I have been trying for quite some time to get a self-hosted Supabase instance to communicate with a self-hosted instance of Keycloak. I get the following error:
Unable+to+exchange+external+code:+6c4407d3-17ca-44c9-bf9c-c659a0f52e40.51dee7bb-fedb-4799-acd3-d9cfba80f36e.a2f16c7a-e0eb-46bd-9f69-9deb84df9113
Can someone provide the necessary docker-compose configuration, plus the required configuration for the Keycloak OAuth client, specifically the redirect URIs? Assume all Docker containers will be run from the same machine using localhost.
I am using one of the Supabase Next.js examples to test the auth.
1 Answer
Here's a Docker Compose example you can use to run Keycloak locally:
```yaml
version: '3.4'
services:
  keycloak:
    image: bitnami/keycloak
    restart: always
    ports:
      - 8080:8080
    environment:
      # Local-only admin credentials; change them for anything reachable beyond your machine
      KEYCLOAK_ADMIN_USER: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      # `postgres` is the name of the PostgreSQL service you still need to add to this file
      KEYCLOAK_DATABASE_HOST: postgres
      KEYCLOAK_DATABASE_PORT: 5432
      KEYCLOAK_DATABASE_NAME: keycloak
      KEYCLOAK_DATABASE_USER: keycloak
      KEYCLOAK_DATABASE_PASSWORD: keycloak
      # Realm JSON files in the import directory are only loaded when Keycloak starts with --import-realm
      KEYCLOAK_EXTRA_ARGS: "--import-realm"
    volumes:
      # Put your realm export (with the `supabase` client and its redirect URIs) in this directory
      - ./infrastructure/keycloak/realms:/opt/bitnami/keycloak/data/import
```
You should add a PostgreSQL service to it...
Now, if you are running Supabase and Keycloak locally using Docker, you are going to run into issues with redirection, e.g. when the Supabase Docker container tries to call the token endpoint, it won't work if you use localhost. Therefore, you should use another address, for example your local network IP.
On the Supabase side, you can use the CLI to initialize the project, which will create a config.toml file; make sure to configure your config.toml. Here are a couple of points:
```toml
[auth]
enabled = true
# The base URL of your website (the web app, e.g. the Next.js example). Used as an allow-list
# for redirects and for constructing URLs used in emails.
site_url = "http://127.0.0.1:8080"
# A list of *exact* URLs that auth providers are permitted to redirect to post authentication.
# "**" accepts any redirect target; acceptable on a local dev box only, list your app's URLs otherwise.
additional_redirect_urls = ["**"]
# ...

[auth.external.keycloak]
enabled = true
client_id = "supabase"
# DO NOT commit your OAuth provider secret to git. Use environment variable substitution instead:
secret = "env(SUPABASE_AUTH_EXTERNAL_KEYCLOAK_SECRET)"
# Overrides the default auth redirectUrl. Leave empty to keep the default; whichever URL is in
# effect must be registered, exactly, as a redirect URI on the Keycloak client.
# Default url is: http://127.0.0.1:54321/auth/v1/callback
redirect_uri = ""
# Overrides the default auth provider URL. Used to support self-hosted gitlab, single-tenant Azure,
# or any other third-party OIDC providers. This is called from inside the Supabase auth container,
# so use an address it can reach (your LAN IP), not localhost.
url = "http://YOUR_KEYCLOAK_HOST:YOUR_KEYCLOAK_PORT/realms/{your_realm}"
```
Hope this helps.