{"id":38877229,"url":"https://github.com/containerinfra/keycloak-gatekeeper","last_synced_at":"2026-01-17T14:37:07.497Z","repository":{"id":38896680,"uuid":"158943493","full_name":"containerinfra/keycloak-gatekeeper","owner":"containerinfra","description":"Keycloak Gatekeeper Docker image","archived":false,"fork":false,"pushed_at":"2023-10-19T11:52:44.000Z","size":60,"stargazers_count":6,"open_issues_count":8,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2023-10-19T12:46:07.410Z","etag":null,"topics":["docker","dockerfile","keycloak","keycloak-gatekeeper","keycloak-proxy"],"latest_commit_sha":null,"homepage":null,"language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/containerinfra.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-11-24T14:21:16.000Z","updated_at":"2023-08-04T00:47:48.000Z","dependencies_parsed_at":"2022-08-18T13:52:11.692Z","dependency_job_id":"a5ff6cdf-64c1-499e-94d8-a5e37a41cbeb","html_url":"https://github.com/containerinfra/keycloak-gatekeeper","commit_stats":null,"previous_names":[],"tags_count":0,"template":null,"template_full_name":null,"purl":"pkg:github/containerinfra/keycloak-gatekeeper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerinfra%2Fkeycloak-gatekeeper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerinfra%2Fkeycloak-gatekeeper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerinfra%2Fkeycloak-gatekeeper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerinfra%2F
keycloak-gatekeeper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/containerinfra","download_url":"https://codeload.github.com/containerinfra/keycloak-gatekeeper/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerinfra%2Fkeycloak-gatekeeper/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28510108,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T13:38:16.342Z","status":"ssl_error","status_checked_at":"2026-01-17T13:37:44.060Z","response_time":85,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","dockerfile","keycloak","keycloak-gatekeeper","keycloak-proxy"],"created_at":"2026-01-17T14:37:07.407Z","updated_at":"2026-01-17T14:37:07.471Z","avatar_url":"https://github.com/containerinfra.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Docker Keycloak Gatekeeper\n\nDocker image build for Keycloak Gatekeeper, using distroless as a basis.\n\n[![Docker hub](https://img.shields.io/docker/pulls/containerinfra/keycloak-gatekeeper.svg)](https://hub.docker.com/r/containerinfra/keycloak-gatekeeper/) ![GitHub Workflow Status](https://img.shields.io/github/workflow/status/containerinfra/keycloak-gatekeeper/release)\n\n\u003e *Please use [oauth2-proxy](https://github.com/containerinfra/oauth2-proxy) instead*!\n\n## 
Table of Contents\n\n- [Usage](#usage)\n- [Contribute](#contribute)\n- [License](#license)\n\n## Usage\n\n### Image\n\n- docker pull docker.io/containerinfra/keycloak-gatekeeper\n- docker pull ghcr.io/containerinfra/keycloak-gatekeeper\n\nImages are published on [Docker hub](https://hub.docker.com/r/containerinfra/keycloak-gatekeeper/) and [GitHub Container Registry](https://github.com/containerinfra/keycloak-gatekeeper/pkgs/container/keycloak-gatekeeper).\n\n### Configuration\n\nSee Keycloak Documentation: https://www.keycloak.org/docs/latest/securing_apps/index.html\n\n```bash\nNAME:\n   keycloak-gatekeeper - is a proxy using the keycloak service for auth and authorization\n\nUSAGE:\n   keycloak-gatekeeper [options]\n\nVERSION:\n   9.0.3 (git+sha: d2a9ce6, built: 14-04-2020)\n\nAUTHOR:\n   Keycloak \u003ckeycloak-user@lists.jboss.org\u003e\n\nCOMMANDS:\n     help, h  Shows a list of commands or help for one command\n\nGLOBAL OPTIONS:\n   --config value                            path the a configuration file [$PROXY_CONFIG_FILE]\n   --listen value                            the interface the service should be listening on [$PROXY_LISTEN]\n   --listen-http value                       interface we should be listening [$PROXY_LISTEN_HTTP]\n   --discovery-url value                     discovery url to retrieve the openid configuration [$PROXY_DISCOVERY_URL]\n   --client-id value                         client id used to authenticate to the oauth service [$PROXY_CLIENT_ID]\n   --client-secret value                     client secret used to authenticate to the oauth service [$PROXY_CLIENT_SECRET]\n   --redirection-url value                   redirection url for the oauth callback url, defaults to host header is absent [$PROXY_REDIRECTION_URL]\n   --revocation-url value                    url for the revocation endpoint to revoke refresh token [$PROXY_REVOCATION_URL]\n   --skip-openid-provider-tls-verify         skip the verification of any TLS communication with the 
