The Keycloak image packages the server runtime (JVM-based or native executable), the identity and access management core (authentication flows, SSO, OAuth2/OIDC/SAML token issuance, user federation, role and policy engine), administrative console and REST management APIs, and adapters/CLI tools. It also includes health checks, metrics endpoints and optional cache connectors; persistent state is externalized to a database or cache.
In containerized production it is deployed as stateless replicas behind a load balancer with external DB/replicated cache for sessions and metadata; configuration via environment variables, volumes or config maps supports automation and CI/CD. Typical workloads include token issuance, SSO, identity brokering, user provisioning and fine-grained authorization for APIs and apps. Teams evaluate a Keycloak hardened image in regulated environments to enforce minimal packages, non-root execution, controlled syscalls, signed artifacts and alignment with compliance baselines to reduce attack surface and support audits.
The Minimus Keycloak image is purpose-built from scratch to contain only the Keycloak runtime and the libraries it actually needs, unlike typical Keycloak container images that layer a full OS distribution, package managers, and development tooling. By eliminating unnecessary packages, shells, and services, the Minimus Keycloak image reduces the attack surface, starts and updates faster, consumes fewer resources, and is simpler to maintain and audit.
The Minimus hardened Keycloak image goes further by applying container-specific hardening and secure defaults aligned with industry guidance; controls and build practices follow standards such as NIST SP 800-190 and relevant CIS Benchmarks. These hardening measures focus on minimal privileges, safe file permissions and capabilities, and reproducible builds so engineers can deploy a smaller, more secure Keycloak runtime with confidence.
Keycloak is an open-source identity and access management (IAM) solution. It provides single sign-on (SSO), user federation, social login, and identity brokering, plus OAuth 2.0, OpenID Connect, and SAML 2.0 support. It helps secure applications and services without coding auth logic, and it centralizes user, role, and policy management with an admin console.
In containerized deployments, you typically run a Keycloak image to deploy the server quickly. For production, use a hardened Keycloak image and configure TLS, backups, and security hardening.
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=secret quay.io/keycloak/keycloak:latest start-dev
Yes. Keycloak remains widely used for SSO and IAM, with ongoing development by Red Hat and the community. The project has evolved with Keycloak.X (Quarkus-based) and continues to be a go-to option for many organizations. For container deployments, many teams rely on the official container image to run the server.
For production, use a hardened Keycloak image and apply security hardening: minimal base image, regular updates, vulnerability scanning, and proper RBAC. Use Kubernetes operators or Helm charts to manage lifecycle, and stay current with releases to benefit from fixes and new features.
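As an added example (not code from the Minimus image or the Keycloak project), a small Python check that lifts the quick-start command above into a Kubernetes Deployment and compares it against the hardening controls just described: non-root execution, dropped capabilities, no privilege escalation, a read-only root filesystem, a seccomp profile, a digest-pinned image, no literal admin password and no development start mode. Both manifests, the registry name and the digest placeholder are constructed for illustration.

```python
"""Hardening lint for a Keycloak Deployment manifest. Added example; both the
weak and the hardened manifests below are constructed, not real deployments."""

def _deployment(container, volumes=()):
    return {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template":
            {"spec": {"containers": [container], "volumes": list(volumes)}}}}

# Weak: the quick-start docker run command lifted unchanged into a Deployment.
WEAK = _deployment({
    "name": "keycloak", "image": "quay.io/keycloak/keycloak:latest",
    "args": ["start-dev"],
    "env": [{"name": "KEYCLOAK_ADMIN_PASSWORD", "value": "secret"}]})

# Hardened: digest-pinned image (placeholder digest), production start, password
# from a Secret, restrictive securityContext (uid 1000 as in the upstream image).
# Keycloak writes under /opt/keycloak/data, so a read-only root needs an emptyDir.
HARDENED = _deployment({
    "name": "keycloak", "image": "registry.example/keycloak@sha256:<digest>",
    "args": ["start", "--optimized"],
    "env": [{"name": "KEYCLOAK_ADMIN_PASSWORD", "valueFrom": {
        "secretKeyRef": {"name": "kc-admin", "key": "password"}}}],
    "securityContext": {
        "runAsNonRoot": True, "runAsUser": 1000,
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]},
        "seccompProfile": {"type": "RuntimeDefault"}},
    "volumeMounts": [{"name": "data", "mountPath": "/opt/keycloak/data"}]},
    volumes=[{"name": "data", "emptyDir": {}}])

# Each rule is (passes(container, securityContext), message reported on failure).
RULES = [
    (lambda c, sc: sc.get("runAsNonRoot") is True, "runAsNonRoot not set"),
    (lambda c, sc: sc.get("allowPrivilegeEscalation") is False, "privilege escalation allowed"),
    (lambda c, sc: "ALL" in sc.get("capabilities", {}).get("drop", []), "capabilities not dropped"),
    (lambda c, sc: sc.get("readOnlyRootFilesystem") is True, "root filesystem writable"),
    (lambda c, sc: sc.get("seccompProfile", {}).get("type") == "RuntimeDefault", "no seccomp profile"),
    (lambda c, sc: "@sha256:" in c["image"], "image not pinned by digest"),
    (lambda c, sc: "start-dev" not in c.get("args", []), "start-dev is development mode"),
    (lambda c, sc: not any("PASSWORD" in e["name"].upper() and "value" in e
                           for e in c.get("env", [])), "password is a literal env value, use a Secret"),
]

def findings(manifest):
    """Return the hardening gaps per container; an empty list means all checks pass."""
    gaps = []
    for c in manifest["spec"]["template"]["spec"]["containers"]:
        sc = c.get("securityContext", {})
        gaps += [f"{c['name']}: {msg}" for ok, msg in RULES if not ok(c, sc)]
    return gaps
```

Running `findings(WEAK)` reports all eight gaps, while `findings(HARDENED)` returns an empty list; the same function can be pointed at a parsed YAML manifest from a real pipeline.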
To add an image to a Keycloak theme, create a theme folder and place your asset under themes/
Example layout: themes/mytheme/resources/images/mylogo.png. In a FreeMarker/HTML template, reference it through the theme's resource path variable (url.resourcesPath is the variable Keycloak's login templates expose for theme resources):
<img src="${url.resourcesPath}/images/mylogo.png" alt="Logo"/>
Deploy by building a custom image that includes the theme, e.g.
FROM quay.io/keycloak/keycloak:latest
COPY themes/mytheme /opt/keycloak/themes/mytheme
Then set the realm Login Theme to mytheme (Realm Settings > Themes > Login Theme) or automate via your deployment pipeline. For production security, consider using a hardened Keycloak image.