Keycloak · Authenticationadvanced
Keycloak Realm Export
A trimmed Keycloak realm export with a client, token lifetimes and password policy — the shape you import to bootstrap a realm.
keycloakoidcssoauthenticationrealm
Preview
{
"realm": "example",
"enabled": true,
"sslRequired": "external",
"accessTokenLifespan": 300,
"ssoSessionIdleTimeout": 1800,
"passwordPolicy": "length(12) and upperCase(1) and digits(1)",
"clients": [
{
"clientId": "web-app",
"enabled": true,
"publicClient": false,
"standardFlowEnabled": true,
"directAccessGrantsEnabled": false,
"redirectUris": [
"https://app.example.com/*"
],
"webOrigins": [
"https://app.example.com"
],
"protocol": "openid-connect"
}
],
"roles": {
"realm": [
{
"name": "user"
},
{
"name": "admin"
}
]
}
}AI actions
Documentation
Purpose
Define a Keycloak realm — its clients, token settings and policies — as an importable JSON export.
When to use
Bootstrapping a realm via `kc.sh import`, or version-controlling realm configuration.
Required fields
- realm — the realm name
- enabled — whether the realm is active
- clients — the applications registered in the realm
Optional fields
- accessTokenLifespan / ssoSessionIdleTimeout — token/session timing
- passwordPolicy — enforced password rules
- roles — realm and client roles
Best practices
- Keep publicClient=false + a confidential secret for server apps.
- Set standardFlowEnabled (auth code) and disable implicit/direct grant.
- Enforce a strong passwordPolicy.
Security considerations
- Never commit real client secrets — export with secrets scrubbed.
- Restrict redirectUris to exact URLs.
- Keep access token lifespans short; rely on refresh tokens.