markus41/keycloak
.claude/skills/keycloak/SKILL.md
Keycloak identity and access management including realms, clients, authentication flows, themes, and user federation. Activate for OAuth2, OIDC, SAML, SSO, identity providers, and authentication configuration.
$ install --global
skillsauthnpx skillsauth add markus41/claude keycloakInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 7, 2026, 2:12 AM18.8s1 file scanned
SKILL.md
- name:
- keycloak
- description:
- Keycloak identity and access management including realms, clients, authentication flows, themes, and user federation. Activate for OAuth2, OIDC, SAML, SSO, identity providers, and authentication configuration.
Keycloak Skill
Provides comprehensive Keycloak identity and access management capabilities for the Alpha Members Platform.
When to Use This Skill
Activate this skill when working with:
- Keycloak realm configuration
- Client setup and management
- Authentication flows (MFA, OTP, WebAuthn)
- User federation (LDAP, Active Directory)
- Identity providers (SAML, OIDC, social login)
- Theme customization
- Role-based access control
Quick Reference
Common Commands
# Start Keycloak in dev mode
docker-compose up keycloak keycloak-db -d
# Export realm configuration
docker exec keycloak /opt/keycloak/bin/kc.sh export \
--realm alpha-members \
--dir /tmp/export \
--users realm_file
# Import realm
docker exec keycloak /opt/keycloak/bin/kc.sh import \
--dir /opt/keycloak/data/import
# Get admin token
curl -X POST "http://localhost:8080/realms/master/protocol/openid-connect/token" \
-d "client_id=admin-cli" \
-d "username=admin" \
-d "password=admin" \
-d "grant_type=password"
# Health check
curl http://localhost:8080/health/ready
Admin REST API
# Base URL
KEYCLOAK_URL="http://localhost:8080"
REALM="alpha-members"
# List users
curl -H "Authorization: Bearer $TOKEN" \
"$KEYCLOAK_URL/admin/realms/$REALM/users"
# Create client
curl -X POST -H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
"$KEYCLOAK_URL/admin/realms/$REALM/clients" \
-d '{"clientId": "new-client", "enabled": true}'
# Get realm roles
curl -H "Authorization: Bearer $TOKEN" \
"$KEYCLOAK_URL/admin/realms/$REALM/roles"
Realm Configuration
alpha-members Realm
{
"realm": "alpha-members",
"enabled": true,
"sslRequired": "external",
"registrationAllowed": true,
"registrationEmailAsUsername": true,
"verifyEmail": true,
"bruteForceProtected": true,
"failureFactor": 5,
"maxFailureWaitSeconds": 900
}
Default Roles
- admin - Full administrative access
- member - Standard member access
- guest - Limited guest access
Client Roles (member-api)
- members:read
- members:write
- members:delete
- members:admin
Authentication Flows
Browser Flow (Default)
- Cookie (ALTERNATIVE)
- Identity Provider Redirector (ALTERNATIVE)
- Forms:
- Username/Password (REQUIRED)
- Conditional OTP (CONDITIONAL)
Custom MFA Flow
alpha-mfa-flow:
- Username Password Form (REQUIRED)
- Conditional OTP:
- Condition: User Role (admin)
- OTP Form (REQUIRED)
Client Configuration
member-api (Backend Service)
{
"clientId": "member-api",
"enabled": true,
"clientAuthenticatorType": "client-secret",
"serviceAccountsEnabled": true,
"directAccessGrantsEnabled": true,
"publicClient": false,
"protocol": "openid-connect"
}
member-ui (Frontend SPA)
{
"clientId": "member-ui",
"enabled": true,
"publicClient": true,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"redirectUris": ["http://localhost:3000/*"],
"webOrigins": ["+"],
"protocol": "openid-connect",
"attributes": {
"pkce.code.challenge.method": "S256"
}
}
Token Configuration
