Authentication for Local Development
This guide covers how authentication works in the local development environment, including Keycloak setup and login procedures.
Keycloak Setup
Keycloak runs at http://localhost:8081 and is automatically configured with realm imports when you run make start-deps.
Keycloak Admin Console
- URL: http://localhost:8081
- Username: admin
- Password: admin
Realms
| Realm | Purpose | Used by |
|---|---|---|
| internal | Administrative users | Admin Panel |
| customer | Bank customers | Customer Portal |
Realm definitions are stored in dev/keycloak/ and imported automatically on startup.
Admin Panel Login
- Navigate to http://admin.localhost:4455
- You'll be redirected to Keycloak
- Log in with: admin@galoy.io
- The admin panel uses the internal Keycloak realm with OIDC Code Flow
Customer Portal Login
- First, create a customer via the Admin Panel
- Open http://app.localhost:4455 in a separate browser or incognito window
- Enter the customer's email address
- Retrieve the login code:

```sh
make get-customer-login-code EMAIL=customer@example.com
```

- Enter the code to complete login
The Customer Portal uses NextAuth with the Keycloak provider for OIDC authentication.
Authentication Flow
How Oathkeeper Works
Oathkeeper listens on port 4455 and sits in front of every backend request, handling all authentication:
- Receives incoming requests carrying a Bearer JWT issued by Keycloak
- Validates the JWT signature against Keycloak's JWKS endpoint
- Issues an internal JWT whose audience is specific to the matched route and whose subject is the authenticated user
- Proxies the request to the appropriate upstream service (admin-server or customer-server)
The backend servers only accept internal JWTs from Oathkeeper — they verify using Oathkeeper's JWKS and check the audience claim.
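The two halves of that last step, the proxy minting a route-scoped internal JWT and the upstream verifying it against the proxy's JWKS, are shown below as an added Go example. It is not code from this project, Oathkeeper, or the admin/customer servers; it assumes ES256 signatures, a key id of `oathkeeper-dev-1`, and audience values `admin-server` and `customer-server`, none of which are confirmed by this page. The verifier pins the algorithm rather than trusting the token's header, resolves the key by `kid`, checks the signature over the exact bytes received, and only then evaluates `exp` and `aud`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is the subset of a JSON Web Key (EC P-256) that a verifier needs.
type jwk struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// jwks mirrors the {"keys":[...]} document a JWKS endpoint serves.
type jwks struct {
	Keys []jwk `json:"keys"`
}

// claims holds the fields the upstream checks. "aud" may be a string or an
// array in a JWT, so it is kept raw and normalised by audiences().
type claims struct {
	Sub string          `json:"sub"`
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
}

func (c claims) audiences() []string {
	var one string
	if json.Unmarshal(c.Aud, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(c.Aud, &many)
	return many
}

var b64 = base64.RawURLEncoding

// newTestKeys creates a throwaway P-256 key pair and the JWKS publishing its
// public half (a constructed stand-in for the key set the proxy would serve).
func newTestKeys(kid string) (*ecdsa.PrivateKey, jwks) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	pub := jwk{Kid: kid, Kty: "EC", Crv: "P-256",
		X: b64.EncodeToString(priv.PublicKey.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(priv.PublicKey.Y.FillBytes(make([]byte, 32)))}
	return priv, jwks{Keys: []jwk{pub}}
}

// mintToken plays the proxy's role: an ES256-signed JWT carrying a
// route-specific audience and the user's subject (hypothetical claim set).
func mintToken(priv *ecdsa.PrivateKey, kid, sub, aud string, ttlSeconds int64) string {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(map[string]interface{}{
		"sub": sub, "aud": aud, "exp": time.Now().Unix() + ttlSeconds})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	// JWS encodes an ECDSA signature as r||s, each zero-padded to 32 bytes.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64.EncodeToString(sig)
}

// verifyToken plays the upstream's role and returns the subject on success.
func verifyToken(token string, keys jwks, wantAud string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var header struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return "", err
	}
	if header.Alg != "ES256" { // the token never gets to choose the algorithm
		return "", fmt.Errorf("unexpected alg %q", header.Alg)
	}
	var pub *ecdsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kid == header.Kid && k.Kty == "EC" && k.Crv == "P-256" {
			xb, _ := b64.DecodeString(k.X)
			yb, _ := b64.DecodeString(k.Y)
			pub = &ecdsa.PublicKey{Curve: elliptic.P256(),
				X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
		}
	}
	if pub == nil {
		return "", fmt.Errorf("unknown kid %q", header.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("bad signature encoding")
	}
	// Verify over the received encoded bytes, not a re-serialisation of them.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature verification failed")
	}
	rawClaims, err := b64.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var c claims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return "", err
	}
	if time.Now().Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	for _, a := range c.audiences() {
		if a == wantAud {
			return c.Sub, nil
		}
	}
	return "", fmt.Errorf("audience mismatch: token not issued for %q", wantAud)
}

func main() {
	priv, keys := newTestKeys("oathkeeper-dev-1")
	tok := mintToken(priv, "oathkeeper-dev-1", "user-123", "admin-server", 300)
	fmt.Println(verifyToken(tok, keys, "admin-server"))    // user-123 <nil>
	fmt.Println(verifyToken(tok, keys, "customer-server")) // audience mismatch
}
```

The audience check is what keeps a token minted for one route from being replayed against the other upstream: a JWT that verifies cryptographically but carries `admin-server` as its audience is still rejected by customer-server, and a token signed with any key outside the proxy's JWKS fails before its claims are read.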
Token Lifetimes (Development)
| Token | Lifetime |
|---|---|
| Access token | 5 minutes |
| Refresh token | 30 minutes |
| Session | 8 hours |