How it works
Keycloak extensions (called providers) are JAR files placed in /opt/keycloak/providers/ before running kc.sh build. Tracking download URLs, versions, and checksums manually across environments is error-prone.
This registry solves that by publishing a minimal container image for every extension version it indexes. You reference it directly in your Dockerfile — no extra tools, no config files.
The two pieces
The Registry (this site)
Discovers and indexes community Keycloak extensions from GitHub Releases and Maven Central. For every version it finds, it publishes a minimal OCI image containing just the JAR, verified against its SHA-256 digest.
Your Dockerfile (one COPY line per extension)
Reference the provider image directly with COPY --from=.
Docker pulls the image at build time and copies the JAR into your Keycloak builder stage.
Adding another extension is one more line — the pattern never changes.
# Stage 1: add the provider JAR and run the Keycloak build
FROM quay.io/keycloak/keycloak AS builder
COPY --from=kcer.dev/providers/keycloak-home-idp-discovery:v26.1.1 /providers/ /opt/keycloak/providers/
RUN /opt/keycloak/bin/kc.sh build

# Stage 2: runtime image that takes the built /opt/keycloak/ from the builder
FROM quay.io/keycloak/keycloak
COPY --from=builder /opt/keycloak/ /opt/keycloak/
ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
CMD ["start", "--optimized"]
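
The Dockerfile above pulls the provider image by tag (v26.1.1) and the Keycloak base image with no tag at all. A tag can be re-pointed at different content, while an @sha256: digest cannot. The check below is an added example, not code from this page or from the registry: it lists every external image reference in a Dockerfile that is not pinned by digest. The function names and the sample are constructed for illustration, and it assumes the --from= flag sits on the same line as its COPY instruction.

```python
import re

# Constructed sample: the Dockerfile pattern shown on this page.
SAMPLE = """\
FROM quay.io/keycloak/keycloak AS builder
COPY --from=kcer.dev/providers/keycloak-home-idp-discovery:v26.1.1 /providers/ /opt/keycloak/providers/
RUN /opt/keycloak/bin/kc.sh build
FROM quay.io/keycloak/keycloak
COPY --from=builder /opt/keycloak/ /opt/keycloak/
"""

# An image reference is immutable only when it ends in a full sha256 digest.
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_refs(dockerfile):
    """Yield (line_no, ref) for each external image a Dockerfile pulls."""
    stages = set()  # names declared with "FROM ... AS <name>"
    for no, line in enumerate(dockerfile.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        instr = tokens[0].upper()
        if instr == "FROM":
            args = [t for t in tokens[1:] if not t.startswith("--")]
            if not args:
                continue
            if args[0].lower() not in stages | {"scratch"}:
                yield no, args[0]
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
        elif instr == "COPY":
            for tok in tokens[1:]:
                if tok.startswith("--from="):
                    src = tok[len("--from="):]
                    # Numeric indexes and stage names refer to earlier stages.
                    if not src.isdigit() and src.lower() not in stages:
                        yield no, src


def unpinned(dockerfile):
    """Return the external image references that are not pinned by digest."""
    return [(no, ref) for no, ref in image_refs(dockerfile)
            if not DIGEST.search(ref)]


if __name__ == "__main__":
    for no, ref in unpinned(SAMPLE):
        print(f"line {no}: {ref} is not pinned by digest")
```

Run as a CI step, a non-empty result can fail the build until each reference carries the digest recorded when the image was reviewed.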