Access Token Lifespan: 1 hour (3600s)
Implicit Flow Lifespan: 15 minutes (900s)
SSO Session Idle: 30 minutes (1800s)
SSO Session Max: 10 hours (36000s)
Offline Session Idle: 30 days (2592000s)
OIDC Endpoints
Authorization: /realms/alpha-members/protocol/openid-connect/auth
Token: /realms/alpha-members/protocol/openid-connect/token
UserInfo: /realms/alpha-members/protocol/openid-connect/userinfo
Logout: /realms/alpha-members/protocol/openid-connect/logout
JWKS: /realms/alpha-members/protocol/openid-connect/certs
Discovery: /realms/alpha-members/.well-known/openid-configuration
Theme Customization
Theme Structure
keycloak/themes/alpha/
├── theme.properties
├── login/
│ ├── theme.properties
│ ├── resources/css/login.css
│ └── messages/messages_en.properties
├── account/
└── email/
Theme Properties
parent=keycloak
import=common/keycloak
styles=css/login.css
locales=en
User Federation
LDAP Configuration
Vendor: Active Directory
Connection URL: ldaps://ldap.corporate.com:636
Users DN: OU=Users,DC=corporate,DC=com
Username Attribute: sAMAccountName
Edit Mode: READ_ONLY
Sync Mode: IMPORT
Security Best Practices
- Enable brute force protection
- Require email verification
- Use SSL/TLS in production (sslRequired: all)
- Configure proper token lifetimes
- Enable audit logging
- Use PKCE for public clients
- Implement MFA for admin roles
Project Files
- Realm Config:
keycloak/realm-config/alpha-realm.json - Docker:
docker/docker-compose.yml(keycloak service) - Themes:
keycloak/themes/alpha/
Related Agents
- keycloak-realm-admin - Realm and client management
- keycloak-theme-developer - Theme customization
- keycloak-identity-specialist - Federation and SSO
- keycloak-auth-flow-designer - Authentication flows
- keycloak-security-auditor - Security review
Troubleshooting
# Check Keycloak logs
docker logs keycloak -f --tail=100
# Test OIDC configuration
curl http://localhost:8080/realms/alpha-members/.well-known/openid-configuration
# Validate token
curl -X POST "http://localhost:8080/realms/alpha-members/protocol/openid-connect/token/introspect" \
-d "client_id=member-api" \
-d "client_secret=$CLIENT_SECRET" \
-d "token=$ACCESS_TOKEN"
Related Skills
markus41/writing-plans-enhanced
development
VerifiedTrustedCommunity
Enhanced plan-authoring skill with Pre-Writing context gathering, task metadata, non-TDD templates, Red Flags, telemetry, and an automated plan linter. Use when you have a spec or requirements for a multi-step task, before touching code.
13SKILL.mdUpdated Apr 25, 2026
markus41/plugins/scrapin-aint-easy
tools
VerifiedTrustedCommunity
Documentation intelligence engine with graph-based API docs, algorithm library, and drift detection
13SKILL.mdUpdated Apr 17, 2026
markus41/ultraplan
tools
VerifiedTrustedCommunity
Ultraplan cloud planning — kick off a plan in the cloud from your terminal, review and revise in the browser, then execute remotely or send back to CLI
13SKILL.mdUpdated Apr 17, 2026
markus41/plugins/claude-code-expert/skills/mcp
tools
VerifiedTrustedCommunity
--- name: mcp description: Configure MCP servers for Claude Code — stdio vs HTTP, authentication, Tools/Resources/Prompts distinction, channels (CI webhook, mobile relay, Discord bridge, fakechat), and cost of always-loaded tools. Use this skill whenever adding an MCP server, debugging connection issues, choosing between MCP Tools vs Prompts vs Resources, installing channel servers, or managing .mcp.json. Triggers on: "MCP server", "mcp config", "add Obsidian MCP", "install context7", "channels"
13SKILL.mdUpdated Apr 17, 2026