Keycloak is installed on It is in a prototype phase for use with the Zuul admin API, and may be used by other OpenDev services in the future.

At a Glance



Apache is configured as a reverse proxy to [::1]:8080 and there is also a separate MariaDB database listening on [::1]:3306.


We currently have a “zuul” realm configured, and all user accounts within this realm get administrative access to the WebUI for The configuration basically follows upstream Zuul’s Configuring Keycloak Authentication document, but we extend the configuration by adding an infra-root group and a zuul-dedicated client scope within the zuul client with a group token mapper whose Token Claim Name is groups. The group mapping allows us to delegate administrative rights globally and on a per-tenant basis with admin-rule entries at the top of our main.yaml file.
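The following is an added example, not OpenDev's or Zuul's own code: a small checker that decodes a token payload and tests it against a rule keyed on the `groups` claim, using a simplified model of rule matching (conditions ORed, claims within one condition ANDed). The rule `groups: infra-root`, the usernames and the sample tokens are constructed assumptions; the second token shows what Keycloak emits when the group mapper's "Full group path" option is on.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token (header.payload.)."""
    return ".".join([_b64url({"alg": "none"}), _b64url(claims), ""])


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; no signature verification."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_matches(claims: dict, name: str, expected) -> bool:
    """List-valued claims (such as groups) match on membership."""
    value = claims.get(name)
    if isinstance(value, list):
        return expected in value
    return value is not None and value == expected


def rule_allows(conditions: list, claims: dict) -> bool:
    """Simplified model: any condition may match; all its claims must."""
    return any(
        all(claim_matches(claims, k, v) for k, v in cond.items())
        for cond in conditions
    )


# Assumed rule condition, keyed on the Token Claim Name from the page.
INFRA_ROOT_RULE = [{"groups": "infra-root"}]

# Constructed sample tokens.
TOKEN_OK = make_token({"preferred_username": "alice", "groups": ["infra-root"]})
TOKEN_FULL_PATH = make_token({"preferred_username": "bob", "groups": ["/infra-root"]})
TOKEN_NO_MAPPER = make_token({"preferred_username": "carol"})

if __name__ == "__main__":
    for label, tok in [("ok", TOKEN_OK), ("full path", TOKEN_FULL_PATH),
                       ("no mapper", TOKEN_NO_MAPPER)]:
        print(label, rule_allows(INFRA_ROOT_RULE, jwt_claims(tok)))
```

A token that carries `/infra-root` or no `groups` claim at all does not satisfy the rule, so the mapper settings are worth confirming against a real decoded token before relying on the group for access.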

Sysadmins should follow the :ref:`zuul-admins` instructions for adding their accounts to the zuul realm, if such access is desired.