8.3 L4

Keycloak

Native Assessed · Docs reviewed · Mar 23, 2026 Confidence 0.55 Last evaluated Mar 23, 2026

Scores 8.3/10 overall, with execution at 8.5 and access readiness at 8.0.

Verify before you commit

Trust read first, source links second, build decision third.

Use this page to sanity-check Keycloak quickly. We surface the evidence tier, freshness, and failure posture here, then put the official links where you can actually act on them, especially on mobile.

Evidence: Assessed (Docs reviewed · Mar 23, 2026)

Freshness: Updated 2026-03-23T18:15:59.064899+00:00 (Mar 23, 2026)

Failures: Clear (No active failures listed)

Score breakdown

Execution Score: 8.5
Measures reliability, idempotency, error ergonomics, latency distribution, and schema stability.

Access Readiness Score: 8.0
Measures how easily an agent can onboard, authenticate, and start using this service autonomously.

Aggregate AN Score: 8.3
Composite score: 70% execution + 30% access readiness.

Autonomy breakdown

P1 Payment Autonomy
G1 Governance Readiness
W1 Web Agent Accessibility
Overall Autonomy
Pending

Active failure modes

No active failure modes reported.

Reviews

Published review summaries with trust provenance attached to each card.

How are reviews sourced?

Docs-backed: Built from public docs and product materials.

Test-backed: Backed by guided testing or evaluator-run checks.

Runtime-verified: Verified from authenticated runtime evidence.

Keycloak: Comprehensive Agent-Usability Assessment

Docs-backed

Keycloak is the de facto open-source IAM platform — used in enterprise, government, and cloud-native environments where self-hosted SSO and OAuth2/OIDC are required. For agents, the Admin REST API enables: user CRUD (create users, assign roles, reset passwords, disable accounts), realm configuration management, client registration, token inspection (introspect), and user group management. Keycloak handles OAuth2/OIDC flows that other services rely on — it can be both the IAM authority and an API target for identity operations. High feature complexity; configuration-heavy initial setup. Quarkus-based since v17 (significantly improved performance vs. WildFly-based v16). Confidence is docs-derived.

Rhumb editorial team Mar 23, 2026

Keycloak: Auth & Access Control

Docs-backed

Admin API authentication: client credentials OAuth2 flow. Create a service account client in Keycloak admin console → generate client credentials → POST to /realms/{realm}/protocol/openid-connect/token with grant_type=client_credentials for a Bearer token. Service account needs admin realm role (realm-admin) or specific fine-grained permissions. Token expiry configurable per client (default 60s for admin tokens — must refresh frequently). HTTPS enforced in production. Keycloak itself manages OAuth2/OIDC for all integrated services.

Rhumb editorial team Mar 23, 2026

Keycloak: Documentation & Developer Experience

Docs-backed

keycloak.org/documentation provides comprehensive server documentation: admin REST API reference (fully generated from code), server administration guide, securing applications guide, server developer guide, and authorization services reference. Documentation is thorough but extensive — expect a steep learning curve. Getting started via Docker: docker run quay.io/keycloak/keycloak:latest start-dev. Admin console available at /admin for visual configuration. Community support via Keycloak Discourse forum, GitHub, and Keycloak Slack.

Rhumb editorial team Mar 23, 2026

Keycloak: API Design & Integration Surface

Docs-backed

Admin REST API at {host}/admin/realms/{realm}; the paths below are relative to that base. Resources: users, groups, roles, clients, client-scopes, realms, sessions, token. GET /users lists users with optional filtering (search, email, username). POST /users creates a user. PUT /users/{id} updates user attributes/enabled status. POST /users/{id}/role-mappings/realm assigns realm roles. GET /clients lists OAuth2 clients in the realm. POST /clients creates a new OAuth2 client. GET /users/{id}/sessions lists active sessions for a user. DELETE /sessions/{sessionId} revokes a session. Pagination: first, max params.

Rhumb editorial team Mar 23, 2026

Keycloak: Error Handling & Operational Reliability

Docs-backed

Admin API errors: HTTP 400 for validation errors (with JSON errorMessage), 403 for insufficient scope, 404 for missing entity, 409 for conflicts (user already exists). Rate limiting: not built-in by default; load balancer/reverse proxy enforced. Short-lived admin tokens require frequent refresh (important for agent loops). Keycloak startup time: 3-10 seconds with Quarkus; full restart should be minimized in production. High availability via active-active clustering with JDBC or Infinispan. Keycloak Cloud (Keycloak.cloud) available for managed hosting.

Rhumb editorial team Mar 23, 2026
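
The token flow from the Auth & Access Control card and the status codes from the Error Handling card, as an added example (not Keycloak's or Rhumb's code): a cache that re-requests the client-credentials token shortly before `expires_in` runs out, plus a mapping from the listed statuses to agent actions. The host, realm, client id, secret, the `post_form` transport and the action names are assumptions, and the token endpoint is a constructed in-memory stand-in so the block runs offline.

```python
import time

class AdminTokenCache:
    """Client-credentials token cache that refreshes shortly before expiry."""
    def __init__(self, host, realm, client_id, client_secret,
                 post_form, clock=time.monotonic, skew=10):
        self.url = f"{host}/realms/{realm}/protocol/openid-connect/token"
        self.form = {"grant_type": "client_credentials",
                     "client_id": client_id, "client_secret": client_secret}
        self.post_form, self.clock, self.skew = post_form, clock, skew
        self._token, self._expires_at = None, 0.0

    def bearer(self):
        now = self.clock()
        if self._token is None or now >= self._expires_at - self.skew:
            status, body = self.post_form(self.url, self.form)
            if status != 200:
                # Never echo the form: it carries the client secret.
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._token = body["access_token"]
            self._expires_at = now + float(body["expires_in"])
        return self._token

def classify(status, body=None):
    """Map the Admin API statuses listed above to an agent action."""
    actions = {400: "fix_request", 403: "missing_role",
               404: "not_found", 409: "already_exists"}
    action = "ok" if 200 <= status < 300 else actions.get(status, "unexpected")
    detail = (body or {}).get("errorMessage", "")
    return f"{action}: {detail}" if detail else action

class FakeTokenEndpoint:  # constructed stand-in for the token endpoint, no network
    def __init__(self, lifetime=60):
        self.calls, self.lifetime, self.seen_url = 0, lifetime, None
    def __call__(self, url, form):
        self.calls, self.seen_url = self.calls + 1, url
        return 200, {"access_token": f"tok-{self.calls}",
                     "expires_in": self.lifetime}

def demo():
    now = [0.0]  # constructed clock, advanced by hand
    endpoint = FakeTokenEndpoint()
    cache = AdminTokenCache("https://kc.example", "demo", "agent-svc",
                            "placeholder-secret", endpoint, clock=lambda: now[0])
    tokens = []
    for t in (0.0, 30.0, 55.0):  # first fetch, cached, refreshed inside skew
        now[0] = t
        tokens.append(cache.bearer())
    return tokens, endpoint.calls, endpoint.seen_url
```

In real use, `post_form` wraps an HTTPS client and returns `(status, parsed_json)`; a 409 on user creation can then be treated as "already exists" so a retried agent step stays idempotent.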

Use in your agent

mcp
get_score("keycloak")
● Keycloak 8.3 L4 Native
exec: 8.5 · access: 8.0

Trust shortcuts

This score is documentation-derived. Treat it as a docs-based evaluation of API design, auth, error handling, and documentation quality.

Read how the score works, how disputes are handled, and how Rhumb scored itself before launch.

Overall tier

L4 Native

8.3 / 10.0

Alternatives

No alternatives captured yet.