openid provider (default: false)\n   --openid-provider-proxy value             proxy for communication with the openid provider\n   --openid-provider-timeout value           timeout for openid configuration on .well-known/openid-configuration (default: 30s)\n   --base-uri value                          common prefix for all URIs [$PROXY_BASE_URI]\n   --oauth-uri value                         the uri for proxy oauth endpoints (default: \"/oauth\") [$PROXY_OAUTH_URI]\n   --scopes value                            list of scopes requested when authenticating the user\n   --upstream-url value                      url for the upstream endpoint you wish to proxy [$PROXY_UPSTREAM_URL]\n   --upstream-ca value                       the path to a file container a CA certificate to validate the upstream tls endpoint\n   --resources value                         list of resources 'uri=/admin*|methods=GET,PUT|roles=role1,role2'\n   --headers value                           custom headers to the upstream request, key=value\n   --preserve-host                           preserve the host header of the proxied request in the upstream request (default: false)\n   --request-id-header value                 the http header name for request id (default: \"X-Request-ID\") [$PROXY_REQUEST_ID_HEADER]\n   --response-headers value                  custom headers to added to the http response key=value\n   --enable-self-signed-tls                  create self signed certificates for the proxy (default: false) [$PROXY_ENABLE_SELF_SIGNED_TLS]\n   --self-signed-tls-hostnames value         a list of hostnames to place on the self-signed certificate\n   --self-signed-tls-expiration value        the expiration of the certificate before rotation (default: 3h0m0s)\n   --enable-request-id                       indicates we should add a request id if none found (default: false) [$PROXY_ENABLE_REQUEST_ID]\n   --enable-logout-redirect                  indicates we should redirect to the identity provider 
for logging out (default: false)\n   --enable-default-deny                     enables a default denial on all requests, you have to explicitly say what is permitted (recommended) (default: true)\n   --enable-encrypted-token                  enable encryption for the access tokens (default: false)\n   --force-encrypted-cookie                  force encryption for the access tokens in cookies (default: false)\n   --enable-logging                          enable http logging of the requests (default: false)\n   --enable-json-logging                     switch on json logging rather than text (default: false)\n   --enable-forwarding                       enables the forwarding proxy mode, signing outbound request (default: false)\n   --enable-security-filter                  enables the security filter handler (default: false) [$PROXY_ENABLE_SECURITY_FILTER]\n   --enable-refresh-tokens                   enables the handling of the refresh tokens (default: false) [$PROXY_ENABLE_REFRESH_TOKEN]\n   --enable-session-cookies                  access and refresh tokens are session only i.e. 
removed browser close (default: true)\n   --enable-login-handler                    enables the handling of the refresh tokens (default: false) [$PROXY_ENABLE_LOGIN_HANDLER]\n   --enable-token-header                     enables the token authentication header X-Auth-Token to upstream (default: true)\n   --enable-authorization-header             adds the authorization header to the proxy request (default: true) [$PROXY_ENABLE_AUTHORIZATION_HEADER]\n   --enable-authorization-cookies            adds the authorization cookies to the uptream proxy request (default: true) [$PROXY_ENABLE_AUTHORIZATION_COOKIES]\n   --enable-https-redirection                enable the http to https redirection on the http service (default: false)\n   --enable-profiling                        switching on the golang profiling via pprof on /debug/pprof, /debug/pprof/heap etc (default: false)\n   --enable-metrics                          enable the prometheus metrics collector on /oauth/metrics (default: false)\n   --filter-browser-xss                      enable the adds the X-XSS-Protection header with mode=block (default: false)\n   --filter-content-nosniff                  adds the X-Content-Type-Options header with the value nosniff (default: false)\n   --filter-frame-deny                       enable to the frame deny header (default: false)\n   --content-security-policy value           specify the content security policy\n   --localhost-metrics                       enforces the metrics page can only been requested from 127.0.0.1 (default: false)\n   --access-token-duration value             fallback cookie duration for the access token when using refresh tokens (default: 720h0m0s)\n   --client-auth-method value                the auth method to use with oauth (secret-basic, secret-body) (default: \"secret-basic\") [$PROXY_CLIENT_AUTH_METHOD]\n   --cookie-domain value                     domain the access cookie is available to, defaults host header\n   --cookie-access-name value        
