Keycloak Identity Flow Automation

Enterprise services using Keycloak as the identity provider across multiple environments. Work focused on automation, configuration consistency, and failure prevention - not on building an independent authentication product.

Authentication failures appeared intermittently across environments with no obvious pattern, and identity-provider configuration was drifting between environments.

• Could not change the identity-provider product itself
• Could not store secrets or realm exports in source control without sanitisation
• Validation had to run from CI/CD without manual setup per environment

Implemented and contributed to

Automated Keycloak workflows via REST APIs, shell scripting, and Cypress; investigated intermittent auth failures and standardised configuration across environments.

• Automated authentication-flow validation using REST APIs and Cypress
• Scripted realm, client, and role setup via the Keycloak Admin REST API
• Compared logs and configuration across environments to isolate failures
• Identified mismatched client configuration and redirect URIs as a root cause
• Standardised the affected configuration across environments
• Added CI/CD validation checks to catch the same class of failure earlier

• Realm export/import files checked into source control (rejected because exports contain environment-specific secrets and credentials)
• Keeping configuration manual but writing a runbook (rejected because runbooks do not catch drift between environments)

• Redirect URI mismatches that only failed under specific browser cookie states
• Token-exchange flows that succeeded on the second attempt and masked the underlying misconfiguration
• Realm imports failing silently when a role already existed with the same name

• Keycloak
• REST APIs
• OIDC
• Cypress
• Shell scripting
• GitLab CI

• Tracing intermittent failures across services and environments
• Keeping identity-provider configuration consistent as environments evolved

Configuration-driven authentication failures became much rarer after standardising realm and client setup and adding CI/CD validation checks. Environment-to-environment drift was caught earlier in the release process.

In this system, several recurring authentication failures were caused by configuration drift rather than by the authentication implementation itself. Automating the configuration is more valuable than writing more tests against the authentication flow itself.

I would add an explicit environment-diff report that compares realm and client configuration across environments on every pipeline run, so drift surfaces visually rather than only via failing flows.