql://postgres/${POSTGRES_DB} # (5)
          KC_DB_USERNAME: ${POSTGRES_USER}
          KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
          KC_DB_URL_HOST: postgres
          KC_DB_URL_PORT: 5432
          KC_DB_URL_DATABASE: ${POSTGRES_DB}
          KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
          KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
    #      KC_HOSTNAME_DEBUG: true # (6)
          KC_HEALTH_ENABLED: true
        ports:
          - 8080:8080
        restart: always
        depends_on:
          - postgres
        networks:
          docker_network:
            ipv4_address: 192.168.5.2

    networks:
      default:
        external:
          name: docker_network
      docker_network:
        external: true

    ```
    
    1.  This sets the timezone of the Keycloak server to your timezone.  This is not really necessary according to the official documentation, however I just like to add it to all of my containers as a baseline environment variable to add
    2.  This assumes you are running Keycloak behind a reverse proxy, in my particular case, Traefik
    3.  Set this to the FQDN that you are expecting to reach the Keycloak server at behind your reverse proxy
    4.  This assumes you are running Keycloak behind a reverse proxy, in my particular case, Traefik
    5.  Official documentation says to use this, but its not really necessary.  In this particular deployment method, we will just specify the parameters manually seen in the next few variables below this one
    6.  If this is enabled, Navigate to https://auth.bunny-lab.io/realms/master/hostname-debug to troubleshoot issues with the deployment if you experience any issues logging into the web portal or admin UI

=== ".env"

    ``` yaml
    POSTGRES_DB=keycloak
    POSTGRES_USER=keycloak
    POSTGRES_PASSWORD=SomethingSecure # (1)
    KEYCLOAK_ADMIN=admin
    KEYCLOAK_ADMIN_PASSWORD=SomethingSuperSecureToLoginAsAdmin # (2)
    ```
    
    1.  This is used internally by Keycloak to interact with the PostgreSQL database server
    2.  This is used to log into the web admin portal at https://auth.bunny-lab.io

## Traefik Reverse Proxy Configuration
If the container does not run on the same host as Traefik, you will need to manually add configuration to Traefik's dynamic config file, outlined below.
``` yaml
http:
  routers:
    auth:
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      service: auth
      rule: Host(`auth.bunny-lab.io`)
      middlewares:
        - auth-headers

  services:
    auth:
      loadBalancer:
        servers:
          - url: http://192.168.5.2:8080
        passHostHeader: true

  middlewares:
    auth-headers:
      headers:
        sslRedirect: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customRequestHeaders:
          X-Forwarded-Proto: https
          X-Forwarded-Port: "443"
```

# Traefik Keycloak Middleware
At this point, we need to add the official Keycloak plugin to Traefik's main configuration.  In this example, it will be assumed you need to configure this in Portainer/Docker Compose, and not via a static yml/toml file.  Assume you follow the [Docker Compose based Traefik Deployment](https://docs.bunny-lab.io/Docker%20%2526%20Kubernetes/Docker/Docker%20Compose/Traefik/).

## Install Keycloak Plugin
If you do not already have the following added to the end of your `command:` section of the docker-compose.yml file in Portainer, go ahead and add it:
``` yml
      # Keycloak plugin configuration
      - "--experimental.plugins.keycloakopenid.moduleName=github.com/Gwojda/keycloakopenid"
      - "--experimental.plugins.keycloakopenid.version=v0.1.34"
```

## Add Middleware to Traefik Dynamic Configuration
You will want to ensure the following exists in the dynamically-loaded config file folder, you can name the file whatever you want, but it will be a one-all middleware for any services you want to have communicating as a specific OAuth2 `Client ID`.  For example, you might want to have some services exist in a particular realm of Keycloak, or to have different client rules apply to certain services.  If this is the case, you can create multiple middlewares in this single yaml file, each handling a different service / realm.