Keycloak
Overview
Keycloak digunakan sebagai Identity Provider untuk SSO dan JWT token management.
Configuration
Docker Compose
keycloak:
image: quay.io/keycloak/keycloak:26.0.7
container_name: keycloak
command:
- start-dev
- --import-realm
environment:
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: Admin123!
KC_HTTP_ENABLED: 'true'
KC_HEALTH_ENABLED: 'true'
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://10.8.0.48:5444/keycloak_db
KC_DB_USERNAME: keycloak
KC_DB_PASSWORD: KeycloakBjbs2026!
KC_HOSTNAME: '10.8.0.48'
ports:
- "8080:8080"
volumes:
- ./configs/keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro
mem_limit: 1g
cpus: "1.00"
Realm Configuration
log-monitoring Realm
{
"realm": "log-monitoring",
"enabled": true,
"registrationAllowed": false,
"loginWithEmailAllowed": true,
"duplicateEmailsAllowed": false,
"resetPasswordAllowed": true,
"editUsernameAllowed": false,
"bruteForceProtected": true,
"permanentLockout": false,
"maxFailureWaitSeconds": 900,
"minimumQuickLoginWaitSeconds": 60,
"waitIncrementSeconds": 60
}
Client Configuration
backend-api Client
{
"clientId": "backend-api",
"name": "CLM Backend API",
"enabled": true,
"protocol": "openid-connect",
"publicClient": false,
"secret": "backend-api-secret",
"directAccessGrantsEnabled": true,
"standardFlowEnabled": false,
"serviceAccountsEnabled": true,
"redirectUris": [],
"webOrigins": []
}
User Configuration
Default Users
| Username | Password | Roles | |
|---|---|---|---|
| admin | Admin123! | admin@bjbsyariah.co.id | admin |
| operator1 | Oper@123! | operator1@bjbsyariah.co.id | it-ops |
| auditor1 | Audit@123! | auditor1@bjbsyariah.co.id | compliance |
| viewer1 | View@123! | viewer1@bjbsyariah.co.id | executive |
Realm Roles
| Role | Description |
|---|---|
| admin | Full system access |
| it-ops | IT Operations |
| security | Security team |
| compliance | Compliance team |
| executive | Executive management |
| network-infra | Network & Infrastructure |
| helpdesk | Help desk support |
Access
Web Console
http://localhost:8080
Admin Console
http://localhost:8080/admin
Credentials
| Username | Password |
|---|---|
| admin | Admin123! |
API
Token Endpoint
curl -X POST http://localhost:8080/realms/log-monitoring/protocol/openid-connect/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password" \
-d "client_id=backend-api" \
-d "client_secret=backend-api-secret" \
-d "username=admin" \
-d "password=Admin123!"
Response
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"expires_in": 300,
"refresh_token": "...",
"token_type": "Bearer",
"scope": "openid profile email"
}
User Management
Create User
curl -X POST http://localhost:8080/admin/realms/log-monitoring/users \
-H "Authorization: Bearer <admin-token>" \
-H "Content-Type: application/json" \
-d '{
"username": "newuser",
"email": "newuser@bjbsyariah.co.id",
"enabled": true,
"emailVerified": true
}'
Assign Role
curl -X POST http://localhost:8080/admin/realms/log-monitoring/users/{user-id}/role-mappings/realm \
-H "Authorization: Bearer <admin-token>" \
-H "Content-Type: application/json" \
-d '[{"id": "role-id", "name": "it-ops"}]'
Troubleshooting
Check Logs
docker logs keycloak --tail 100
Reset Admin Password
docker exec keycloak /opt/keycloak/bin/kc.sh.sh \
config-credentials --server http://localhost:8080 \
--user admin --password Admin123!
Next Steps
- RBAC - Role-Based Access Control
- Authentication - Backend auth
- Audit Trail - Audit logging