I recently picked up the responsibility for managing my company’s Keycloak instance after the last person got laid off, and have been tasked with integrating a new web app that will use Keycloak for auth, so I apologize ahead of time for my misunderstanding of how everything works.
I have been tasked with creating and configuring a new Keycloak client, a couple of custom authenticator extensions to be placed in a new custom login flow, and a custom theme for said login. The custom flow is based on the browser flow for reference, just with a few extra steps that communicate with external services throughout the flow.
From my understanding, the way it’ll work is:
- User tries to access application
- User gets redirected to Keycloak for login
- User enters in credentials
- If correct, user gets redirected back to resource/application
From my understanding after reading through the guides/documentation, I should:
- create a new client in the realm that handles all of our customers
- set the login theme (for the client, not realm) to my custom theme
- set up a custom authentication flow, and override the aforementioned client’s browser flow to instead use this one
- provide the adapter config for that client to the developer of this new application to allow them to connect and authenticate/authorize against my Keycloak instance
Right now I am trying to test that third step (in an effort to test those extensions), but I’m unsure of how to do so, as I’m not sure how or where to find the URL for the login page for this client. Is that something I set through the Root URL of the client? Is there a pattern Keycloak uses for that? There are a few OIDC clients in this realm that have their Root URL set to the URL of the application, which if unauthenticated redirects the user to a domain like <keycloak base URL>/realms/{realm}/protocol/openid-connect/auth?client_id={client_id}&redirect_uri=.... Should I do something like that? Or am I thinking about this completely wrong, and it’s necessary for the client application to be properly configured to communicate with Keycloak before I can properly test the authentication flow? I hope all of that makes sense and I’m not just incoherently rambling haha
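An added example, not part of the original post: a Python sketch that builds an authorization request on the URL pattern quoted above, so a client's browser flow can be opened in a browser before the application exists, and that checks the `state` value on the redirect back. The host, realm, client ID and redirect URI are constructed placeholders, and the sketch assumes the standard authorization code flow with PKCE.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE with S256 (RFC 7636)."""
    verifier = secrets.token_urlsafe(48)  # 64 characters, inside the 43-128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_request(base_url, realm, client_id, redirect_uri, scope="openid"):
    """Build the URL that starts the client's browser flow, plus values to keep."""
    verifier, challenge = pkce_pair()
    session = {"state": secrets.token_urlsafe(16),   # ties the response to this request
               "nonce": secrets.token_urlsafe(16),   # later compared with the ID token
               "code_verifier": verifier}            # sent only in the token request
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must be listed in the client's valid redirect URIs
        "response_type": "code",
        "scope": scope,
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    endpoint = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/auth"
    return f"{endpoint}?{urlencode(params)}", session


def read_callback(callback_url, session):
    """Return the authorization code from the redirect, rejecting a bad state."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    returned = query.get("state", [""])[0]
    if not secrets.compare_digest(returned.encode(), session["state"].encode()):
        raise ValueError("state mismatch; discard this response")
    return query["code"][0]


if __name__ == "__main__":
    # Constructed placeholder values, not taken from the post.
    url, session = build_auth_request("https://keycloak.example.com", "customers",
                                      "new-web-app", "http://localhost:8080/callback")
    print(url)  # open in a browser to walk through the client's login flow
```

The redirect target does not need a running application for this test: after login the browser's address bar shows the callback URL with `code` and `state`, which can be passed to `read_callback`.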