# Keycloak provider setup for Users & Permissions

> Source: https://docs.strapi.io/cms/configurations/users-and-permissions-providers/keycloak

Set up Keycloak as an identity provider for Strapi's Users & Permissions feature by configuring a client in Keycloak, then enabling and filling in the Keycloak provider details in Strapi's admin settings.

This page explains how to set up the Keycloak provider for the [Users & Permissions feature](/cms/features/users-permissions).

:::prerequisites
You have read the [Users & Permissions providers documentation](/cms/configurations/users-and-permissions-providers).
:::

## Keycloak configuration

:::note
Keycloak accepts `localhost` URLs. <br/>
Using `ngrok` is not needed.
:::

1. Visit your Keycloak admin dashboard
2. If you don't already have a realm, you'll want to create one
3. In the Clients section of your realm, create a new client
4. Under the capability config, set `Client Authentication` to on so that you can create a private key
5. Under the access settings, ensure you set the following values:
   - **Valid redirect URIs**: `http://localhost:1337/api/connect/keycloak/callback` and `http://localhost:1337/api/connect/keycloak`
   - **Allowed Web Origins**: `http://localhost:3000` and `http://localhost:1337`
6. In the Client Scopes section, ensure you have the `email` and `profile` scopes set to default
7. In the Client Scopes section, ensure you have the `openid` scope set to default. If you don't have this scope, you will need to manually create it in the global Client Scopes

## Strapi configuration

1. Visit the Users & Permissions provider settings page at [http://localhost:1337/admin/settings/users-permissions/providers](http://localhost:1337/admin/settings/users-permissions/providers)
2. Click on the **Keycloak** provider
3. Fill in the information:
   - Enable: `ON`
   - Client ID: `<Your Keycloak Client ID>`
   - Client Secret: `<Your Keycloak Client Secret>`
   - Subdomain: `<Your Keycloak realm url>`, for example `keycloak.example.com/realms/strapitest` or `keycloak.example.com/auth/realms/strapitest`, **without the protocol before it**
   - The redirect URL to your front-end app: `http://localhost:3000/connect/keycloak/redirect`
   - (Optional) Set the JWKS URL if you have a custom JWKS URL, for example `https://keycloak.example.com/auth/realms/strapitest/protocol/openid-connect/certs`

Your configuration is done.
Launch the backend and the [react login example application](https://github.com/strapi/strapi-examples/tree/master/examples/login-react), go to `http://localhost:3000` and try to connect to the provider you configured.
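
A pre-flight check for the values entered in the two procedures above, as an added example rather than Strapi's or Keycloak's own code. `checkKeycloakProvider` and its option names are hypothetical, and the default JWKS URL assumes https plus Keycloak's standard `protocol/openid-connect/certs` path, as in the example URL above.

```javascript
// Added example: pre-flight check of the Keycloak provider values from the steps above.
// checkKeycloakProvider and its option names are hypothetical, not a Strapi API.
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1']);
const SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

// Plain http is tolerated only for local development hosts.
function insecure(url) {
  return url.protocol !== 'https:' && !LOCAL_HOSTS.has(url.hostname);
}

function parse(value) {
  try { return new URL(value); } catch { return null; }
}

function checkKeycloakProvider({ subdomain, jwksUrl, redirectUris = [] }) {
  const problems = [];

  // Subdomain is host + realm path, "without the protocol before it".
  if (SCHEME.test(subdomain)) problems.push('subdomain: remove the protocol');
  const realmBase = subdomain.replace(SCHEME, '').replace(/\/+$/, '');
  if (!/^[^/]+(\/auth)?\/realms\/[^/]+$/.test(realmBase)) {
    problems.push('subdomain: expected host/realms/<realm> or host/auth/realms/<realm>');
  }

  // Keycloak's standard certs path for the realm (https is an assumption here).
  const defaultJwksUrl = `https://${realmBase}/protocol/openid-connect/certs`;
  if (jwksUrl) {
    const u = parse(jwksUrl);
    if (!u) problems.push('jwksUrl: not a valid URL');
    else if (insecure(u)) problems.push('jwksUrl: signing keys must be fetched over https');
  }

  // Redirect URIs should be exact: no wildcards, no plain http off localhost.
  for (const uri of redirectUris) {
    const u = parse(uri);
    if (uri.includes('*')) problems.push(`redirect URI ${uri}: wildcard`);
    else if (!u) problems.push(`redirect URI ${uri}: not a valid URL`);
    else if (insecure(u)) problems.push(`redirect URI ${uri}: plain http on a non-local host`);
  }

  return { realmBase, defaultJwksUrl, problems };
}
```

An empty `problems` array means the values match the shapes this page describes; the `localhost` URLs from the Keycloak steps pass because plain http is accepted only for local hosts.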

:::note Migration from Strapi v4
Strapi v4 extensions often registered Keycloak through `providersRegistry.register()`. That method is no longer available in Strapi 5.

In Strapi 5, call `add()` on the `providers-registry` service from the [`register()` function](/cms/configurations/functions#register) in `/src/index.js|ts`.

See the [custom provider guide](/cms/configurations/users-and-permissions-providers/new-provider-guide#creating-a-custom-provider) for details.

If you still call `register()` on the registry object, Strapi throws `TypeError: providersRegistry.register is not a function`.
:::
