Introduction
Imagine this scenario: you have to write a report for your boss, your boss wants a dashboard, and you are not a Data Engineer or Developer. So you are going to vibe code it, with Streamlit as the keyword. Then you show the report to your boss, but your boss is a security person and asks you to add authentication to it. Basic auth is not enough, even if the report is only for internal users. Your company already has a Keycloak cluster, so you just need to create a new realm in Keycloak for your application and then integrate the application with Keycloak. This article shows how to do it, and it is also here for me to remember xD
We will use Keycloak as the identity provider and Streamlit as the application. We will use the OIDC (OpenID Connect) protocol to integrate them.
Steps:
- Create new realm
- Create new client
- Create sample user
- Create sample Streamlit application
- Integrate them
Prerequisites
- Docker & Docker Compose
- Python 3.12 (verified with this demo)
Sample Streamlit Application
Just clone this ready-to-run repo and follow the README.md to run it: https://github.com/BlackMetalz/streamlit-authentication-with-keycloak-sample
Hmm, the last step, streamlit run, will fail because we haven't set up Keycloak yet. So we need to set up Keycloak first xD
Keycloak Setup
For a god damn easy way, use docker compose to run Keycloak. Source here: Keycloak26+Postgres18
services:
  postgres:
    image: postgres:18
    container_name: postgres_keycloak
    volumes:
      - postgres_data:/var/lib/postgresql
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: super_secret_password
    ports:
      # Publishes Postgres on the host; only needed if you connect from outside the compose network
      - "5432:5432"
    healthcheck: # it should be ready before keycloak starts
      test: ["CMD-SHELL", "pg_isready -U keycloak -d keycloak"]
      interval: 10s
      timeout: 5s
      retries: 5
  keycloak:
    image: quay.io/keycloak/keycloak:26.1
    container_name: keycloak_server
    # start-dev runs Keycloak in development mode (plain HTTP), which is what this local demo uses
    command: start-dev
    environment:
      KC_DB: postgres
      KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
      KC_DB_USERNAME: keycloak
      KC_DB_PASSWORD: super_secret_password
      KC_BOOTSTRAP_ADMIN_USERNAME: admin
      KC_BOOTSTRAP_ADMIN_PASSWORD: admin@123
    ports:
      - "8080:8080"
    depends_on:
      postgres:
        # Document about service_healthy here: https://docs.docker.com/compose/how-tos/startup-order/
        condition: service_healthy
volumes:
  postgres_data:
You can start it by running the command: docker compose up. Then you will have a ready Keycloak instance at http://localhost:8080.
Create new realm for testing purposes
Who tests in the master realm? No one, not even me xD
URL to create a new realm: http://localhost:8080/admin/master/console/#/master/add-realm

Create new client
URL: http://localhost:8080/admin/master/console/#/kienlt-demo/clients/add-client
Screenshots to make it easy to follow:



Note: In the screenshot, the Valid redirect URI is incorrect. Please set it to http://localhost:8501/*
Copy the client secret and paste it into the .env file

# Set to "false" to disable Keycloak authentication (guest mode)
AUTH_ENABLED=false
# Keycloak Configuration
KEYCLOAK_URL=http://localhost:8080
KEYCLOAK_REALM=myrealm
KEYCLOAK_CLIENT_ID=streamlit-app
KEYCLOAK_CLIENT_SECRET=your-streamlit-app-secret
REDIRECT_URI=http://localhost:8501
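How these .env values feed the OIDC authorization code flow against Keycloak, as an added example that is not taken from the sample repo: it builds the login redirect and checks the callback before the code is exchanged for tokens. The function names are hypothetical, and the config values are a constructed sample copied from the .env keys above.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Constructed sample config mirroring the .env keys above.
CFG = {
    "KEYCLOAK_URL": "http://localhost:8080",
    "KEYCLOAK_REALM": "myrealm",
    "KEYCLOAK_CLIENT_ID": "streamlit-app",
    "KEYCLOAK_CLIENT_SECRET": "your-streamlit-app-secret",
    "REDIRECT_URI": "http://localhost:8501",
}

def oidc_base(cfg):
    # Keycloak exposes each realm's OIDC endpoints under this path.
    return f"{cfg['KEYCLOAK_URL']}/realms/{cfg['KEYCLOAK_REALM']}/protocol/openid-connect"

def build_login_url(cfg, state, nonce):
    """URL the browser is sent to; redirect_uri must match the client's Valid redirect URIs."""
    params = {
        "client_id": cfg["KEYCLOAK_CLIENT_ID"],
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": cfg["REDIRECT_URI"],
        "state": state,  # binds the callback to this login attempt (CSRF defence)
        "nonce": nonce,  # must later equal the 'nonce' claim of the ID token
    }
    return f"{oidc_base(cfg)}/auth?{urlencode(params)}"

def handle_callback(cfg, query, expected_state):
    """Check the redirect back from Keycloak; return (token_url, form) for the code exchange."""
    if "error" in query:
        raise ValueError(f"login failed: {query['error']}")
    if not hmac.compare_digest(query.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if not query.get("code"):
        raise ValueError("missing authorization code")
    form = {
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": cfg["REDIRECT_URI"],
        "client_id": cfg["KEYCLOAK_CLIENT_ID"],
        "client_secret": cfg["KEYCLOAK_CLIENT_SECRET"],  # stays server-side, never in the browser
    }
    return f"{oidc_base(cfg)}/token", form

if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_login_url(CFG, state, nonce))
    token_url, form = handle_callback(CFG, {"code": "constructed-code", "state": state}, state)
    print(token_url, sorted(form))
```

The returned form is what gets POSTed to the token endpoint; the ID token that comes back still needs its signature and nonce verified before the user is treated as logged in.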
Test login directly
Holy shiet, create a test account first!


Ok, time to log in. It will pop up the default Keycloak login page. And here is the result after logging in:

Success! Welcome to my dashboard xD
Conclusion
This is just a solution that fits a specific scenario: I don't want to manage any external database, and the dashboard is only for internal users, not for the public. It is simple and easy to implement, which mattered because I needed to ship this dashboard fast with requirements changing daily....