        name of the cookie use to hold the access token (default: \"kc-access\")\n   --cookie-refresh-name value               name of the cookie used to hold the encrypted refresh token (default: \"kc-state\")\n   --secure-cookie                           enforces the cookie to be secure (default: true)\n   --http-only-cookie                        enforces the cookie is in http only mode (default: true)\n   --same-site-cookie value                  enforces cookies to be send only to same site requests according to the policy (can be Strict|Lax|None) (default: \"Lax\")\n   --match-claims value                      keypair values for matching access token claims e.g. aud=myapp, iss=http://example.*\n   --add-claims value                        extra claims from the token and inject into headers, e.g given_name -\u003e X-Auth-Given-Name\n   --tls-cert value                          path to ths TLS certificate\n   --tls-private-key value                   path to the private key for TLS\n   --tls-ca-certificate value                path to the ca certificate used for signing requests\n   --tls-ca-key value                        path the ca private key, used by the forward signing proxy\n   --tls-client-certificate value            path to the client certificate for outbound connections in reverse and forwarding proxy modes\n   --skip-upstream-tls-verify                skip the verification of any upstream TLS (default: true)\n   --cors-origins value                      origins to add to the CORE origins control (Access-Control-Allow-Origin)\n   --cors-methods value                      methods permitted in the access control (Access-Control-Allow-Methods)\n   --cors-headers value                      set of headers to add to the CORS access control (Access-Control-Allow-Headers)\n   --cors-exposed-headers value              expose cors headers access control (Access-Control-Expose-Headers)\n   --cors-credentials                        credentials access control 
header (Access-Control-Allow-Credentials) (default: false)\n   --cors-max-age value                      max age applied to cors headers (Access-Control-Max-Age) (default: 0s)\n   --hostnames value                         list of hostnames the service will respond to\n   --store-url value                         url for the storage subsystem, e.g redis://127.0.0.1:6379, file:///etc/tokens.file\n   --encryption-key value                    encryption key used to encryption the session state [$PROXY_ENCRYPTION_KEY]\n   --invalid-auth-redirects-with-303         use HTTP 303 redirects instead of 307 for invalid auth tokens (default: false)\n   --no-redirects                            do not have back redirects when no authentication is present, 401 them (default: false)\n   --skip-token-verification                 TESTING ONLY; bypass token verification, only expiration and roles enforced (default: false)\n   --upstream-keepalives                     enables or disables the keepalive connections for upstream endpoint (default: true)\n   --upstream-timeout value                  maximum amount of time a dial will wait for a connect to complete (default: 10s)\n   --upstream-keepalive-timeout value        specifies the keep-alive period for an active network connection (default: 10s)\n   --upstream-tls-handshake-timeout value    the timeout placed on the tls handshake for upstream (default: 10s)\n   --upstream-response-header-timeout value  the timeout placed on the response header for upstream (default: 10s)\n   --upstream-expect-continue-timeout value  the timeout placed on the expect continue for upstream (default: 10s)\n   --verbose                                 switch on debug / verbose logging (default: false)\n   --enabled-proxy-protocol                  enable proxy protocol (default: false)\n   --max-idle-connections value              max idle upstream / keycloak connections to keep alive, ready for reuse (default: 0)\n   --max-idle-connections-per-host 
value     limits the number of idle connections maintained per host (default: 0)\n   --server-read-timeout value               the server read timeout on the http server (default: 10s)\n   --server-write-timeout value              the server write timeout on the http server (default: 10s)\n   --server-idle-timeout value               the server idle timeout on the http server (default: 2m0s)\n   --use-letsencrypt                         use letsencrypt for certificates (default: false)\n   --letsencrypt-cache-dir value             path where cached letsencrypt certificates are stored (default: \"./cache/\")\n   --sign-in-page value                      path to custom template displayed for signin\n   --forbidden-page value                    path to custom template used for access forbidden\n   --tags value                              keypairs passed to the templates at render,e.g title=Page\n   --forwarding-username value               username to use when logging into the openid provider [$PROXY_FORWARDING_USERNAME]\n   --forwarding-password value               password to use when logging into the openid provider [$PROXY_FORWARDING_PASSWORD]\n   --forwarding-domains value                list of domains which should be signed; everything else is relayed unsigned\n   --disable-all-logging                     disables all logging to stdout and stderr (default: false)\n   --help, -h                                show help\n   --version, -v                             print the version\n```\n\n## Automated build\n\nThis image is built at least once a month automatically.\n\n## Contribute\n\nPRs accepted. 
All issues should be reported in the [GitHub issue tracker](https://github.com/containerinfra/keycloak-gatekeeper/issues).\n\n## License\n\n[MIT © ContainerInfra](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainerinfra%2Fkeycloak-gatekeeper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontainerinfra%2Fkeycloak-gatekeeper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainerinfra%2Fkeycloak-gatekeeper/lists"}