All configuration

Complete list of all build options and configuration for Keycloak

Cluster

Type Default

cache

Defines the cache mechanism for high-availability.

By default, a 'ispn' cache is used to create a cluster between multiple server nodes. A 'local' cache disables clustering and is intended for development and testing purposes.

CLI: --cache

Env: KC_CACHE

Values: local, ispn

Default: ispn

cache-config-file

Defines the file from which cache configuration should be loaded.

CLI: --cache-config-file

Env: KC_CACHE_CONFIG_FILE

cache-stack

Define the default stack to use for cluster communication and node discovery.

This option only takes effect if 'cache' is set to 'ispn'. Default: udp.

CLI: --cache-stack

Env: KC_CACHE_STACK

Values: tcp, udp, kubernetes, ec2, azure, google

Database

Type Default

db

The database vendor.

Possible values are: dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres

CLI: --db

Env: KC_DB

Values: dev-file, dev-mem, mariadb, mssql, mysql, oracle, postgres

db-password

The password of the database user.

CLI: --db-password

Env: KC_DB_PASSWORD

db-pool-initial-size

The initial size of the connection pool.

CLI: --db-pool-initial-size

Env: KC_DB_POOL_INITIAL_SIZE

db-pool-max-size

The maximum size of the connection pool.

CLI: --db-pool-max-size

Env: KC_DB_POOL_MAX_SIZE

Default: 100

db-pool-min-size

The minimal size of the connection pool.

CLI: --db-pool-min-size

Env: KC_DB_POOL_MIN_SIZE

db-schema

The database schema to be used.

CLI: --db-schema

Env: KC_DB_SCHEMA

db-url

The full database JDBC URL.

If not provided, a default URL is set based on the selected database vendor. For instance, if using 'postgres', the default JDBC URL would be 'jdbc:postgresql://localhost/keycloak'.

CLI: --db-url

Env: KC_DB_URL

db-url-database

Sets the database name of the default JDBC URL of the chosen vendor.

If the db-url option is set, this option is ignored.

CLI: --db-url-database

Env: KC_DB_URL_DATABASE

db-url-host

Sets the hostname of the default JDBC URL of the chosen vendor.

If the db-url option is set, this option is ignored.

CLI: --db-url-host

Env: KC_DB_URL_HOST

db-url-port

Sets the port of the default JDBC URL of the chosen vendor.

If the db-url option is set, this option is ignored.

CLI: --db-url-port

Env: KC_DB_URL_PORT

db-url-properties

Sets the properties of the default JDBC URL of the chosen vendor.

If the db-url option is set, this option is ignored.

CLI: --db-url-properties

Env: KC_DB_URL_PROPERTIES

db-username

The username of the database user.

CLI: --db-username

Env: KC_DB_USERNAME

Transaction

Type Default

transaction-xa-enabled

Manually override the transaction type.

Transaction type XA and the appropriate driver is used by default.

CLI: --transaction-xa-enabled

Env: KC_TRANSACTION_XA_ENABLED

Values: true, false

Default: true

Feature

Type Default

features

Enables a set of one or more features.

CLI: --features

Env: KC_FEATURES

Values: authorization, account2, account-api, admin-fine-grained-authz, admin2, docker, impersonation, openshift-integration, scripts, token-exchange, web-authn, client-policies, ciba, map-storage, par, declarative-user-profile, dynamic-scopes, client-secret-rotation, step-up-authentication, recovery-codes, preview

features-disabled

Disables a set of one or more features.

CLI: --features-disabled

Env: KC_FEATURES_DISABLED

Values: authorization, account2, account-api, admin-fine-grained-authz, admin2, docker, impersonation, openshift-integration, scripts, token-exchange, web-authn, client-policies, ciba, map-storage, par, declarative-user-profile, dynamic-scopes, client-secret-rotation, step-up-authentication, recovery-codes, preview

Hostname

Type Default

hostname

Hostname for the Keycloak server.

CLI: --hostname

Env: KC_HOSTNAME

hostname-path

This should be set if the proxy uses a different context-path for Keycloak.

CLI: --hostname-path

Env: KC_HOSTNAME_PATH

hostname-port

The port used by the proxy when exposing the hostname.

Set this option if the proxy uses a port other than the default HTTP and HTTPS ports.

CLI: --hostname-port

Env: KC_HOSTNAME_PORT

Default: -1

hostname-strict

Disables dynamically resolving the hostname from request headers.

Should always be set to true in production, unless the proxy verifies the Host header.

CLI: --hostname-strict

Env: KC_HOSTNAME_STRICT

Values: true, false

Default: true

hostname-strict-backchannel

By default, backchannel URLs are dynamically resolved from request headers to allow internal and external applications.

If all applications use the public URL this option should be enabled.

CLI: --hostname-strict-backchannel

Env: KC_HOSTNAME_STRICT_BACKCHANNEL

Values: true, false

Default: false

HTTP/TLS

Type Default

http-enabled

Enables the HTTP listener.

CLI: --http-enabled

Env: KC_HTTP_ENABLED

Values: true, false

Default: false

http-host

The used HTTP Host.

CLI: --http-host

Env: KC_HTTP_HOST

Default: 0.0.0.0

http-port

The used HTTP port.

CLI: --http-port

Env: KC_HTTP_PORT

Default: 8080

http-relative-path

Set the path relative to '/' for serving resources.

CLI: --http-relative-path

Env: KC_HTTP_RELATIVE_PATH

Default: /

https-certificate-file

The file path to a server certificate or certificate chain in PEM format.

CLI: --https-certificate-file

Env: KC_HTTPS_CERTIFICATE_FILE

https-certificate-key-file

The file path to a private key in PEM format.

CLI: --https-certificate-key-file

Env: KC_HTTPS_CERTIFICATE_KEY_FILE

https-cipher-suites

The cipher suites to use.

If none is given, a reasonable default is selected.

CLI: --https-cipher-suites

Env: KC_HTTPS_CIPHER_SUITES

https-client-auth

Configures the server to require/request client authentication.

Possible Values: none, request, required.

CLI: --https-client-auth

Env: KC_HTTPS_CLIENT_AUTH

Values: none, request, required

Default: none

https-key-store-file

The key store which holds the certificate information instead of specifying separate files.

CLI: --https-key-store-file

Env: KC_HTTPS_KEY_STORE_FILE

https-key-store-password

The password of the key store file.

CLI: --https-key-store-password

Env: KC_HTTPS_KEY_STORE_PASSWORD

Default: password

https-key-store-type

The type of the key store file.

If not given, the type is automatically detected based on the file name.

CLI: --https-key-store-type

Env: KC_HTTPS_KEY_STORE_TYPE

https-port

The used HTTPS port.

CLI: --https-port

Env: KC_HTTPS_PORT

Default: 8443

https-protocols

The list of protocols to explicitly enable.

CLI: --https-protocols

Env: KC_HTTPS_PROTOCOLS

Default: TLSv1.3

https-trust-store-file

The trust store which holds the certificate information of the certificates to trust.

CLI: --https-trust-store-file

Env: KC_HTTPS_TRUST_STORE_FILE

https-trust-store-password

The password of the trust store file.

CLI: --https-trust-store-password

Env: KC_HTTPS_TRUST_STORE_PASSWORD

https-trust-store-type

The type of the trust store file.

If not given, the type is automatically detected based on the file name.

CLI: --https-trust-store-type

Env: KC_HTTPS_TRUST_STORE_TYPE

Health

Type Default

health-enabled

If the server should expose health check endpoints.

If enabled, health checks are available at the '/health', '/health/ready' and '/health/live' endpoints.

CLI: --health-enabled

Env: KC_HEALTH_ENABLED

Values: true, false

Default: false

Metrics

Type Default

metrics-enabled

If the server should expose metrics.

If enabled, metrics are available at the '/metrics' endpoint.

CLI: --metrics-enabled

Env: KC_METRICS_ENABLED

Values: true, false

Default: false

Proxy

Type Default

proxy

The proxy address forwarding mode if the server is behind a reverse proxy.

Possible values are: edge, reencrypt, passthrough

CLI: --proxy

Env: KC_PROXY

Values: edge, reencrypt, passthrough

Default: none

Vault

Type Default

vault

Enables a vault provider.

CLI: --vault

Env: KC_VAULT

Values: file, hashicorp

vault-dir

If set, secrets can be obtained by reading the content of files within the given directory.

CLI: --vault-dir

Env: KC_VAULT_DIR

Logging

Type Default

log

Enable one or more log handlers in a comma-separated list.

Available log handlers are: console,file

CLI: --log

Env: KC_LOG

Values: console, file, console,file, file,console

Default: console

log-console-color

Enable or disable colors when logging to console.

CLI: --log-console-color

Env: KC_LOG_CONSOLE_COLOR

Default: false

log-console-format

The format of unstructured console log entries.

If the format has spaces in it, escape the value using "<format>".

CLI: --log-console-format

Env: KC_LOG_CONSOLE_FORMAT

Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n

log-console-output

Set the log output to JSON or default (plain) unstructured logging.

CLI: --log-console-output

Env: KC_LOG_CONSOLE_OUTPUT

Values: default, json

Default: default

log-file

Set the log file path and filename.

CLI: --log-file

Env: KC_LOG_FILE

Default: data/log/keycloak.log

log-file-format

Set a format specific to file log entries.

CLI: --log-file-format

Env: KC_LOG_FILE_FORMAT

Default: %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n

log-level

The log level of the root category or a comma-separated list of individual categories and their levels.

For the root category, you don’t need to specify a category.

CLI: --log-level

Env: KC_LOG_LEVEL

Default: info
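The following is an added example, not code from the Keycloak project: a Python check over the KC_* environment variables listed on this page that flags values the descriptions mark as development-only or unsuitable for production. The function name audit_keycloak_env and both sample environments are constructed for illustration; the rule for plain HTTP and the comma-separated protocol list are assumptions noted in the comments.

```python
import os

# Constructed sample environments (not taken from a real deployment).
SAMPLE_DEV = {
    "KC_CACHE": "local", "KC_DB": "dev-file", "KC_HOSTNAME_STRICT": "false",
    "KC_HTTP_ENABLED": "true", "KC_HTTPS_PROTOCOLS": "TLSv1.3,TLSv1.1",
    "KC_HTTPS_KEY_STORE_FILE": "conf/server.keystore",
}
SAMPLE_PROD = {
    "KC_CACHE": "ispn", "KC_DB": "postgres", "KC_HOSTNAME": "id.example.org",
    "KC_PROXY": "edge", "KC_HTTP_ENABLED": "true",
}

def audit_keycloak_env(env):
    """Return (variable, message) findings for a mapping of KC_* settings."""
    def opt(name, default):
        return env.get(name, default).strip().lower()

    findings = []
    if opt("KC_CACHE", "ispn") == "local":
        findings.append(("KC_CACHE", "local cache disables clustering (dev/test only)"))
    if opt("KC_DB", "") in ("dev-file", "dev-mem"):
        findings.append(("KC_DB", "development database vendor selected"))
    # Default is true; false resolves the hostname from request headers.
    if opt("KC_HOSTNAME_STRICT", "true") == "false":
        findings.append(("KC_HOSTNAME_STRICT",
                         "acceptable only if the proxy verifies the Host header"))
    # Assumption: plain HTTP is acceptable only behind a TLS-terminating
    # proxy, i.e. proxy mode 'edge'.
    if opt("KC_HTTP_ENABLED", "false") == "true" and opt("KC_PROXY", "none") != "edge":
        findings.append(("KC_HTTP_ENABLED", "HTTP listener on without proxy=edge"))
    # The documented default key store password is the literal 'password'.
    if ("KC_HTTPS_KEY_STORE_FILE" in env
            and env.get("KC_HTTPS_KEY_STORE_PASSWORD", "password") == "password"):
        findings.append(("KC_HTTPS_KEY_STORE_PASSWORD", "default key store password in use"))
    # Assumption: protocols are given as a comma-separated list.
    protocols = env.get("KC_HTTPS_PROTOCOLS", "TLSv1.3").split(",")
    legacy = [p.strip() for p in protocols if p.strip() not in ("", "TLSv1.3", "TLSv1.2")]
    if legacy:
        findings.append(("KC_HTTPS_PROTOCOLS", "legacy protocols enabled: " + ", ".join(legacy)))
    return findings

if __name__ == "__main__":
    for variable, message in audit_keycloak_env(dict(os.environ)):
        print(f"{variable}: {message}")
```

Run it inside the container or service environment that starts Keycloak so that it sees the same KC_* variables as the server.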
