
openremote/keycloak


Keycloak

Docker Image

Keycloak docker image built for postgres with:

  • Default env variable values assume the container runs behind a reverse proxy that sends X-Forwarded-* headers (these env variables can be changed; see the Keycloak documentation)
  • Enables metrics and health endpoints by default
  • Adds custom functionality that fixes the token 'issuer' by setting KEYCLOAK_ISSUER_BASE_URI (e.g. KEYCLOAK_ISSUER_BASE_URI: https://192.168.1.2/auth). This allows a private deployment to be accessed over a reverse tunnel. When using this you also need to set the following; because this relaxes Keycloak's own hostname check, precaution should be taken to validate the Host header in the reverse proxy:
    • KC_HOSTNAME:
    • KC_HOSTNAME_STRICT: false
  • OpenRemote theme embedded and set as default
  • Request path set to /auth (like older versions of Keycloak, to simplify usage behind a reverse proxy)
  • Listener to configure the roles of self-registered users. Roles are set using the KEYCLOAK_SELF_REGISTERED_USER_ROLES environment variable;
    the JSON structure is:
{
  "realmRoles" : [ "restricted_user" ],
  "clientRoles" : [
    {
      "client": "openremote",
      "roles": [
        "read:assets",
        "write:attributes"
      ]
    }
  ]
}

When assigning this JSON to the environment variable, it must be enclosed in double quotes and the inner quotes must be properly escaped.
This can be done e.g. by piping it through jq -c | sed 's/"/\\"/g', which results in "{\"realmRoles\":[\"restricted_user\"],\"clientRoles\":[{\"client\":\"openremote\",\"roles\":[\"read:assets\",\"write:attributes\"]}]}"
The listener is not enabled by default: in the Keycloak admin console, under Realm settings - Events - Event listeners, add self-register-user-configure to the list.
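As an added example (not code from the openremote/keycloak project), the following Python script builds the roles JSON described above, checks that it has the documented shape, and produces the escaped value the same way the jq -c | sed pipeline does, then parses it back as the listener would see it. The validation rules are assumptions derived from the structure shown here.

```python
import json

# Constructed example following the README's documented structure.
SELF_REGISTERED_ROLES = {
    "realmRoles": ["restricted_user"],
    "clientRoles": [
        {"client": "openremote", "roles": ["read:assets", "write:attributes"]}
    ],
}


def validate_roles(config):
    """Reject anything that does not match the documented shape (assumed rules)."""
    if not isinstance(config, dict):
        raise ValueError("top level must be a JSON object")
    realm = config.get("realmRoles", [])
    if not isinstance(realm, list) or not all(isinstance(r, str) and r for r in realm):
        raise ValueError("realmRoles must be a list of non-empty strings")
    for entry in config.get("clientRoles", []):
        if not isinstance(entry, dict) or not isinstance(entry.get("client"), str):
            raise ValueError("each clientRoles entry needs a string 'client'")
        roles = entry.get("roles")
        if not isinstance(roles, list) or not all(isinstance(r, str) and r for r in roles):
            raise ValueError(f"client {entry.get('client')!r}: roles must be non-empty strings")
    unknown = set(config) - {"realmRoles", "clientRoles"}
    if unknown:
        raise ValueError(f"unexpected keys: {sorted(unknown)}")
    return True


def to_env_value(config):
    """Compact the JSON (like jq -c), escape quotes (like the sed step), wrap in double quotes."""
    validate_roles(config)
    compact = json.dumps(config, separators=(",", ":"))
    return '"' + compact.replace('"', '\\"') + '"'


def from_env_value(value):
    """Undo the quoting the way the shell/listener will, then parse and re-validate."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError("value must be enclosed in double quotes")
    config = json.loads(value[1:-1].replace('\\"', '"'))
    validate_roles(config)
    return config


if __name__ == "__main__":
    env_value = to_env_value(SELF_REGISTERED_ROLES)
    print(f"KEYCLOAK_SELF_REGISTERED_USER_ROLES={env_value}")
    assert from_env_value(env_value) == SELF_REGISTERED_ROLES
```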

Working on the OpenRemote theme

The openremote theme template files are located in src/main/resources/theme/openremote; to work on the OpenRemote theme use:

docker run --rm -p 8081:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=secret -e KEYCLOAK_DEFAULT_THEME=dev -e KC_HOSTNAME_PORT=8081 -e KEYCLOAK_START_COMMAND=start-dev -e KEYCLOAK_START_OPTS="--spi-theme-static-max-age=-1 --spi-theme-cache-themes=false --spi-theme-cache-templates=false" --mount type=bind,src=$PWD/src/main/resources/theme/openremote,dst=/deployment/keycloak/themes/dev openremote/keycloak:latest

Then access http://localhost:8081/; any changes made to the template files are reloaded in real time by simply refreshing the browser window.

To get the standard themes for reference use the following (replace ID with the ID of the running container and ${VERSION} with the actual Keycloak version used):

docker cp ID:/opt/keycloak/lib/lib/main/org.keycloak.keycloak-themes-${VERSION}.jar ./
