Keycloak and Cloudflare Zero Trust Setup
Tested with Keycloak 16.1.1. This has not been tested with the Quarkus versions!
This covers how to use Keycloak as a generic OIDC provider with Cloudflare Zero Trust to authenticate connections.
Required Information and Access
- Access to the Keycloak admin console
- Access to Cloudflare Zero Trust for your team
- A Realm created in Keycloak already
- The name of your Cloudflare team
Fake data used in this example:
- Keycloak URL:
- Keycloak Client ID:
- Keycloak Realm:
- Cloudflare team name:
- Select the realm you want to use
- Navigate to Clients, then click Create
- Enter a unique client ID (such as
- Ensure Client Protocol is set to
- Leave Root URL blank
- Click Save
- Open the settings of the newly created client.
- Change Access Type to
- Add a valid redirect URI. This is based on your Cloudflare team name and is provided when setting up an OIDC authentication provider. At the time of writing, it follows the format of
- Click Save
- Click the Credentials tab
- Ensure the client authenticator is set to Client Id and Secret
- Copy the client secret
Configure Cloudflare Zero Trust
This section requires information about your current OIDC configuration.
Keycloak provides a .well-known link with all of the information located at
You will need three URLs from here. The list below defines them based on their name in Cloudflare; the coded values are the identifiers in the .well-known document:
- The Auth URL (
- The Token URL (
- The Certificate URL (
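As an added example that is not part of the original guide, the following Python maps a realm's .well-known document onto the three Cloudflare form fields and sanity-checks it before anything is pasted into Zero Trust. The base URL, realm name and discovery document are constructed sample values; the key names are the standard OpenID Connect Discovery ones that Keycloak implements.

```python
from urllib.parse import urlparse

# Keycloak 16 (WildFly distribution) serves realms under the /auth prefix.
def discovery_url(base_url: str, realm: str) -> str:
    return f"{base_url.rstrip('/')}/auth/realms/{realm}/.well-known/openid-configuration"

# Cloudflare form field -> OpenID Connect Discovery key that holds its value.
CLOUDFLARE_FIELDS = {
    "Auth URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Certificate URL": "jwks_uri",
}

def cloudflare_oidc_settings(discovery: dict, base_url: str, realm: str) -> dict:
    """Return the three URLs for the Cloudflare form. Refuses a document whose
    issuer is not the expected realm or whose endpoints are not https on the
    Keycloak host, so a wrong or tampered document is caught before pasting."""
    expected_issuer = f"{base_url.rstrip('/')}/auth/realms/{realm}"
    if discovery.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {discovery.get('issuer')!r}")
    host = urlparse(expected_issuer).netloc
    settings = {}
    for cf_name, oidc_key in CLOUDFLARE_FIELDS.items():
        url = discovery.get(oidc_key)
        if not url:
            raise ValueError(f"discovery document lacks {oidc_key}")
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.netloc != host:
            raise ValueError(f"{oidc_key} is not https on {host}: {url}")
        settings[cf_name] = url
    return settings

# Constructed sample values (not from the original page), trimmed to the keys
# this example uses; a real document carries many more.
SAMPLE_BASE, SAMPLE_REALM = "https://keycloak.example.com", "example"
_REALM = f"{SAMPLE_BASE}/auth/realms/{SAMPLE_REALM}"
SAMPLE_DISCOVERY = {
    "issuer": _REALM,
    "authorization_endpoint": f"{_REALM}/protocol/openid-connect/auth",
    "token_endpoint": f"{_REALM}/protocol/openid-connect/token",
    "jwks_uri": f"{_REALM}/protocol/openid-connect/certs",
}

if __name__ == "__main__":
    print("fetch:", discovery_url(SAMPLE_BASE, SAMPLE_REALM))
    for name, url in cloudflare_oidc_settings(SAMPLE_DISCOVERY, SAMPLE_BASE, SAMPLE_REALM).items():
        print(f"{name}: {url}")
```

Fetch the live document with curl from the URL that `discovery_url` prints and pass the parsed JSON to `cloudflare_oidc_settings` in place of the sample.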
- Log into your Cloudflare Dashboard. Click Zero Trust.
- Navigate to Settings, then Authentication. Click Add New, then click OpenID Connect.
- Enter the following information:
- Name: whatever you want
- App ID: your Keycloak client ID, i.e.
- Client secret: the client secret copied from Keycloak above
- The Auth URL, Token URL, and Certificate URL from the .well-known configuration above
- Add whatever optional claims you want Cloudflare to pass along to authenticated applications.