Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 4. Enabling and configuring the Keycloak plugin

The Keycloak backend plugin, which integrates Keycloak into Developer Hub, has the following capabilities:

  • Synchronization of Keycloak users in a realm.
  • Synchronization of Keycloak groups and their users in a realm.
Note

The supported Red Hat Build of Keycloak (RHBK) version is 26.0.

4.1. Enabling the Keycloak plugin
Copy link

Prerequisites

  • To enable the Keycloak plugin, you must set the following environment variables:

    • KEYCLOAK_BASE_URL
    • KEYCLOAK_LOGIN_REALM
    • KEYCLOAK_REALM
    • KEYCLOAK_CLIENT_ID
    • KEYCLOAK_CLIENT_SECRET

Procedure

  1. The Keycloak plugin is pre-loaded in Developer Hub with basic configuration properties. To enable it, set the disabled property to false as follows: 

    global:
  dynamic:
    includes:
      - dynamic-plugins.default.yaml
    plugins:
      - package: ./dynamic-plugins/dist/backstage-community-plugin-catalog-backend-module-keycloak-dynamic
        disabled: false
    Copy to Clipboard Toggle word wrap

4.2. Configuring the Keycloak plugin
Copy link

Procedure

  1. To configure the Keycloak plugin, add the following in your app-config.yaml file:

    schedule

    Configure the schedule frequency, timeout, and initial delay. The fields support cron, ISO duration, "human duration" as used in code. 

         catalog:
       providers:
         keycloakOrg:
           default:
             schedule:
               frequency: { minutes: 1 }
               timeout: { minutes: 1 }
               initialDelay: { seconds: 15 }
    Copy to Clipboard Toggle word wrap
    userQuerySize and groupQuerySize

    Optionally, configure the Keycloak query parameters to define the number of users and groups to query at a time. Default values are 100 for both fields. 

       catalog:
     providers:
       keycloakOrg:
         default:
           userQuerySize: 100
           groupQuerySize: 100
    Copy to Clipboard Toggle word wrap
    Authentication

    Communication between Developer Hub and Keycloak is enabled by using the Keycloak API. Username and password, or client credentials are supported authentication methods.

    The following table describes the parameters that you can configure to enable the plugin under catalog.providers.keycloakOrg.<ENVIRONMENT_NAME> object in the app-config.yaml file:

    Expand
    NameDescriptionDefault ValueRequired

    baseUrl

    Location of the Keycloak server, such as https://localhost:8443/auth.

    ""

    Yes

    realm

    Realm to synchronize

    master

    No

    loginRealm

    Realm used to authenticate

    master

    No

    username

    Username to authenticate

    ""

    Yes if using password based authentication

    password

    Password to authenticate

    ""

    Yes if using password based authentication

    clientId

    Client ID to authenticate

    ""

    Yes if using client credentials based authentication

    clientSecret

    Client Secret to authenticate

    ""

    Yes if using client credentials based authentication

    userQuerySize

    Number of users to query at a time

    100

    No

    groupQuerySize

    Number of groups to query at a time

    100

    No

  2. When using client credentials

    1. Set the access type to confidential.
    2. Enable service accounts.

    3. Add the following roles from the realm-management client role:

      • query-groups
      • query-users
      • view-users

  3. Optionally, if you have self-signed or corporate certificate issues, you can set the following environment variable before starting Developer Hub: 

    NODE_TLS_REJECT_UNAUTHORIZED=0
    Copy to Clipboard Toggle word wrap
    Warning

    Setting the environment variable is not recommended.

4.3. Keycloack plugin metrics
Copy link

The Keycloak backend plugin supports OpenTelemetry metrics that you can use to monitor fetch operations and diagnose potential issues.

4.3.1. Available Counters
Copy link

Expand
Table 4.1. Keycloak metrics
Metric NameDescription

backend_keycloak_fetch_task_failure_count_total

Counts fetch task failures where no data was returned due to an error.

backend_keycloak_fetch_data_batch_failure_count_total

Counts partial data batch failures. Even if some batches fail, the plugin continues fetching others.

4.3.2. Labels
Copy link

All counters include the taskInstanceId label, which uniquely identifies each scheduled fetch task. You can use this label to trace failures back to individual task executions.

Users can enter queries in the Prometheus UI or Grafana to explore and manipulate metric data.

In the following examples, a Prometheus Query Language (PromQL) expression returns the number of backend failures.

Example to get the number of backend failures associated with a taskInstanceId

backend_keycloak_fetch_data_batch_failure_count_total{taskInstanceId="df040f82-2e80-44bd-83b0-06a984ca05ba"} 1
Copy to Clipboard Toggle word wrap

Example to get the number of backend failures during the last hour

sum(backend_keycloak_fetch_data_batch_failure_count_total) - sum(backend_keycloak_fetch_data_batch_failure_count_total offset 1h)
Copy to Clipboard Toggle word wrap

Note

PromQL supports arithmetic operations, comparison operators, logical/set operations, aggregation, and various functions. Users can combine these features to analyze time-series data effectively.

Additionally, the results can be visualized using Grafana.

4.3.3. Exporting Metrics
Copy link

You can export metrics using any OpenTelemetry-compatible backend, such as Prometheus.

Additional resources

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat