Keycloak
Keycloakidentity4 credentials
Bootstrap Admin Password
keycloak / bootstrap-admin-password
Keycloak container deployments bootstrap an administrator with environment variables. Keycloak documents KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD for the initial admin user when starting a container.
Location
KC_BOOTSTRAP_ADMIN_USERNAME, KC_BOOTSTRAP_ADMIN_PASSWORD, KEYCLOAK_ADMIN, KEYCLOAK_ADMIN_PASSWORD/adminKeycloak Admin Console login
Kubernetes Secrets, container environment secrets, Helm values, and cloud secret managers
Docker Compose files, Helm charts, tests, and committed deployment manifests
container startup logs and provisioning output
Notes
The documented admin/change_me values are examples, not shipped universal defaults. Treat the bootstrap password as deployment-specific.
Database Credentials
keycloak / database-credentials
Keycloak supports external databases and container documentation shows database configuration through KC_DB, KC_DB_URL, KC_DB_USERNAME, and KC_DB_PASSWORD. These credentials back the Keycloak realm and user store.
Location
KC_DB_USERNAME, KC_DB_PASSWORD, KC_DB_URLkeycloak.conf, Docker Compose files, Helm values, and operator custom resources
Kubernetes Secrets, cloud secret managers, and database password vault entries
committed container definitions, test configs, and deployment manifests
database connection errors and startup traces
Notes
Database access can expose realm configuration, users, credential hashes, clients, sessions, and identity-provider configuration.
OIDC Client Secret
keycloak / client-secret
Keycloak OpenID Connect confidential clients use client credentials. Keycloak documents confidential client credentials and client secret rotation policies in the server administration guide.
Location
Keycloak realm database storing client configuration and credentials
KEYCLOAK_CLIENT_SECRET, OIDC_CLIENT_SECRETapplication config, adapter config, .env files, and deployment manifests
Kubernetes Secrets, cloud secret managers, CI/CD variables, and app secrets
committed adapter configs, examples, tests, and Helm values
token exchange traces and OIDC client debug logs
Notes
A client secret can authenticate the application to Keycloak token endpoints and should be rotated if exposed.
Realm Signing Private Key / Keystore Secret
keycloak / realm-signing-key
Keycloak realms use keys to sign tokens and can load or rotate generated key pairs and Java keystores. Private keys and keystore passwords protect token signing material.
Looks like
pattern-----BEGIN (?:RSA |EC |)PRIVATE KEY-----Location
Keycloak realm key provider and component configuration
Java keystores, realm exports, key provider config, and deployment manifests
Kubernetes Secrets, HSM/KMS-backed stores, Java keystores, and cloud secret managers
committed realm exports, test keys, and container build contexts
Notes
Signing private keys can mint tokens trusted by clients for the affected realm until keys are rotated and clients refresh metadata.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.