## Keycloak

### Prerequisites

- Keycloak server deployed and accessible
- Admin access to Keycloak realm

### Configuration Steps

#### Step 1: Access Keycloak Admin Console

1. Navigate to Keycloak Admin Console: `https://[KEYCLOAK-URL]/admin`
2. Log in with admin credentials
3. Select your realm from the dropdown (top-left)

#### Step 2: Select or Create Client

1. Click **Clients** in the left sidebar
2. **If you have an existing client**: Click on it to open settings, then skip to Step 5
   - **If creating new**: Click **Create client** button

#### Step 3: Configure Client General Settings (New Clients Only)

1. In **General Settings**:
   - **Client type**: `OpenID Connect`
   - **Client ID**: Enter `frontegg-agentlink`
2. Click **Next**

#### Step 4: Configure Client Capability (New Clients Only)

1. In **Capability config** step:
   - **Client authentication**: Toggle `ON`
   - **Authorization**: Toggle `OFF` (unless needed)
   - **Authentication flow**: Enable:
     - Standard flow
     - Direct access grants
2. Click **Next**

#### Step 5: Configure Login Settings

1. **For new clients**: In **Login settings** step, configure:
   - **For existing clients**: Navigate to **Settings** tab, locate **Access settings** section:
   - **Valid redirect URIs**: Add (or append to existing):
     ```
     https://[YOUR-FRONTEGG-DOMAIN]/oauth/callback
     ```
   - **Valid post logout redirect URIs**: (optional)
     ```
     https://[YOUR-FRONTEGG-DOMAIN]/*
     ```
   - **Web origins**: Add:
     ```
     https://[YOUR-FRONTEGG-DOMAIN]
     ```
2. Click **Save**

#### Step 6: Obtain Credentials

1. In the client details page, navigate to **Credentials** tab
2. Copy **Client secret** value
3. Navigate to **Settings** tab to confirm your **Client ID** (e.g., `frontegg-agentlink`)
4. Construct your issuer URL:
   ```
   https://[KEYCLOAK-URL]/realms/[REALM-NAME]
   ```

#### Step 7: Configure Client Scopes (Optional but Recommended)

1. Navigate to **Client scopes** tab in client details
2. Ensure these scopes are assigned:
   - `openid`
   - `profile`
   - `email`
3. Click **Add client scope** if any scopes are missing

#### Configuration Values for Frontegg

```yaml
provider: keycloak
issuer_url: https://[KEYCLOAK-URL]/realms/[REALM-NAME]
client_id: frontegg-agentlink
client_secret: [from Credentials tab]
```
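
To confirm that a saved client matches Steps 3 to 5, the following added example (not part of the original guide, and not Keycloak or Frontegg code) audits a client's JSON export. The domain `app.example.test`, the sample export and the function name `audit_client` are assumptions made for illustration; the field names are those of Keycloak's client representation.

```python
import json

# Constructed sample: a trimmed client JSON export for a hypothetical
# Frontegg domain. It is not output from a real server.
FRONTEGG = "https://app.example.test"
SAMPLE_EXPORT = json.dumps({
    "clientId": "frontegg-agentlink",
    "protocol": "openid-connect",
    "publicClient": False,
    "standardFlowEnabled": True,
    "directAccessGrantsEnabled": True,
    "redirectUris": [FRONTEGG + "/oauth/callback"],
    "webOrigins": [FRONTEGG],
})

def audit_client(export_json, frontegg_origin, client_id="frontegg-agentlink"):
    """Return a list of findings; an empty list means Steps 3-5 are satisfied."""
    client = json.loads(export_json)
    findings = []
    expected = {
        "clientId": client_id,              # Step 3: Client ID
        "protocol": "openid-connect",       # Step 3: Client type OpenID Connect
        "publicClient": False,              # Step 4: Client authentication ON
        "standardFlowEnabled": True,        # Step 4: Standard flow
        "directAccessGrantsEnabled": True,  # Step 4: Direct access grants
    }
    for key, want in expected.items():
        if client.get(key) != want:
            findings.append(f"{key}: expected {want!r}, found {client.get(key)!r}")
    callback = frontegg_origin + "/oauth/callback"
    uris = client.get("redirectUris", [])
    if callback not in uris:                # Step 5: Valid redirect URIs
        findings.append(f"redirectUris: missing {callback}")
    for uri in uris:
        # A wildcard login redirect is broader than the exact callback in Step 5.
        if "*" in uri:
            findings.append(f"redirectUris: wildcard entry {uri}")
    if frontegg_origin not in client.get("webOrigins", []):  # Step 5: Web origins
        findings.append(f"webOrigins: missing {frontegg_origin}")
    return findings

if __name__ == "__main__":
    for line in audit_client(SAMPLE_EXPORT, FRONTEGG) or ["client matches Steps 3-5"]:
        print(line)
```
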