Vault Provider (OpenBao / HashiCorp Vault)

Keycloak Vault SPI provider for OpenBao and HashiCorp Vault

License: Apache-2.0
by Nordix

Keycloak Vault Provider for OpenBao and HashiCorp Vault

Overview

This project provides two extensions for Keycloak that integrate with OpenBao and HashiCorp Vault:

  • Vault secrets provider
  • Secrets Manager REST API extension

By implementing a Vault SPI provider, this extension allows Keycloak to retrieve secrets from OpenBao or HashiCorp Vault. It uses the KV secrets engine as the secure storage for sensitive configuration data. This avoids storing sensitive data in the SQL database in cleartext.
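To make the shape of such an integration concrete, the following is an added illustration (not the Nordix project's code) of a Keycloak Vault SPI provider that resolves a `${vault.<key>}` reference by reading the KV v2 secrets engine over Vault's HTTP API. The package and class names, the provider id `kv-vault`, the `addr`/`token`/`mount` configuration keys, the path layout `<mount>/data/<realm>/<key>` and the field name `value` inside the secret are all assumptions made for the example; the Keycloak interfaces (`VaultProvider`, `VaultProviderFactory`, `DefaultVaultRawSecret`) and the Vault endpoint and `X-Vault-Token` header are real.

```java
// Added example, not the project's code. Package, class names, provider id,
// config keys and the secret path layout are assumptions for illustration.
package example.keycloak.vault;

import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Optional;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.vault.DefaultVaultRawSecret;
import org.keycloak.vault.VaultProvider;
import org.keycloak.vault.VaultProviderFactory;
import org.keycloak.vault.VaultRawSecret;

/** Resolves ${vault.<key>} by reading <mount>/data/<realm>/<key> from KV v2 (assumed layout). */
class KvVaultProvider implements VaultProvider {
    private static final ObjectMapper MAPPER = new ObjectMapper();
    private final HttpClient http;
    private final String vaultAddr;
    private final String token;
    private final String mount;
    private final String realm;

    KvVaultProvider(HttpClient http, String vaultAddr, String token, String mount, String realm) {
        this.http = http;
        this.vaultAddr = vaultAddr;
        this.token = token;
        this.mount = mount;
        this.realm = realm;
    }

    @Override
    public VaultRawSecret obtainSecret(String vaultSecretId) {
        // Keep lookups scoped to the current realm: reject keys that could escape the realm path.
        if (realm == null || vaultSecretId == null
                || vaultSecretId.contains("/") || vaultSecretId.contains("..")) {
            return DefaultVaultRawSecret.forBuffer(Optional.empty());
        }
        // KV v2 read endpoint: GET /v1/<mount>/data/<path>
        URI uri = URI.create(vaultAddr + "/v1/" + mount + "/data/" + realm + "/" + vaultSecretId);
        HttpRequest req = HttpRequest.newBuilder(uri).header("X-Vault-Token", token).GET().build();
        try {
            HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
            if (resp.statusCode() != 200) {
                // 404 = no such secret, 403 = policy denies; Keycloak just sees "absent".
                return DefaultVaultRawSecret.forBuffer(Optional.empty());
            }
            // KV v2 nests user data as {"data":{"data":{...},"metadata":{...}}}.
            JsonNode value = MAPPER.readTree(resp.body()).path("data").path("data").path("value");
            if (value.isMissingNode() || value.isNull()) {
                return DefaultVaultRawSecret.forBuffer(Optional.empty());
            }
            ByteBuffer buf = ByteBuffer.wrap(value.asText().getBytes(StandardCharsets.UTF_8));
            return DefaultVaultRawSecret.forBuffer(Optional.of(buf));
        } catch (IOException | InterruptedException e) {
            throw new RuntimeException("Vault lookup failed for key " + vaultSecretId, e);
        }
    }

    @Override
    public void close() {
        // Nothing per-session to release; the HttpClient is owned by the factory.
    }
}

/** Factory registered via META-INF/services/org.keycloak.vault.VaultProviderFactory. */
public class KvVaultProviderFactory implements VaultProviderFactory {
    private final HttpClient http = HttpClient.newHttpClient();
    private String vaultAddr;
    private String token;
    private String mount;

    @Override
    public VaultProvider create(KeycloakSession session) {
        RealmModel r = session.getContext().getRealm();
        return new KvVaultProvider(http, vaultAddr, token, mount, r == null ? null : r.getName());
    }

    @Override
    public void init(Config.Scope config) {
        // Assumed keys; in Keycloak's CLI form they become --spi-vault-kv-vault-addr etc.
        vaultAddr = config.get("addr", "http://127.0.0.1:8200");
        token = config.get("token");
        mount = config.get("mount", "secret");
    }

    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return "kv-vault"; }
}
```

Keycloak only consults one vault provider at a time, selected with `--spi-vault-provider=kv-vault` (the provider id above). The realm-scoped path and the rejection of `/` and `..` in the key are the security-relevant choices: a realm administrator can then only reference secrets stored under that realm's prefix, and Vault policy on the token can enforce the same boundary server-side.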

The project also implements a custom REST API extension called Secrets Manager for Keycloak's Admin REST API. This enables realm administrators to manage Vault SPI secret values through Keycloak, without needing direct access to OpenBao or HashiCorp Vault.

Documentation

For more information, see:

Known Issues

Extension is using Keycloak internal SPIs

When this extension is loaded, Keycloak displays the following warnings:

WARN  [org.keycloak.services] (build-47) KC-SERVICES0047: secrets-manager (io.github.nordix.keycloak.services.secretsmanager.SecretsManagerProviderFactory) is implementing the internal SPI admin-realm-restapi-extension. This SPI is internal and may change without notice
WARN  [org.keycloak.services] (build-47) KC-SERVICES0047: secrets-provider (io.github.nordix.keycloak.services.vault.SecretsProviderFactory) is implementing the internal SPI vault. This SPI is internal and may change without notice

The vault and admin-realm-restapi-extension SPIs are internal to Keycloak and may change at any time. No stable public alternatives exist, so future Keycloak updates could break compatibility. Some internal Keycloak APIs (e.g. for caching) are also used.

Contributing

Please refer to CONTRIBUTING.md.
