Skip to content


Configure Keycloak

This guide will cover how to configure Keycloak as an identity provider for OpenFaaS IAM.

  1. Create a new client in your Keycloak realm with Client Type OpenID Connect.

    Keycloak client general settings

  2. Enable the Standard Flow (Authorization Code Flow) for the client.

    Keycloak client authentication flow settings

  3. Add the callback URLs for the CLI and dashboard to the list of valid redirect URIs.

    Add for the CLI. If you are deploying the OpenFaaS dashboard, add the redirect URI for your dashboard e.g

    Keycloak client allowed redirect url settings

  4. Register your Keycloak provider with OpenFaaS

    Register your Keycloak client as a trusted issuer for OpenFaaS IAM creating a JwtIssuer object in the OpenFaaS namespace.

    Example issuer for a Keycloak provider:

    kind: JwtIssuer
      namespace: openfaas
        - openfaas
      tokenExpiry: 12h

    Set the iss to the URL of your Keycloak provider.

    The aud field needs to contain a set of accepted audiences. For Keycloak this is the client id that was selected in the first step.

    The tokenExpiry field can be used to set the expiry time of the OpenFaaS access token.