NERSC/keycloak-demo


Keycloak OIDC Demo

This repository contains a Helm chart that deploys Keycloak as an OIDC provider for demonstrations.

Replace the placeholder values before you install anything.

Values you must update before use:

  • keycloak.image.repository
  • keycloak.adminPassword
  • keycloak.hostname
  • podSecurityContext.fsGroup
  • keycloak.containerSecurityContext.runAsUser
  • keycloak.containerSecurityContext.runAsGroup
  • postgresql.password
  • postgresql.containerSecurityContext.runAsUser
  • postgresql.containerSecurityContext.runAsGroup
  • keycloak.persistence.storageClassName
  • postgresql.persistence.storageClassName
  • realm.demoUser.password
  • realm.demoClient.redirectUris
  • realm.demoClient.webOrigins
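
A pre-install check for the list above, as an added example that is not part of this repository: it reports every required key that an override file leaves missing, empty, or identical to the chart default. It assumes both inputs are already parsed into nested dicts (for instance the output of `helm show values ./keycloak-oidc-demo` and your own values file, loaded with a YAML parser); the function names and the `CHANGEME` sample data are constructed for illustration.

```python
# Added example, not part of the chart. All sample values below are constructed.
REQUIRED = """
keycloak.image.repository keycloak.adminPassword keycloak.hostname
podSecurityContext.fsGroup
keycloak.containerSecurityContext.runAsUser keycloak.containerSecurityContext.runAsGroup
postgresql.password
postgresql.containerSecurityContext.runAsUser postgresql.containerSecurityContext.runAsGroup
keycloak.persistence.storageClassName postgresql.persistence.storageClassName
realm.demoUser.password realm.demoClient.redirectUris realm.demoClient.webOrigins
""".split()

_MISSING = object()  # sentinel: distinguishes "key absent" from a None value

def lookup(values, dotted):
    """Walk a nested dict by dotted path; return _MISSING if a segment is absent."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node

def unreplaced(defaults, overrides):
    """Required keys that are missing, empty, or unchanged from the chart default."""
    bad = []
    for key in REQUIRED:
        new = lookup(overrides, key)
        if new is _MISSING or new in ("", None, []) or new == lookup(defaults, key):
            bad.append(key)
    return bad

def set_path(values, dotted, value):
    """Helper used only to build the constructed samples below."""
    *parents, leaf = dotted.split(".")
    node = values
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value

# Constructed stand-in for the chart's values.yaml: every key holds a dummy default.
SAMPLE_DEFAULTS, SAMPLE_OVERRIDES = {}, {}
for key in REQUIRED:
    set_path(SAMPLE_DEFAULTS, key, "CHANGEME")
    # Constructed override: webOrigins forgotten, postgresql.password left at default.
    if key != "realm.demoClient.webOrigins":
        value = "CHANGEME" if key == "postgresql.password" else "site-" + key
        set_path(SAMPLE_OVERRIDES, key, value)

if __name__ == "__main__":
    for key in unreplaced(SAMPLE_DEFAULTS, SAMPLE_OVERRIDES):
        print("not replaced:", key)
```

Running a check like this in CI before `helm upgrade --install` keeps a demo deployment from going live with the chart's default admin, database, or demo-user credentials.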

The chart lives in keycloak-oidc-demo/ and includes:

  • Keycloak 26.x
  • PostgreSQL 16.x
  • A demo realm import
  • A demo OIDC client
  • TOTP MFA enrollment enforced through Keycloak's CONFIGURE_TOTP required action
  • Explicit container security contexts with dropped Linux capabilities
  • Placeholder defaults for UID, GID, image repository, hostname, storage class, and credentials

Install

helm upgrade --install keycloak-demo ./keycloak-oidc-demo \
  --namespace keycloak-demo \
  --create-namespace

MFA behavior

The seeded demo user is required to complete OTP setup on first login. FreeOTP works by scanning the QR code presented by Keycloak during the Configure OTP step.