Keycloak OAuth
Use Keycloak or any OIDC-compatible provider for authentication
Keycloak is an open-source identity and access management solution that provides single sign-on (SSO) capabilities. Storyden's Keycloak integration uses OpenID Connect (OIDC) discovery, which means it also works with other OIDC-compatible identity providers.
Configuration
Set these environment variables to enable Keycloak OAuth:
JWT_SECRET=your-random-secret-here
OAUTH_KEYCLOAK_ENABLED=true
OAUTH_KEYCLOAK_CLIENT_ID=your-client-id
OAUTH_KEYCLOAK_CLIENT_SECRET=your-client-secret
OAUTH_KEYCLOAK_ISSUER_URL=https://auth.example.com/realms/YourRealm
Setting Up Keycloak
Create an OpenID Connect client in your Keycloak realm with:
- Client authentication: Enabled
- Standard flow: Enabled
- Valid redirect URI: https://your-domain.com/auth/oauth_keycloak/callback
The issuer URL format is https://<keycloak-domain>/realms/<realm-name>.
OIDC Discovery
Storyden uses OIDC discovery to automatically configure endpoints from {issuer}/.well-known/openid-configuration. This means it works with any OIDC-compatible provider that supports discovery.
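A pre-deployment check of a configured issuer URL against its discovery document, as an added example (not Storyden's own code). The function names and the sample document are constructed for illustration; the check reports an issuer that differs from the configured value (a trailing slash is enough), endpoints that are not https, and a provider that does not offer the "code" response type used by the standard flow.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// metadata is the subset of OIDC provider metadata the standard flow relies on.
type metadata struct {
	Issuer        string   `json:"issuer"`
	Authorization string   `json:"authorization_endpoint"`
	Token         string   `json:"token_endpoint"`
	JWKS          string   `json:"jwks_uri"`
	ResponseTypes []string `json:"response_types_supported"`
}

// DiscoveryURL builds {issuer}/.well-known/openid-configuration without doubling a trailing slash.
func DiscoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

// CheckDiscovery lists the problems found in a discovery document for the configured issuer.
func CheckDiscovery(issuer string, doc []byte) (problems []string) {
	var m metadata
	if err := json.Unmarshal(doc, &m); err != nil {
		return []string{"invalid discovery JSON: " + err.Error()}
	}
	// The reported issuer must equal the configured value exactly, trailing slash included.
	if m.Issuer != issuer {
		problems = append(problems, fmt.Sprintf("issuer mismatch: configured %q, reported %q", issuer, m.Issuer))
	}
	for _, e := range [][2]string{{"authorization_endpoint", m.Authorization}, {"token_endpoint", m.Token}, {"jwks_uri", m.JWKS}} {
		// Assumption: plain http is tolerated only for a localhost development provider.
		u, err := url.Parse(e[1])
		if err != nil || u.Host == "" || (u.Scheme != "https" && u.Hostname() != "localhost") {
			problems = append(problems, e[0]+" missing or not https: "+e[1])
		}
	}
	if !strings.Contains(","+strings.Join(m.ResponseTypes, ",")+",", ",code,") { // standard flow needs "code"
		problems = append(problems, `response_types_supported lacks "code"`)
	}
	return problems
}

func main() {
	iss := "https://auth.example.com/realms/YourRealm" // constructed sample issuer and document
	doc := fmt.Sprintf(`{"issuer":"%[1]s","authorization_endpoint":"%[1]s/auth","token_endpoint":"%[1]s/token","jwks_uri":"%[1]s/certs","response_types_supported":["code"]}`, iss)
	fmt.Println(DiscoveryURL(iss), CheckDiscovery(iss+"/", []byte(doc)))
}
```

To check a real provider, fetch the URL returned by DiscoveryURL and pass the response body to CheckDiscovery together with the value set in OAUTH_KEYCLOAK_ISSUER_URL.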
Using with Other OIDC Providers
Since Storyden uses standard OIDC discovery, you can use this integration with other identity providers that support OIDC:
Authentik
OAUTH_KEYCLOAK_ISSUER_URL=https://auth.example.com/application/o/your-app/
Auth0
OAUTH_KEYCLOAK_ISSUER_URL=https://your-tenant.auth0.com/
Okta
OAUTH_KEYCLOAK_ISSUER_URL=https://your-domain.okta.com/oauth2/default
Azure AD / Microsoft Entra ID
OAUTH_KEYCLOAK_ISSUER_URL=https://login.microsoftonline.com/{tenant-id}/v2.0
Local Development
For local development, use http://localhost:3000 as the redirect URI in your Keycloak client and set PUBLIC_WEB_ADDRESS=http://localhost:3000.