Auth Protocol Lab

OAuth 2.0 & OIDC with Keycloak

Hands-on labs for every major authentication flow -- built with Go, React, and Terraform

Authentication Flow

Labs

Each lab is a self-contained implementation of a specific authentication flow. Shared infrastructure (Keycloak, Postgres, MinIO, Terraform) runs once; labs connect to the auth-lab Docker network.

Implemented

| Lab | Flow | Directory | Status |
|---|---|---|---|
| 01 | Authorization Code | labs/01-authorization-code/ | Complete |

Planned

| Lab | Flow | Description |
|---|---|---|
| 02 | Auth Code + PKCE | Proof Key for Code Exchange for public clients |
| 03 | Client Credentials | Machine-to-machine with no user context |
| 04 | Implicit (Deprecated) | Educational -- why this flow was replaced by PKCE |
| 05 | ROPC | Resource Owner Password Credentials -- legacy migration |
| 06 | Device Authorization | Limited-input devices (TVs, IoT, CLIs) |
| 07 | Refresh Tokens | Token rotation, revocation, sliding sessions |
| 08 | Dex Federation | Identity brokering with upstream connectors |
| 09 | SAML 2.0 | Enterprise SSO with SAML assertions |
| 10 | Social Login | Google, GitHub, Microsoft via Keycloak |
| 11 | BFF Pattern | Backend-for-Frontend secure token handling |
| 12 | API Gateway | Centralized auth with Kong or Traefik |

Separate Projects

Azure Entra ID and AWS Cognito labs live in their own repositories. See the Roadmap for details.


Quick Start

Step 1: Start Shared Infrastructure

```bash
cd authentication/infrastructure
docker compose up -d
```

This starts Keycloak, PostgreSQL, MinIO, and the Terraform container. Wait for Keycloak to become healthy (~60s).

Step 2: Apply Shared Terraform

```bash
docker exec -it terraform-auth zsh
cd /home/developer/workspace/keycloak
terraform init && terraform apply -auto-approve
```

This creates the auth-server realm, the owner user, and shared roles.

Step 3: Start a Lab

```bash
cd authentication/labs/01-authorization-code
docker compose up -d
```

Each lab has its own docker-compose.yaml that joins the auth-lab network.

Step 4: Apply Lab Terraform (if applicable)

```bash
# Still inside the terraform container
cd /home/developer/workspace/labs/01-authorization-code/terraform
terraform init && terraform apply -auto-approve
```

This registers the lab-specific OIDC client and scopes.

Step 5: Open the App

Navigate to http://localhost:5173 and log in with owner / owner.

TIP

Run docker compose ps in both the infrastructure/ and lab directories to verify all containers are healthy before testing.
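
The wait for Keycloak in Step 1 and the realm created in Step 2 can also be checked from the host. The Go program below is an added example, not code from the lab repository: it polls the auth-server realm's OIDC discovery document on port 8080 until it is served and its advertised issuer equals the URL it was fetched from. It assumes Keycloak serves realms under /realms/<name> with no legacy /auth prefix; `probe` and `WaitForRealm` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"time"
)

var client = &http.Client{Timeout: 5 * time.Second}
// probe fetches the discovery document once; issuer must equal realmURL.
func probe(realmURL string) error {
	resp, err := client.Get(realmURL + "/.well-known/openid-configuration")
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	var doc struct{ Issuer string `json:"issuer"` }
	switch {
	case resp.StatusCode != http.StatusOK:
		return fmt.Errorf("discovery returned HTTP %d", resp.StatusCode)
	case json.NewDecoder(resp.Body).Decode(&doc) != nil:
		return fmt.Errorf("discovery document is not valid JSON")
	case doc.Issuer != realmURL:
		return fmt.Errorf("issuer %q does not match %q", doc.Issuer, realmURL)
	}
	return nil
}

// WaitForRealm retries probe every interval until it passes or timeout elapses.
// Assumption: realms are served under /realms/<name> (no legacy /auth prefix).
func WaitForRealm(baseURL, realm string, timeout, every time.Duration) error {
	u := baseURL + "/realms/" + realm
	deadline := time.Now().Add(timeout)
	for err := probe(u); err != nil; err = probe(u) {
		if time.Now().After(deadline) {
			return fmt.Errorf("realm %q not ready: %w", realm, err)
		}
		time.Sleep(every)
	}
	return nil
}

func main() { // port 8080 and realm auth-server are the values from this page
	if err := WaitForRealm("http://localhost:8080", "auth-server", 90*time.Second, 3*time.Second); err != nil {
		log.Fatal(err)
	}
}
```

An issuer mismatch here means tokens will carry an `iss` value different from the URL the check used, which a resource server that validates the issuer will reject.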


Service Map

| Service | Port | Scope | Description |
|---|---|---|---|
| Keycloak | 8080 | Shared | Identity Provider |
| PostgreSQL | 5432 | Shared | Keycloak database |
| MinIO | 9000/9001 | Shared | Terraform state backend |
| Terraform | -- | Shared | IaC container (exec into it) |
| React Client | 5173 | Per-lab | Frontend SPA |
| Go Backend | 8081 | Per-lab | Resource server with JWT validation |

Released under the MIT License.