Keycloak · Authenticationadvanced

Keycloak Realm Export

A trimmed Keycloak realm export with a client, token lifetimes and password policy — the shape you import to bootstrap a realm.

keycloakoidcssoauthenticationrealm

Preview

{
  "realm": "example",
  "enabled": true,
  "sslRequired": "external",
  "accessTokenLifespan": 300,
  "ssoSessionIdleTimeout": 1800,
  "passwordPolicy": "length(12) and upperCase(1) and digits(1)",
  "clients": [
    {
      "clientId": "web-app",
      "enabled": true,
      "publicClient": false,
      "standardFlowEnabled": true,
      "directAccessGrantsEnabled": false,
      "redirectUris": [
        "https://app.example.com/*"
      ],
      "webOrigins": [
        "https://app.example.com"
      ],
      "protocol": "openid-connect"
    }
  ],
  "roles": {
    "realm": [
      {
        "name": "user"
      },
      {
        "name": "admin"
      }
    ]
  }
}

AI actions

Documentation

Purpose

Define a Keycloak realm — its clients, token settings and policies — as an importable JSON export.

When to use

Bootstrapping a realm via `kc.sh import`, or version-controlling realm configuration.

Required fields

  • realm — the realm name
  • enabled — whether the realm is active
  • clients — the applications registered in the realm

Optional fields

  • accessTokenLifespan / ssoSessionIdleTimeout — token/session timing
  • passwordPolicy — enforced password rules
  • roles — realm and client roles

Best practices

  • Keep publicClient=false + a confidential secret for server apps.
  • Set standardFlowEnabled (auth code) and disable implicit/direct grant.
  • Enforce a strong passwordPolicy.

Security considerations

  • Never commit real client secrets — export with secrets scrubbed.
  • Restrict redirectUris to exact URLs.
  • Keep access token lifespans short; rely on refresh tokens.