Is your feature request related to a problem?
Users self-hosting Phase who use Keycloak as their identity provider (IdP) cannot currently use it for single sign-on. Keycloak is one of the most widely adopted open-source identity and access management solutions, especially popular among teams self-hosting their infrastructure — the exact audience Phase's self-hosted offering targets.
Describe the solution you'd like
Add Keycloak as a first-class SSO provider, following the same OIDC integration pattern used by existing providers (Authentik, Okta, JumpCloud, Entra ID).
Configuration
Three environment variables:
| Variable |
Description |
Example |
KEYCLOAK_CLIENT_ID |
OAuth 2.0 client ID from Keycloak |
phase-console |
KEYCLOAK_CLIENT_SECRET |
OAuth 2.0 client secret |
secret |
KEYCLOAK_ISSUER_URL |
Keycloak realm issuer URL |
https://keycloak.example.com/realms/myrealm |
Enable via SSO_PROVIDERS=keycloak (comma-separated with other providers).
Implementation scope
Backend:
- New OIDC adapter extending
GenericOpenIDConnectAdapter with Keycloak-specific discovery URL ({KEYCLOAK_ISSUER_URL}/.well-known/openid-configuration)
- New
KeycloakLoginView in api/views/auth.py
- New URL route:
/social/login/keycloak/
- Provider entry in
SOCIALACCOUNT_PROVIDERS in settings.py
Frontend:
- New NextAuth OIDC provider using the existing
genericOIDCProvider factory (frontend/ee/authentication/sso/oidc/util/)
- Add Keycloak button to
SignInButtons.tsx
- Add Keycloak logo component (
frontend/components/common/logos/)
- Register provider in
[...nextauth].ts
Is your feature request related to a problem?
Users self-hosting Phase who use Keycloak as their identity provider (IdP) cannot currently use it for single sign-on. Keycloak is one of the most widely adopted open-source identity and access management solutions, especially popular among teams self-hosting their infrastructure — the exact audience Phase's self-hosted offering targets.
Describe the solution you'd like
Add Keycloak as a first-class SSO provider, following the same OIDC integration pattern used by existing providers (Authentik, Okta, JumpCloud, Entra ID).
Configuration
Three environment variables:
KEYCLOAK_CLIENT_IDphase-consoleKEYCLOAK_CLIENT_SECRETsecretKEYCLOAK_ISSUER_URLhttps://keycloak.example.com/realms/myrealmEnable via
SSO_PROVIDERS=keycloak(comma-separated with other providers).Implementation scope
Backend:
GenericOpenIDConnectAdapterwith Keycloak-specific discovery URL ({KEYCLOAK_ISSUER_URL}/.well-known/openid-configuration)KeycloakLoginViewinapi/views/auth.py/social/login/keycloak/SOCIALACCOUNT_PROVIDERSinsettings.pyFrontend:
genericOIDCProviderfactory (frontend/ee/authentication/sso/oidc/util/)SignInButtons.tsxfrontend/components/common/logos/)[...nextauth].ts