Keycloak
Keycloak is the Identity and Access Management (IAM) system for AgentStack. It handles user authentication, OAuth2/OIDC flows, and token issuance.
Details
| Field | Value |
|---|---|
| Admin URL | https://keycloak.icydesert-76825898.southindia.azurecontainerapps.io/admin |
| OIDC Discovery | <base-url>/realms/<realm>/.well-known/openid-configuration |
| Azure name | keycloak |
| Resource group | testing |
| Environment | cerebro-auth-env (South India) |
| Image | ca45076245feacr.azurecr.io/keycloak:26.0-agentstack-1b7240f |
| Port | 8080 |
| Version | 26.0 (custom AgentStack build) |
Database
Keycloak stores all user and realm data in PostgreSQL:
- Server: cerebro-authstack-pg
- Database: keycloak
How to Access the Admin Console
- Go to: https://keycloak.icydesert-76825898.southindia.azurecontainerapps.io/admin
- Log in with the admin credentials stored in Key Vault → cerebro-auth-kv-62be6d5f
  - Secret name: keycloak-admin-password (or similar; check Key Vault)
Common Admin Tasks
Create a new realm
Admin Console → left menu → dropdown → Create Realm
Create a client (OAuth2 app)
Admin Console → Realm → Clients → Create client
- Client type: OpenID Connect
- Client ID: name of your app
- Authentication: Standard flow + Client credentials
Add a user
Admin Console → Realm → Users → Add user
Get realm OIDC config
curl https://keycloak.icydesert-76825898.southindia.azurecontainerapps.io/realms/master/.well-known/openid-configuration
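The container listens on port 8080 while clients reach Keycloak over the https URL, so it is worth checking that the discovery document advertises the public https origin and not an internal one. The following is an added example, not part of the AgentStack code base; the host `keycloak.example.test`, the realm `demo`, the sample documents and the script name `check.py` are assumptions made for illustration.

```python
import json
import sys
from urllib.parse import urlsplit

REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")
OPTIONAL = ("userinfo_endpoint", "end_session_endpoint")


def check_discovery(doc, base_url, realm):
    """Return findings for a discovery document; an empty list means it is consistent."""
    expected_issuer = f"{base_url.rstrip('/')}/realms/{realm}"
    expected = urlsplit(expected_issuer)
    findings = []
    if doc.get("issuer") != expected_issuer:
        findings.append(f"issuer is {doc.get('issuer')!r}, expected {expected_issuer!r}")
    for key in REQUIRED + OPTIONAL:
        value = doc.get(key)
        if value is None:
            if key in REQUIRED:
                findings.append(f"{key} is missing")
            continue
        url = urlsplit(str(value))
        if url.scheme != "https":
            findings.append(f"{key} is not https: {value}")
        if url.netloc != expected.netloc:
            findings.append(f"{key} is on a different host: {url.netloc}")
        if not url.path.startswith(expected.path + "/"):
            findings.append(f"{key} is outside the realm path: {url.path}")
    return findings


# Constructed sample documents (hypothetical host and realm, not the real deployment).
BASE, REALM = "https://keycloak.example.test", "demo"
OIDC = f"{BASE}/realms/{REALM}/protocol/openid-connect"
GOOD = {
    "issuer": f"{BASE}/realms/{REALM}",
    "authorization_endpoint": f"{OIDC}/auth",
    "token_endpoint": f"{OIDC}/token",
    "jwks_uri": f"{OIDC}/certs",
}
# Constructed misconfiguration: plain HTTP on the container port leaks into the document.
INTERNAL = f"http://keycloak.example.test:8080/realms/{REALM}"
BAD = dict(GOOD, issuer=INTERNAL, token_endpoint=f"{INTERNAL}/protocol/openid-connect/token")

if __name__ == "__main__":
    # Hypothetical usage: curl -s <discovery-url> | python check.py <base-url> <realm>
    live = len(sys.argv) == 3
    doc = json.load(sys.stdin) if live else BAD
    base, realm = sys.argv[1:3] if live else (BASE, REALM)
    for finding in check_discovery(doc, base, realm):
        print("FINDING:", finding)
```

An empty result means the issuer and every advertised endpoint sit under the expected `<base-url>/realms/<realm>` over https.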
How to Update the Image
The image is a custom build. To update:
# From the Keycloak source directory
az acr build \
  --registry ca45076245feacr \
  --resource-group testing \
  --image keycloak:26.0-agentstack-<new-tag> \
  .

az containerapp update \
  --name keycloak \
  --resource-group testing \
  --image ca45076245feacr.azurecr.io/keycloak:26.0-agentstack-<new-tag>
View Logs
az containerapp logs show \
  --name keycloak \
  --resource-group testing \
  --tail 100
Warning: Never delete the master realm or admin user in production. This will lock you out permanently.