Skip to main content
Redhat Developers  Logo
  • Products

    Platforms

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat AI
      Red Hat AI
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • View All Red Hat Products

    Featured

    • Red Hat build of OpenJDK
    • Red Hat Developer Hub
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenShift Dev Spaces
    • Red Hat OpenShift Local
    • Red Hat Developer Sandbox

      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Secure Development & Architectures

      • Security
      • Secure coding
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • Product Documentation
    • API Catalog
    • Legacy Documentation
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Docker Authentication with Keycloak

October 31, 2017
Josh Cain
Related topics:
Containers

Share:

    Need to lock down your Docker registry?  Keycloak has you covered.

    As of version 3.2.0, Keycloak has the ability to act as an "authorization service" for Docker authentication. This means that the Keycloak IDP server can perform identity validation and token issuance when a Docker registry requires authentication. Administrators may now leverage the same user base, audit controls, and configuration mechanisms in Keycloak to extend their SSO ecosystem past OpenID Connect and SAML to cover Docker registries. The chart below illustrates how this flow works:

    Docker Authentication Flow

    This article will walk through how to set up a local Keycloak IDP and Docker registry to demonstrate the Docker authentication capability. Note that the configuration used in this tutorial is for demonstration purposes only, and should never be run in a production environment. Also, be advised that Docker authentication remains a community-supported feature. It is not covered by a support subscription.

    Configure the Keycloak Client and a Docker Registry

    Begin by spinning up a Keycloak instance.  Note that the docker feature must be explicitly enabled:

    docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=password jboss/keycloak -Dkeycloak.profile.feature.docker=enabled -b 0.0.0.0

    Once the container boots up, open your web browser and head to the Keycloak admin console. For the sake of this demonstration, we're going to use the master realm. However, in most real-world use cases, Docker registries will be configured against the primary realm or realms. Create a client for a Docker registry with the following steps. Don't worry about having a registry container or server handy yet; we'll get to that part in a bit.

    • Browse to the admin console at http://localhost:8080/auth/admin/master/console/and login with the credentials specified in the above command.
    • Choose Clients from the menu on the left side, and click the Create button.
    • Enter a meaningful name for ClientID, choose docker-v2 as the Client Protocol, and click Save.

    Add Docker Client

    A message will pop up indicating that the client was successfully created. At this point, the IDP is ready to interact with a Docker registry, so let's spin one up. Thankfully, Docker Compose can automate the process of creating and configuring a Docker registry to interact with our IDP.

    • Navigate to the Installation tab
    • Choose Docker Compose YAML as the Format Option
    • Click Download.

    Docker Compose Download

    Save the .zip to the desired location, and then unzip the archive. After unzipping, the resulting directory should look like this:

    keycloak-docker-compose-yaml
    ├── certs
    │   ├── localhost.crt
    │   ├── localhost.key
    │   └── localhost_trust_chain.pem
    ├── data
    ├── docker-compose.yaml
    └── README.md

    From the keycloak-docker-compose-yaml directory, simply execute the following command to spin up a local registry:

    docker-compose up

    Test Authentication

    Now that both the Keycloak IDP and the Docker registry have been configured and stood up locally, we can demonstrate authentication using the local Docker client. First, validate that the registry is protected by authentication:

    # docker pull localhost:5000/busybox
    Using default tag: latest
    Error response from daemon: Get https://localhost:5000/v2/busybox/manifests/latest: unauthorized: Invalid username or password.
    
    

    Note that the pull was unsuccessful because our client has not been authorized to access the registry. Now, log in with the same credentials previously used to gain access to the Keycloak console and observe a different message:

    # docker login -u admin localhost:5000
    Password: 
    Login Succeeded
    
    # docker pull localhost:5000/busybox
    Using default tag: latest
    Error response from daemon: manifest for localhost:5000/busybox:latest not found

    Observe that a new error message is presented - namely that the manifest could not be found.  This is due to the container and data volume start with an empty registry. Simply tagging and uploading an image will resolve this error message:

    # docker pull busybox
    Using default tag: latest
    latest: Pulling from library/busybox
    03b1be98f3f9: Pull complete 
    Digest: sha256:3e8fa85ddfef1af9ca85a5cfb714148956984e02f00bec3f7f49d3925a91e0e7
    Status: Downloaded newer image for busybox:latest 
    
    # docker tag busybox:latest localhost:5000/busybox:latest
    
    # docker push localhost:5000/busybox:latest
    The push refers to a repository [localhost:5000/busybox]
    6a749002dd6a: Pushed 
    latest: digest: sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af size: 527
    
    # docker pull localhost:5000/busybox
    Using default tag: latest
    latest: Pulling from busybox
    Digest: sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af
    Status: Image is up to date for localhost:5000/busybox:latest

    The docker client can now perform operations against the registry, as it has authenticated against the Keycloak IDP Server.

    For more information on how to use Keycloak with Docker, see the relevant sections in the server administration guide and the securing applications guide.


    Whether you are new to Containers or have experience, downloading this cheat sheet can assist you when encountering tasks you haven’t done lately.

    Last updated: October 26, 2017

    Recent Posts

    • How to enable Ansible Lightspeed intelligent assistant

    • Why some agentic AI developers are moving code from Python to Rust

    • Confidential VMs: The core of confidential containers

    • Benchmarking with GuideLLM in air-gapped OpenShift clusters

    • Run Qwen3-Next on vLLM with Red Hat AI: A step-by-step guide

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit
    © 2025 Red Hat

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue