Tags: security, keycloak, logging


Keycloak is a very versatile identity provider that enables numerous integration scenarios.


In some cases, additional research, investigation, and troubleshooting are required to get a particular integration working.

One of the main tools Keycloak provides for that is logging.


By default Keycloak logging is set to INFO level.


The log level can be raised globally or for specific log categories via environment variables set in the Keycloak StatefulSet in the system cluster.


As an example, add the following snippet to the env section of the keycloak container in the Keycloak StatefulSet (with proper indentation) and wait for the Keycloak pods to restart:


- name: KEYCLOAK_EXTRA_ARGS
  value: --log-level=info,org.keycloak.services.resources.IdentityBrokerService:debug


This example raises the log level to DEBUG for the org.keycloak.services.resources.IdentityBrokerService log category while keeping the global log level at INFO.


This is particularly helpful when troubleshooting integration issues with external SAML and OIDC identity providers.
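The same change applied from the command line, as an added example (not part of the original article or of Keycloak's own tooling): the helper builds the --log-level value from a root level plus category overrides, rejects malformed entries, then sets it with kubectl and waits for the restart. The namespace and StatefulSet name (both "keycloak") are assumptions, as is KEYCLOAK_EXTRA_ARGS carrying no other options.

```shell
#!/bin/sh
# Added example. Assumptions (not from the article): namespace and StatefulSet
# are both named "keycloak", and KEYCLOAK_EXTRA_ARGS holds only --log-level
# (setting it here overwrites any other arguments stored in that variable).
NS="${NS:-keycloak}"
STS="${STS:-keycloak}"

# Succeeds if $1 is a level listed in the Keycloak logging guide (any case).
valid_level() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    off|fatal|error|warn|info|debug|trace|all) return 0 ;;
    *) return 1 ;;
  esac
}

# build_log_level ROOT [CATEGORY:LEVEL ...]
# Prints "--log-level=ROOT,CATEGORY:LEVEL,..." or fails on a malformed entry.
build_log_level() {
  valid_level "${1:-}" || { echo "bad root level: ${1:-}" >&2; return 1; }
  out="--log-level=$1"
  shift
  for entry in "$@"; do
    category="${entry%:*}"   # text before the last colon
    level="${entry##*:}"     # text after the last colon
    # Require a colon, a non-empty category and a known level.
    [ "$category" != "$entry" ] && [ -n "$category" ] && valid_level "$level" \
      || { echo "bad override: $entry" >&2; return 1; }
    out="$out,$category:$level"
  done
  printf '%s\n' "$out"
}

# apply_log_level ROOT [CATEGORY:LEVEL ...]
# Sets KEYCLOAK_EXTRA_ARGS on the keycloak container and waits for the pods
# to restart (rollout status needs the RollingUpdate update strategy).
apply_log_level() {
  args="$(build_log_level "$@")" || return 1
  kubectl -n "$NS" set env "statefulset/$STS" -c keycloak "KEYCLOAK_EXTRA_ARGS=$args" &&
    kubectl -n "$NS" rollout status "statefulset/$STS" --timeout=10m
}

# While troubleshooting an identity provider, then back to the default level:
#   apply_log_level info org.keycloak.services.resources.IdentityBrokerService:debug
#   apply_log_level info
```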


The following article describes in more detail how Keycloak logging can be configured via this parameter:

https://www.keycloak.org/server/logging