Identity Brokering · Beginner · 12 min read · June 12, 2026

Keycloak Facebook Identity Provider: Social Login Setup

Add Facebook as an identity provider in Keycloak so users can sign in with their Facebook account. Covers Meta app creation, Facebook Login product configuration, Keycloak IDP setup, attribute mappers, and first login flow.

KeycloakPro Team

Introduction

Facebook uses OAuth 2.0, not OIDC. There's no id_token, and profile data comes from the Graph API rather than a standard userinfo endpoint. Keycloak's built-in Facebook provider handles these differences for you — you provide the App ID and App Secret, and Keycloak takes care of the rest.

Users see a "Continue with Facebook" button on your Keycloak login page. After they authenticate with Facebook, Keycloak creates a local account on their first login and links it to their Facebook identity.

How identity brokering works

The login flow goes: user clicks "Continue with Facebook" → Keycloak redirects to Facebook → user authorizes your app → Facebook sends an authorization code to Keycloak's broker endpoint → Keycloak fetches profile data from the Graph API → Keycloak creates or links the user → user lands in your application.

Your application only talks to Keycloak. The Facebook access token stays inside Keycloak. The redirect URI you register in the Meta app is:

https://keycloak.example.com/realms/YOUR_REALM/broker/facebook/endpoint

Prerequisites

  • Keycloak 24+ running on HTTPS
  • A Keycloak realm with admin access
  • A Meta developer account at developers.facebook.com
  • A Facebook Business or personal account to own the app

Step 1 — Create a Meta app

In the Meta Developer Portal:

  1. My Apps → Create App
  2. Use case: Authenticate and request data from users with Facebook Login (Consumer apps)
  3. App name: something that identifies your service to users (they see this on the authorization screen)
  4. App contact email: your support email
  5. Business account: optional for social login, required for some permissions

Click Create app.

[Screenshot: Meta Developer Portal Create App page, with the "Authenticate and request data" use case selected and the App name and App contact email fields.]
The use case you pick here determines which products are pre-added to the app — Consumer apps include Facebook Login by default.

Step 2 — Add the Facebook Login product

If Facebook Login isn't already listed under Add products to your app:

  1. On the app dashboard, click Add Product
  2. Find Facebook Login → click Set up
  3. Platform: Web
  4. Site URL: https://keycloak.example.com → click Save

[Screenshot: Meta Developer Portal app dashboard, with Facebook Login listed as an installed product in the left sidebar.]
Facebook Login must be an installed product before you can configure redirect URIs.

Step 3 — Configure Valid OAuth redirect URIs

In the left sidebar:

  1. Facebook Login → Settings
  2. Valid OAuth Redirect URIs → add: https://keycloak.example.com/realms/YOUR_REALM/broker/facebook/endpoint
  3. Click Save changes

[Screenshot: Meta Facebook Login Settings page, with the Keycloak broker endpoint added under Valid OAuth Redirect URIs.]
The redirect URI must match exactly — Meta checks path and scheme. Add the production URI here even if you're testing locally first.

Step 4 — Copy the App ID and App Secret

In the app settings:

  1. App settings → Basic
  2. Copy the App ID (shown at the top)
  3. Click Show next to App Secret, confirm with your Facebook password, then copy

[Screenshot: Meta App Settings → Basic page, with the App ID at the top and the App Secret field with its Show button.]
The App Secret is hidden by default — you need to reauthenticate to view it.

Step 5 — Add Facebook as an Identity Provider in Keycloak

In the Keycloak admin console:

  1. Select your realm
  2. Identity Providers → Add provider → Facebook
  3. Client ID: paste the App ID from Step 4
  4. Client Secret: paste the App Secret from Step 4
  5. Default Scopes: email public_profile (Keycloak sets this for the Facebook provider)

Click Add.

[Screenshot: Keycloak admin console Identity Providers page, Facebook provider with Client ID set to the Meta App ID and Client Secret set to the App Secret.]
The built-in Facebook provider handles the Graph API call automatically — you don't need to set up userinfo URLs manually.

Step 6 — Configure attribute mappers

Open Identity Providers → Facebook → Mappers. Keycloak's built-in Facebook provider creates default mappers:

Facebook field   Keycloak user attribute
id               External user ID (identity link)
email            email
name             full name

Facebook's first_name and last_name fields are available from the Graph API response. To populate Keycloak's firstName and lastName attributes, add mappers manually:

  1. Mappers → Add mapper
  2. Mapper type: Attribute Importer
  3. Name: first_name
  4. Claim: first_name
  5. User Attribute Name: firstName
  6. Save

Repeat for last_name → lastName.

[Screenshot: Keycloak Identity Provider Mapper creation form, Attribute Importer type with Claim set to first_name and User Attribute Name set to firstName.]
Facebook's field names use underscores — first_name and last_name — while Keycloak's built-in attribute names use camelCase.

Step 7 — Configure the First Login Flow

In Identity Providers → Facebook → Settings → First Login Flow, the default first broker login flow:

  • Shows the user a profile review page (name, email) on first login
  • Checks if a Keycloak account already exists with the same email
  • If a match exists, offers account linking
  • If no match, creates a new Keycloak user

Important note on Facebook emails: Not all Facebook accounts have a verified email address. If a user's Facebook account has no email, the email attribute will be blank in Keycloak. The first broker login flow prompts the user to enter an email in that case.

Set Sync Mode:

  • import — copy Facebook attributes on first login only
  • force — overwrite Keycloak attributes from Facebook on every login

[Screenshot: Keycloak Facebook Identity Provider Settings, with First Login Flow set to first broker login and Sync Mode set to import.]
The first broker login flow handles the case where a user already has a Keycloak account with the same email — they're prompted to link the accounts.

Step 8 — Switch the app to Live mode

While the app is in Development mode, only accounts listed in the app's Roles (Administrators, Developers, Testers) can log in. External users see an error.

To allow any Facebook user:

  1. App Settings → Basic → scroll to App Mode
  2. Click Go Live (or toggle the switch in the header)
  3. You need a privacy policy URL and (for some apps) an icon

[Screenshot: Meta app header, App Mode switch in the off position with a Go Live button and a note that the app is in development mode.]
Development mode restricts login to app team members only — switch to Live before opening to users.

For apps that only request email and public_profile, Meta typically approves Go Live without additional review.

Step 9 — Test the login

Open a private browser window and go to your Keycloak realm login page. A Continue with Facebook button appears.

[Screenshot: Keycloak login page, username and password form with a Continue with Facebook button below.]
The button text defaults to the provider display name — customizable in Identity Providers settings.

After authenticating with Facebook, Keycloak shows the review profile page on first login, then sends the user to your application. Verify the federated account: Keycloak admin → Users → find the user → Identity Provider Links tab.

[Screenshot: Keycloak User detail page, Identity Provider Links tab, with a Facebook row showing the alias facebook and the Facebook user ID as the external user ID.]
The external user ID is the Facebook numeric user ID — unique per user and never reused.
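Once the console setup works, most teams want Steps 5 to 7 reproducible across environments, plus a scripted version of the Step 9 check. The script below is an added example, not code from KeycloakPro or the Keycloak project. It uses the Keycloak Admin REST API and assumes: the Keycloak 24+ URL layout (no /auth prefix), an admin bearer token obtained separately (for example from the master realm's token endpoint with the admin-cli client), the App ID and App Secret from Step 4, and the mapper provider id facebook-user-attribute-mapper, which is what the Attribute Importer of the Facebook provider registers as. The environment variable names in the `__main__` block are this example's own choice.

```python
"""Added example (not KeycloakPro's or Keycloak's own code): apply Steps 5-7 through
the Keycloak Admin REST API and run the Step 9 Identity Provider Links check.
Assumes Keycloak 24+ URL layout (no /auth prefix) and an admin bearer token
obtained separately; APP_ID/APP_SECRET are the values from Step 4."""
import json
import urllib.error
import urllib.request
from urllib.parse import quote

SYNC_MODES = {"IMPORT", "FORCE", "LEGACY"}   # values Keycloak accepts for config.syncMode


def broker_redirect_uri(base_url, realm, alias="facebook"):
    """Exact URI that must appear in Meta's Valid OAuth Redirect URIs (Step 3)."""
    return f"{base_url.rstrip('/')}/realms/{quote(realm, safe='')}/broker/{alias}/endpoint"


def idp_payload(app_id, app_secret, sync_mode="IMPORT"):
    """IdentityProviderRepresentation for the built-in Facebook provider (Steps 5 and 7)."""
    if sync_mode not in SYNC_MODES:
        raise ValueError(f"sync_mode must be one of {sorted(SYNC_MODES)}")
    return {
        "alias": "facebook",
        "providerId": "facebook",
        "enabled": True,
        # Facebook e-mails are not always verified, so keep Keycloak's own verification in place.
        "trustEmail": False,
        "firstBrokerLoginFlowAlias": "first broker login",
        "config": {
            "clientId": app_id,
            "clientSecret": app_secret,
            "defaultScope": "email public_profile",
            "syncMode": sync_mode,
        },
    }


def mapper_payload(json_field, user_attribute, alias="facebook"):
    """Attribute Importer mapper: Graph API field -> Keycloak user attribute (Step 6)."""
    return {
        "name": json_field,
        "identityProviderAlias": alias,
        "identityProviderMapper": "facebook-user-attribute-mapper",
        "config": {"jsonField": json_field, "userAttribute": user_attribute, "syncMode": "INHERIT"},
    }


def admin_call(base_url, token, method, path, body=None):
    """Minimal Admin REST client; returns the decoded JSON body (None for empty responses)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{base_url.rstrip('/')}/admin/realms/{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=15) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def configure_facebook_idp(base_url, realm, token, app_id, app_secret, sync_mode="IMPORT"):
    """Create the provider and the two name mappers if they are missing (safe to re-run)."""
    r = quote(realm, safe="")
    try:
        admin_call(base_url, token, "GET", f"{r}/identity-provider/instances/facebook")
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise
        admin_call(base_url, token, "POST", f"{r}/identity-provider/instances",
                   idp_payload(app_id, app_secret, sync_mode))
    existing = admin_call(base_url, token, "GET", f"{r}/identity-provider/instances/facebook/mappers") or []
    present = {m["name"] for m in existing}
    for field, attr in (("first_name", "firstName"), ("last_name", "lastName")):
        if field not in present:
            admin_call(base_url, token, "POST", f"{r}/identity-provider/instances/facebook/mappers",
                       mapper_payload(field, attr))
    return broker_redirect_uri(base_url, realm)


def federated_links(base_url, realm, token, username):
    """Step 9 check: the Identity Provider Links of one user (empty list if none or no such user)."""
    r = quote(realm, safe="")
    users = admin_call(base_url, token, "GET", f"{r}/users?username={quote(username)}&exact=true") or []
    if not users:
        return []
    return admin_call(base_url, token, "GET", f"{r}/users/{users[0]['id']}/federated-identity") or []


if __name__ == "__main__":
    import os  # env var names below are this example's own convention
    uri = configure_facebook_idp(os.environ["KEYCLOAK_URL"], os.environ["REALM"], os.environ["ADMIN_TOKEN"],
                                 os.environ["APP_ID"], os.environ["APP_SECRET"])
    print("Register this under Valid OAuth Redirect URIs in Meta:", uri)
    for link in federated_links(os.environ["KEYCLOAK_URL"], os.environ["REALM"], os.environ["ADMIN_TOKEN"],
                                os.environ.get("CHECK_USER", "")):
        print(link["identityProvider"], link["userId"])
```

The script prints the broker endpoint it derived so you can paste the exact string into Meta rather than retyping it. Each federated-identity entry returned for a user carries the provider alias and the external user ID, the same two values the Identity Provider Links tab shows.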

Troubleshooting common issues

"App Not Set Up" from Facebook

The app is in Development mode and the login attempt is from an account that isn't an app administrator, developer, or tester. Either add the account to the app's roles in Meta Developer Portal → Roles, or switch the app to Live mode.

"URL Blocked: This redirect failed because the redirect URI is not whitelisted"

The exact redirect URI in Facebook Login → Settings → Valid OAuth Redirect URIs doesn't match what Keycloak sends. The correct URI format is:

https://keycloak.example.com/realms/YOUR_REALM/broker/facebook/endpoint

Copy this directly from Keycloak: Identity Providers → Facebook → Redirect URI field in the settings panel.
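When the "URL Blocked" error appears, the mismatch is usually a single component: http instead of https, a trailing slash, the pre-Keycloak 17 /auth prefix, or a realm name with different casing. The function below is an added example (not from the original article) that compares the URI Keycloak sends with each entry registered in Meta and names the differing component; the registered list is constructed sample data standing in for what you would read off the Facebook Login → Settings page.

```python
"""Added example (not from the original article): explain why a registered Meta
redirect URI does not exactly match the URI Keycloak's broker endpoint uses."""
from urllib.parse import urlsplit


def diagnose_redirect_uris(expected, registered):
    """Return {registered_uri: reason} for every entry that is not an exact match.

    An empty dict means at least one registered entry matches exactly, which is
    what Meta requires; it checks scheme, host and path literally."""
    if expected in registered:
        return {}
    exp = urlsplit(expected)
    report = {}
    for uri in registered:
        got = urlsplit(uri)
        reasons = []
        if got.scheme != exp.scheme:
            reasons.append(f"scheme {got.scheme!r} (Keycloak sends {exp.scheme!r})")
        if got.netloc.lower() != exp.netloc.lower():
            reasons.append(f"host {got.netloc!r} (Keycloak sends {exp.netloc!r})")
        if got.path != exp.path:
            if got.path.rstrip("/") == exp.path.rstrip("/"):
                reasons.append("trailing slash differs")
            elif got.path.startswith("/auth/"):
                reasons.append("has the legacy /auth prefix that Keycloak 17+ no longer uses")
            else:
                # realm names are case-sensitive, so YOUR_REALM and your_realm are different paths
                reasons.append(f"path {got.path!r} (Keycloak sends {exp.path!r})")
        if got.query or got.fragment:
            reasons.append("query string or fragment present")
        report[uri] = "; ".join(reasons) or "no component difference detected; re-check for stray whitespace"
    return report


# Constructed sample: the endpoint from the IdP's Redirect URI field, and a typical
# set of entries that were pasted into Meta by hand.
EXPECTED = "https://keycloak.example.com/realms/YOUR_REALM/broker/facebook/endpoint"
SAMPLE_REGISTERED = [
    "http://keycloak.example.com/realms/YOUR_REALM/broker/facebook/endpoint",
    "https://keycloak.example.com/realms/YOUR_REALM/broker/facebook/endpoint/",
    "https://keycloak.example.com/auth/realms/YOUR_REALM/broker/facebook/endpoint",
    "https://keycloak.example.com/realms/your_realm/broker/facebook/endpoint",
]

if __name__ == "__main__":
    for uri, reason in diagnose_redirect_uris(EXPECTED, SAMPLE_REGISTERED).items():
        print(f"{uri}\n    -> {reason}")
```

Feed it the value from the Redirect URI field in Keycloak's Facebook provider settings as `expected`; an empty result means Meta already has an exact match and the problem lies elsewhere (for example, a different realm or hostname than the one you think you are testing against).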

User can log in but email is blank

Facebook accounts don't require a verified email address. If the user's Facebook account has no email, the email claim won't be in the response. The first broker login flow will prompt for an email. You cannot force Facebook to provide an email.

Login works but firstName and lastName are blank

You need the attribute mappers from Step 6. The default mappers don't include first_name and last_name. Add the two Attribute Importer mappers and test with a new login (or force a profile sync by setting Sync Mode to force).

"permissions" error from Facebook

If you added non-default permissions to your app (beyond email and public_profile), Meta requires app review for those permissions before they work for Live mode users. Remove additional permissions if you don't need them, or complete the Meta app review process.

Production checklist

  • App in Live mode — Development mode blocks all non-team users
  • App Secret stored outside source control
  • Privacy policy URL configured in the Meta app (required for Go Live)
  • Redirect URI in Meta matches Keycloak's broker endpoint exactly
  • Handling for accounts without a Facebook email (first broker login flow prompts for it)
  • first_name and last_name mappers added if your application uses these attributes
  • Sync Mode chosen deliberately: import or force
  • App review not required for email and public_profile — only for additional permissions
