# Keycloak: Messages Realm
## Realm Configuration

```json
{
  "realm": "messages",
  "displayName": "Messages",
  "enabled": true,
  "sslRequired": "external",
  "registrationAllowed": false,
  "loginWithEmailAllowed": true,
  "defaultSignatureAlgorithm": "RS256"
}
```
## Clients

### messages (Public OIDC Client)

| Setting | Value |
|---|---|
| Client ID | messages |
| Client Secret | <generate> |
| Redirect URIs | https://messages.<domain>/*, https://api.messages.<domain>/* |
| Web Origins | https://messages.<domain>, https://api.messages.<domain> |
| Post Logout Redirect URIs | Same as redirect URIs |
| Standard Flow | Enabled |
| Front Channel Logout | Enabled |

### rest-api (Service Account)

Used by the Messages backend to manage Keycloak users and groups:

| Setting | Value |
|---|---|
| Client ID | rest-api |
| Client Secret | <generate> |
| Service Accounts | Enabled |
| Authorization | Enabled |
Service account roles:
- realm-management: query-users, manage-users, view-users
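
One way to check a realm export against the realm, client and service-account settings listed above (an added example, not part of the Messages project; field names are those of Keycloak's realm export JSON, and `example.org` and the sample export are constructed):

```python
# Added example: audit a Keycloak realm export against the settings documented on this page.
# Field names follow Keycloak's realm export JSON; "example.org" is a placeholder domain.
EXPECTED_REALM = {"sslRequired": "external", "registrationAllowed": False,
                  "defaultSignatureAlgorithm": "RS256"}
ALLOWED_SA_ROLES = {"query-users", "manage-users", "view-users"}

def audit_realm(export, domain):
    """Return a list of findings; an empty list means the export matches the page."""
    findings = []
    for key, want in EXPECTED_REALM.items():
        if export.get(key) != want:
            findings.append(f"realm.{key}: expected {want!r}, got {export.get(key)!r}")
    clients = {c.get("clientId"): c for c in export.get("clients", [])}
    hosts = (f"https://messages.{domain}", f"https://api.messages.{domain}")
    web = clients.get("messages", {})
    if not web.get("standardFlowEnabled"):
        findings.append("messages: standard flow not enabled")
    for uri in web.get("redirectUris", []):
        if uri not in {h + "/*" for h in hosts}:
            findings.append(f"messages: unexpected redirect URI {uri!r}")
    for origin in web.get("webOrigins", []):
        if origin not in hosts:
            findings.append(f"messages: unexpected web origin {origin!r}")
    if not clients.get("rest-api", {}).get("serviceAccountsEnabled"):
        findings.append("rest-api: service accounts not enabled")
    # Service-account users appear in the export with serviceAccountClientId set.
    for user in export.get("users", []):
        if user.get("serviceAccountClientId") != "rest-api":
            continue
        for client, roles in user.get("clientRoles", {}).items():
            allowed = ALLOWED_SA_ROLES if client == "realm-management" else set()
            for role in sorted(set(roles) - allowed):
                findings.append(f"rest-api: unexpected role {client}:{role}")
    return findings

# Constructed sample export with three deliberate deviations from the page.
SAMPLE = {
    "realm": "messages", "sslRequired": "external", "registrationAllowed": True,
    "defaultSignatureAlgorithm": "RS256",
    "clients": [
        {"clientId": "messages", "standardFlowEnabled": True,
         "redirectUris": ["https://messages.example.org/*", "*"],
         "webOrigins": ["https://messages.example.org"]},
        {"clientId": "rest-api", "serviceAccountsEnabled": True},
    ],
    "users": [{"username": "service-account-rest-api", "serviceAccountClientId": "rest-api",
               "clientRoles": {"realm-management": ["manage-users", "realm-admin"]}}],
}

if __name__ == "__main__":
    for finding in audit_realm(SAMPLE, "example.org"):
        print(finding)
```

The check is deliberately strict: any redirect URI, web origin or service-account role beyond those listed on this page is reported, so drift such as a bare `*` redirect or an added admin role shows up in review.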

## Groups

Messages creates Keycloak groups for mail domains. When a mail domain is created in the Messages admin, a group `/maildomain-<domain>` is created in Keycloak. Users are added to these groups to grant mailbox access.

## Environment Mapping

The Messages .env maps to these values: