# keycloak

Identity provider for SSO across grafana, node-red, gitea, jenkins, portainer.

- **Networks**: `app` (OIDC endpoints for relying apps) + `mgmt` (admin console)
- **Storage**: stub uses bundled file storage; move to `sql` stack before production
- **TODO**: realm + client provisioning (kc.sh or terraform-keycloak), session/token lifetimes, theme branding