What Keycloak version do you use?

We deploy Keycloak 26.x (latest stable) for all new projects. For existing deployments, we offer migration paths from Keycloak 18+ (including the legacy WildFly-based versions) to the modern Quarkus-based distribution.

How long does a typical project take?

Simple implementations (passkeys, theming) take 5-10 business days. Multi-tenancy and HA clusters typically take 2-3 weeks. Full CIAM overhauls run 4-6 weeks. We provide exact timelines in our fixed-price proposals.

Can you migrate us from Okta, Auth0, or Firebase Auth?

Yes. We have battle-tested migration playbooks for Okta, Auth0, Firebase Auth, AWS Cognito, and Azure AD B2C. We handle user migration, session continuity, and social login re-linking with zero downtime.

What does 'fixed price' mean? Are there hidden costs?

Our quotes are all-inclusive. The price covers discovery, architecture, implementation, testing, deployment, documentation, and 30-day warranty support. Infrastructure costs (cloud hosting) are separate and transparently estimated upfront.

Do you offer ongoing managed services?

Yes. Our Managed Keycloak-as-a-Service starts at $1,800/month and includes 24/7 monitoring, patching, scaling, security updates, and incident response. Think of it as your dedicated Keycloak ops team without the hiring overhead.

Is Keycloak really enterprise-ready?

Absolutely. Keycloak is backed by Red Hat (IBM), powers thousands of enterprise deployments globally, and is the upstream for Red Hat SSO. It supports SAML 2.0, OIDC, LDAP/AD federation, and every enterprise SSO protocol you need.

What about vendor lock-in?

Zero. Keycloak is 100% open source (Apache 2.0). You own your deployment, your data, and your configuration. Everything we build is yours — full source code, Terraform configs, and documentation included in every project.

Do you work with our existing DevOps team?

Yes. We integrate seamlessly with your existing CI/CD pipelines, cloud infrastructure, and DevOps workflows. We provide Terraform/OpenTofu IaC, Helm charts, and comprehensive runbooks so your team can maintain the deployment independently.

Odoo SSO with Keycloak using OIDC

Introduction

Note: This add-on requires Odoo 16 or 17. Community and Enterprise editions are both supported.

Odoo's built-in OAuth provider module (auth_oauth) supports basic OAuth 2.0 flows but lacks proper OpenID Connect (OIDC) support — it does not validate ID tokens, does not map group claims, and does not handle token refresh. This guide uses a custom add-on that fills these gaps, giving you a standards-compliant OIDC flow with group synchronisation.

By the end of this guide, Odoo users will log in via your Keycloak realm, receive roles from their Keycloak group membership, and be transparently linked to their existing Odoo accounts by email.

Prerequisites

Keycloak 24+ running and accessible (HTTPS in production)
Odoo 16 or 17 (Community or Enterprise)
KeycloakPro's pre-built Keycloak image — includes this custom OIDC add-on plus 300+ pre-configured application integrations. Contact Us to get access.
Admin access to both Keycloak and Odoo
sudo access to the Odoo server

Step 1 — Configure Keycloak as OpenID Server.

Open the Keycloak admin console and navigate to your target realm (create one named odoo if you prefer isolation).

Navigate to the "App Gallery":

Search for "Odoo"
Client type: OpenID Connect
Click Next

Keycloak admin console: new OIDC client creation dialog showing Client type set to OpenID Connect and Client ID odoo-web — Create a new OIDC client in the Keycloak admin console

Keycloak Odoo client settings:

Odoo Instance URL: https://sales.example.com
Odoo Client ID: my-odoo
Click on "Review Configuration"

1.2 — Note your client secret and OpenID configurations:

Step 2 — Install the custom OIDC add-on

Copy the provided zip file to your Odoo server and extract it into the extra addons directory:

sudo cp keycloak_oidc.zip /mnt/extra-addons/
sudo unzip /mnt/extra-addons/keycloak_oidc.zip -d /mnt/extra-addons/
sudo chown -R odoo:odoo /mnt/extra-addons/keycloak_oidc

Restart the Odoo service to pick up the new module:

sudo systemctl restart odoo

Then in the Odoo backend:

Activate developer mode: Settings → General Settings → scroll to bottom → Activate developer mode
Apps → Update Apps List → Update
Search for Keycloak OIDC → Install

Step 3 — Configure the OAuth provider in Odoo

Navigate to Settings → Users & Companies → OAuth Providers and click New.

