Phase Two Admin Portal

June 4, 2026 ยท View on GitHub

:rocket: Try it for free in Phase Two's Keycloak as a service.

Phase Two Admin Portal

More self-serve. More better.

The Phase Two Admin Portal ties together functionality from the Keycloak Account Console and Phase Two Organizations to allow your customers' users to self-manage as much of their account and organization functionality as is possible.

The Portal is deployed as a Keycloak extension, much like the Account Console, and is available at https://{host}/{relative-path}/realms/{realm}/portal/. Note that we are considering making this a drop-in replacement for the Account Console that can be selected simply in Realm Settings->Themes, but this would make it impossible to use both at the same time.

ezgif-4-811bfaae78

Quick start

The easiest way to get started is our Docker image. Documentation and examples for using it are in the phasetwo-containers repo. The most recent version of this extension is included.

docker run --name phasetwo_test --rm -p 8080:8080 \
    -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -e KC_HTTP_RELATIVE_PATH=/auth \
    quay.io/phasetwo/phasetwo-keycloak:$VERSION \
    start-dev --spi-email-template-provider=freemarker-plus-mustache --spi-email-template-freemarker-plus-mustache-enabled=true

Configuration

Requirements

Because this extension relies on the APIs provided by the keycloak-orgs extension, it is required to deploy them in the same Keycloak.

Visibility

Most of the visibility of functionality in the Portal is controlled by user permissions. However, it is also possible to control visibility through Realm Attributes. These attributes may be set manually, or by using the Phase Two extensions to the Keycloak Admin UI (Styles->Portal tab), which must also be installed in the same Keycloak.

image

When setting the attributes manually, the values are:

KeyDescriptionDefault
_providerConfig.portal.profile.enabledProfile section (whole)true
_providerConfig.portal.profile.password.enabledPassword updatetrue
_providerConfig.portal.profile.twofactor.enabled2fa create/updatetrue
_providerConfig.portal.profile.activity.enabledDevice activitytrue
_providerConfig.portal.profile.linked.enabledLinked accountstrue
_providerConfig.portal.org.enabledOrganizations section (whole)true
_providerConfig.portal.org.details.enabledDetails edittrue
_providerConfig.portal.org.members.enabledMembers listtrue
_providerConfig.portal.org.invitations.enabledInvitationstrue
_providerConfig.portal.org.domains.enabledDomainstrue
_providerConfig.portal.org.sso.enabledSSO (requires idp-wizard extension)true
_providerConfig.portal.org.events.enabledEventstrue

Style

It is also possible to add branding to the portal. It is recommended these, along with logos, are set through the Phase Two extensions to the Keycloak Admin UI, as there are other options there that are reused in Login forms styling, and the UI extensions also ensure that the attributes are set with appropriate values.

These style keys are built off of the Tailwind color formatting. The order of lowest color being lightest and highest color being darkest.

The keys specific to the Portal are:

KeyDescriptionDefault
_providerConfig.assets.portal.primary100Primary color - 100[empty]
_providerConfig.assets.portal.primary200Primary color - 200[empty]
_providerConfig.assets.portal.primary400Primary color - 400[empty]
_providerConfig.assets.portal.primary500Primary color - 500[empty]
_providerConfig.assets.portal.primary600Primary color - 600[empty]
_providerConfig.assets.portal.primary700Primary color - 700[empty]
_providerConfig.assets.portal.primary900Primary color - 900[empty]
_providerConfig.assets.portal.secondary800Secondary color - 800[empty]
_providerConfig.assets.portal.secondary900Secondary color - 900[empty]
_providerConfig.assets.portal.cssCSS override[empty]

If you are looking to generate custom css styles, use the following as a guideline. The UI currently only uses two generated styles from the colors:

    .text-primary-100 { color: ${colorValue}; }
    .bg-primary-100 { background-color: ${colorValue}; }

where ${colorValue} is whatever you decide as the value and the suffix can change as needed (i.e. primary-100 becomes primary-200 and so on).

Developers

Getting Started

First, setup:

yarn

Then, start a Keycloak server (use hosted Phase Two for easy testing), create a public OIDC client with http://localhost:3000 Root URL, and update the public/keycloak.json file with the client config.

Also update the initialEnvironment object in src/config.ts to reflect your local configuration. This fallback config is used when a runtime environment object is not injected, so values such as realm, authServerUrl, baseUrl, and supportedLocales should match your setup.

Finally, run the development server:

yarn dev

You mill most likely need to use the fully qualified portal url http://localhost:3000/auth/realms/master/portal.

Build the extension

mvn clean package

Put the jar in target/admin-portal-{version}.jar in the providers/ directory of your Keycloak distribution.

Code formatting

The build enforces Google Java formatting standards via Spotless. Use mvn spotless:check to verify formatting and mvn spotless:apply to fix it.

To enforce formatting automatically before every push, install the provided git pre-push hook:

mvn spotless:install-git-pre-push-hook

When you push, the hook runs spotless:check. If violations are found, it automatically runs spotless:apply, aborts the push, and lets you review and commit the formatted files before retrying.


All documentation, source code and other files in this repository are Copyright 2023 Phase Two, Inc.