AiStrike Documentation

Keycloak

Create a service account (client) in Keycloak, assign it a read-only role, and retrieve the client secret so AiStrike can authenticate via API.

Prerequisites

  • Admin access to the Keycloak Admin Console for the relevant realm (to create clients, roles, and assignments).

  • The realm name where the service account will live.

  • Network access to the Keycloak server from AiStrike public IPs: 3.135.165.25/32, 3.148.24.98/32, 52.15.138.222/32.

Step 1: Log in

Open the Keycloak Admin Console (e.g. https://your-keycloak-domain/auth/admin/) and log in with an admin account.

Step 2: Create a client (service account)

  1. Go to Clients > Create client.

  2. General settings: Client ID AiStrike-Service-Account, protocol openid-connect, add a description. Click Next.

  3. Capability config: enable Client authentication and the Authentication toggle; leave other settings default. Click Next.

  4. Login settings: leave all fields blank and click Save.

Step 3: Create a read-only role

Open the new client, go to the Roles tab, click Create Role, name it AiStrike-read-only-role, and save.

Step 4: Assign read-only permissions

Assign these read roles: view-applications, view-consent, view-groups, view-profile, read-token, query-clients, query-groups, query-realms, query-users, view-authorization, view-clients, view-events, view-identity-providers, view-realm, view-users.

Step 5: Assign the role to the service account

Go to Clients > AiStrike-Service-Account > Service Account Roles and assign AiStrike-read-only-role (or the corresponding read roles).

Step 6: Retrieve the client secret

On the client page, open the Credentials tab and copy the Client Secret securely.

Provide to AiStrike

  • Full Keycloak URL (e.g. https://your-keycloak-domain/auth)

  • Realm name

  • Service account (client) name: AiStrike-Service-Account

  • Client secret