Odoo Settings: OAuth Providers list page showing the New button to add a provider — OAuth Providers list in Odoo Settings — create a new provider for Keycloak

Note: Refer to step 1.2 for the client secret and OpenID configuration values.

Field	Value
Provider name	`Keycloak`
Token Map	sub:user_id email:email preferred_username:username
Client ID	`my-odoo`
Client Secret	(paste from Keycloak credentials tab)
Allowed	✓
Login button label	`Employee Login`
Authorization URL	`Authorization URL from` step 1.2
Scope	`openid email profile`
UserInfo URL	`UserInfo URL from` step 1.2
Token URL	`Token URL from` step 1.2
JWKS URL	Copy from step 1.2
Data EndPoint	(leave empty — the add-on uses the ID token directly)
End Session URL	`Logout URL from` step 1.2

Note: groups scope is added by default in the Odoo application in KeycloakPro.

Click Save.

Step 4 — Map groups to Odoo access rights

The custom add-on reads the groups claim from the Keycloak ID token and looks up matching Odoo internal groups by Role Value.

Navigate to Settings → Users & Companies → OAuth Providers --> "Role mapping" --> Select "Keycloak" ( recently added provider) (added by the module):

Keycloak Groups showing telemarketing_member group mapped to telemarketing_member groups (Custom group used to manage permissions in Odoo) — Keycloak Group and Odoo Role mapping allows us to configure permissions that will be assigned to users in Odoo, these are checked each time a user logs in

Keycloak group path	Role Value	User Type	Groups	Home Actions
`groups`	telemarketing_member	Internal User	(Groups for managing permissions)	Post Login redirect page

Create one mapping row per Keycloak group you want to honour. Users in unmatched groups receive no additional Odoo rights.

Keycloak Groups showing telemarketing_member/admin/Sales group mapped to telemarketing_member/sales/admin groups (Custom group used to manage permissions in Odoo) — Example configurations showing mapping different keycloak group with different Roles/Groups in Odoo

Open an incognito browser window and navigate to https://odoo.example.com/web/login.

You should now see a Employee Login button below the standard login form.

Odoo login page showing the standard username/password form and a Log in with Keycloak button below it — The Keycloak SSO button appears alongside the standard Odoo login form

Click the button. You will be redirected to the Keycloak login page for the odoo realm. After authenticating, Keycloak redirects back to Odoo, which:

Validates the ID token signature against Keycloak's JWKS endpoint
Matches the email claim to an existing Odoo user (or creates a new portal user)
Applies group mappings
Logs you in

Successful login — the user session is backed by a valid Keycloak token

Step 6 — Troubleshooting common issues

`invalid_redirect_uri`

Keycloak is rejecting the redirect. Double-check that the Valid redirect URIs in the Keycloak client exactly match https://odoo.example.com/auth_oauth/signin — trailing slashes and port numbers matter.

Clock skew errors

OIDC tokens have short lifetimes. Ensure NTP is synchronised on both the Keycloak server and the Odoo server:

sudo timedatectl status
sudo chronyc tracking

Missing `email` claim

The email scope is required. Confirm it is in the Odoo provider scope field and that the Keycloak user account has a verified email address.

Nginx proxy misconfig

If Odoo sits behind Nginx, ensure the proxy passes the Host header correctly and sets X-Forwarded-Proto https:

proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Step 7 — Production checklist

Before going live, verify:

HTTPS is enforced on both Keycloak and Odoo (no HTTP fallback)
ID token lifetime is set to 5 minutes in the Keycloak realm
Refresh token rotation is enabled (Keycloak realm settings → Sessions)
offline_access scope is NOT included unless you explicitly need offline tokens
Keycloak's access token max age aligns with your session timeout policy
Post-logout redirect URI is configured so users land back on the Odoo login page
Group mappings are tested with a user who is not an Odoo admin
SSO is tested from a fresh browser (no existing Odoo session cookies)

Need help integrating Odoo with Keycloak?

We deliver production-ready Odoo + Keycloak integrations in 1–3 weeks.

Fixed-price, zero vendor lock-in, full source code ownership.

Book a free 30-min call See integration packages