FAQ

Common questions about the registry and the Dockerfile pattern.

Where does the provider image come from?

When the registry syncs a new extension version it automatically builds a minimal OCI image containing only the JAR and publishes it. This happens within minutes of a new release being detected. The image is public and free to pull.

Can I use multiple extensions?

Yes. Add one COPY --from= line per extension before the RUN kc.sh build step. The pattern is identical for any number of extensions.

Why pin to an exact version instead of "latest"?

Reproducibility. A Docker build from three months ago should produce the same image as one run today. A "latest" shorthand would silently update extensions between builds, making rollbacks harder and breaking the auditability of what is in each image.
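The pinning rule above, together with the COPY-before-build ordering from the multiple-extensions answer, can be checked mechanically before an image is built. The following Python check is an added example, not code from the registry; the image names in the sample Dockerfile are constructed placeholders, and it assumes one instruction per line (no backslash continuations).

```python
import re

# Constructed sample Dockerfile; extension image names are placeholders.
SAMPLE = """\
FROM quay.io/keycloak/keycloak:26.0.0 AS builder
COPY --from=registry.example/ext-a:1.4.2 /ext-a.jar /opt/keycloak/providers/
COPY --from=registry.example:5000/ext-b /ext-b.jar /opt/keycloak/providers/
RUN /opt/keycloak/bin/kc.sh build
COPY --from=registry.example/ext-c:latest /ext-c.jar /opt/keycloak/providers/
FROM quay.io/keycloak/keycloak:26.0.0
COPY --from=builder /opt/keycloak/ /opt/keycloak/
"""

def tag_of(ref):
    """Return the tag of an image reference, 'digest' if digest-pinned, else None."""
    if "@sha256:" in ref:
        return "digest"
    last = ref.rsplit("/", 1)[-1]  # ignore a ':port' in the registry host
    return last.split(":", 1)[1] if ":" in last else None

def audit(dockerfile):
    """List (line, image, problem) for external COPY --from= sources."""
    findings, stages, built = [], set(), False
    for n, line in enumerate(dockerfile.splitlines(), 1):
        words = line.split()
        if not words:
            continue
        op = words[0].upper()
        if op == "FROM":
            built = False  # each stage needs its own kc.sh build
            if len(words) >= 3 and words[-2].upper() == "AS":
                stages.add(words[-1].lower())
        elif op == "RUN" and "kc.sh build" in line:
            built = True
        elif op == "COPY":
            m = re.search(r"--from=(\S+)", line)
            if not m or m.group(1).lower() in stages or m.group(1).isdigit():
                continue  # no --from, or it names an earlier build stage
            ref = m.group(1)
            tag = tag_of(ref)
            if tag is None or tag == "latest":
                findings.append((n, ref, "not pinned to an exact version"))
            if built:
                findings.append((n, ref, "copied after kc.sh build"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A floating tag other than "latest" cannot be detected from the reference alone, so this check only catches a missing tag or "latest".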

What does kc.sh build do?

It augments Keycloak's classpath for the installed providers using Quarkus's build-time optimisation. The result is a faster, leaner startup. It is required if you start Keycloak with --optimized, which is the recommended production mode.

Which Keycloak version should I use?

You choose. Each extension page shows which Keycloak version it was built against, but extensions are often compatible with newer versions too. Check the extension's changelog and GitHub issues if you are unsure. The registry does not dictate your Keycloak base image.

Does anything run at container startup?

No. Extensions are baked into the image at build time. Your running container has no dependency on the registry or any external service.