Keycloak has an HTTP(S) proxy that you can put in front of web applications and services where it is not possible to install the Keycloak adapter. You can set up URL filters so that certain URLs are secured either by browser login and/or bearer token authentication. You can also define role constraints for URL patterns within your applications.

This chart bootstraps a Keycloak Proxy Deployment on a Kubernetes cluster using the Helm package manager. It provisions a fully featured Keycloak Proxy installation.




  • Supports role-based URI controls
  • Web Socket connection upgrading
  • Token claim matching for additional ACL controls
  • Custom claim injections into authenticated requests
  • Stateless offline refresh tokens with optional predefined session limits
  • TLS and mutual TLS support
  • JSON field bases access logs
  • Custom Sign-in and access forbidden pages
  • Forward Signed Proxy
  • URL Role Tokenization
  • Listen on unix sockets, proxy upstream to unix sockets
  • Let’s Encrypt support


Keep in mind browser cookie limits, if you use to access or refresh tokens in the browser cookie. Keycloak-proxy divides cookie automatically if your cookie is longer than 4093 bytes. The real size of the cookie depends on the content of the issued access token. Also, encryption might add additional bytes to the cookie size. If you have large cookies (>200 KB), you might reach browser cookie limits.

All cookies are part of the header request, so you might find a problem with the max headers size limits in your infrastructure (some load balancers have very low this value, such as 8 KB). Be sure that all network devices have sufficient header size limits. Otherwise, your users won’t be able to obtain the access token.

Tell us about a new Kubernetes application


Never miss a thing! Sign up for our newsletter to stay updated.


Discover and learn about everything Kubernetes