Extensions Management

Extensions let you customize and enhance your Keycloak deployment by adding features beyond what Keycloak provides out of the box. From the deployment page, you can browse available extensions, install them, and manage the extensions already running on your deployment.

Before installing your own extensions on a deployment, you must first upload and validate them from My Extensions.

How to access deployment extensions?

  1. Open Cloud-IAM console
  2. Select the Keycloak deployment you want to manage
  3. Navigate to the Extensions section

From here, you can browse three tabs:

  • Installed — extensions currently installed on this deployment
  • My Extensions — your organization's custom extensions
  • Marketplace — extensions published by Cloud-IAM and other organizations
Cloud-IAM Console - Deployment Extensions

How to install an extension from my organization?

Before installing, ensure your extension has at least one validated release compatible with your deployment's current Keycloak version. See My Extensions to upload and validate your extensions.

  1. Follow this tutorial to access deployment extensions
  2. Click on the My Extensions tab
  3. Select the extension to install (a drawer will appear with the extension details)
  4. Click on Install
  5. Choose whether to Apply now or Defer the installation
  6. Click on Install to confirm

The extension becomes active once your Keycloak deployment has redeployed through the rolling upgrade process, which takes 5–10 minutes.

When to use the defer option?

Deferring is useful when additional configuration is needed before the extension runs, such as setting environment variables in the Keycloak admin console. It also allows you to batch multiple extension installations into a single redeployment.

Cloud-IAM Console - Install extension

How to install an extension from the Marketplace?

Marketplace extensions are published by Cloud-IAM or other organizations and can be free or paid. Unlike extensions from My Extensions, where your organization owns the code and manages releases, Marketplace extensions are fully maintained by their publisher — you simply install and use them.

  1. Follow this tutorial to access deployment extensions
  2. Browse by category (e.g. Authentication, Authorization) or search for a specific extension
  3. Select the extension to install (a drawer will appear with the extension details)
  4. Click on Install
  5. Choose whether to Apply now or Defer the installation
  6. Click on Install to confirm

The Marketplace extension becomes active once your Keycloak deployment has redeployed through the rolling upgrade process, which takes 5–10 minutes.

Cloud-IAM Console - Install extension from marketplace

How to update an installed extension?

When a new release is available for an extension already installed on your deployment, it appears with an Update available badge in the Installed tab. This happens when a newer validated release compatible with your deployment's current Keycloak version is published — either in My Extensions for your own extensions, or by the publisher for Marketplace extensions.

  1. Follow this tutorial to access deployment extensions
  2. Click on the Installed tab
  3. Select the extension with an available update — a details panel will open on the right
  4. Click on Update
  5. Choose whether to Apply now or Defer the update
  6. Click on Update to confirm

The new release becomes active once your Keycloak deployment has redeployed through the rolling upgrade process, which takes 5–10 minutes.

When would you update an extension?

Common reasons to publish a new release and update an installed extension include:

  • Bug fixes or security patches
  • New features or enhancements
  • Compatibility updates for newer Keycloak versions
  • Performance improvements
  • Configuration or SPI changes
Cloud-IAM Console - Update extension

How to uninstall an extension?

If an extension is no longer needed on your deployment, you can remove it directly from the Cloud-IAM Console. Uninstalling removes the extension from your Keycloak deployment but does not delete it from your organization's My Extensions library.

  1. Follow this tutorial to access deployment extensions
  2. Click on the Installed tab
  3. Select the extension you want to remove (a details panel will open on the right)
  4. Click on Uninstall
  5. Choose whether to Apply now or Defer the removal
  6. Click on Uninstall to confirm

The extension is removed from your deployment once your Keycloak deployment has redeployed through the rolling upgrade process, which takes 5–10 minutes.

This action cannot be undone

Once the redeployment is complete, the extension and any associated configuration will be removed from your Keycloak deployment. If you need the extension again later, you can reinstall it at any time.

Cloud-IAM Console - Uninstall extension

How to get the deployment ID?

  1. Open Cloud-IAM console
  2. Select the Keycloak deployment where you want to upload the custom extension
  3. In the summary section, copy the Deployment ID.
Cloud-IAM Console - Get the deployment ID

How to install extensions on a deployment?

  1. Obtain a Bearer token using a Service Account
  2. Obtain your Deployment ID
  3. Obtain your Extension ID
  4. Execute this command, replacing {deploymentId} with your Deployment ID and the extensionIds values with your Extension IDs:
shell
curl -s -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "extensionIds": ["ext-001", "ext-002"],
    "applyNow": true
  }' \
  "https://api.cloud-iam.com/deployments/{deploymentId}/marketplace/extensions"

Request body fields:

  • extensionIds (required) — list of extension IDs to install
  • applyNow (required) — set to true to trigger a redeployment immediately, or false to install without applying

TIP

Returns 204 No Content on success.

WARNING

The deployment must be in a RUNNING state. The request will fail if the deployment is not running.
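
The install request above wrapped in a script, as an added example that is not Cloud-IAM's own tooling: it validates the IDs before they reach the URL or the JSON body, keeps the bearer token out of the process list, and treats anything other than 204 as a failure. The function names and the allowed ID character set are assumptions.

```shell
#!/bin/sh
# Added example (not Cloud-IAM tooling): hardened wrapper for the install call.
API="https://api.cloud-iam.com"

# Assumption: IDs use only letters, digits, '_' and '-'. Anything else is
# rejected so it cannot alter the URL path or break out of the JSON string.
valid_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
}

# install_body <applyNow> <extensionId>...  -> JSON request body on stdout
install_body() {
  [ "$#" -ge 2 ] || return 2
  apply=$1; shift
  case "$apply" in true|false) ;; *) return 2 ;; esac
  ids=
  for id in "$@"; do
    valid_id "$id" || return 2
    ids="${ids:+$ids,}\"$id\""
  done
  printf '{"extensionIds":[%s],"applyNow":%s}' "$ids" "$apply"
}

# install_url <deploymentId> -> endpoint URL on stdout
install_url() {
  valid_id "$1" || return 2
  printf '%s/deployments/%s/marketplace/extensions' "$API" "$1"
}

# The page documents 204 No Content as the success response.
is_success() { [ "$1" = "204" ]; }

# install_extensions <deploymentId> <applyNow> <extensionId>...
# Reads the bearer token from $TOKEN and passes it on stdin (-H @-) so it
# does not show up in the process list.
install_extensions() {
  url=$(install_url "$1") || { echo "invalid deployment ID" >&2; return 2; }
  shift
  body=$(install_body "$@") || { echo "invalid applyNow or extension ID" >&2; return 2; }
  code=$(printf 'Authorization: Bearer %s\n' "$TOKEN" |
    curl -s -o /dev/null -w '%{http_code}' -X POST -H @- \
      -H "Content-Type: application/json" -d "$body" "$url")
  is_success "$code" || { echo "install failed: HTTP $code" >&2; return 1; }
}
```

Calling `install_extensions <deploymentId> false ext-001 ext-002` installs both extensions without triggering a redeployment, which matches the batching use of the defer option.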

How to list installed extensions on a deployment?

  1. Obtain a Bearer token using a Service Account
  2. Obtain your Deployment ID
  3. Execute this command, replacing {deploymentId} with your Deployment ID:
shell
curl -s \
  -H "Authorization: Bearer $TOKEN" \
  "https://api.cloud-iam.com/deployments/{deploymentId}/marketplace/extensions"

Returns a paginated list of extensions installed on the deployment, including whether an update is available for each one.

How to update an extension on a deployment through Cloud-IAM API?

When a newer compatible release is available (updateAvailable: true), you can update the extension via the API.

  1. Obtain a Bearer token using a Service Account
  2. Obtain your Deployment ID
  3. Obtain your Extension ID
  4. Execute this command, replacing {deploymentId} with your Deployment ID and {extensionId} with your Extension ID:
shell
curl -s -X PUT \
  -H "Authorization: Bearer $TOKEN" \
  "https://api.cloud-iam.com/deployments/{deploymentId}/marketplace/extensions/{extensionId}?apply=true"

Query parameters:

  • apply — set to true to trigger a redeployment immediately (default: true)

TIP

Returns 204 No Content on success.

How to remove an extension from a deployment through Cloud-IAM API?

  1. Obtain a Bearer token using a Service Account
  2. Obtain your Deployment ID
  3. Obtain your Extension ID
  4. Execute this command, replacing {deploymentId} with your Deployment ID and {extensionId} with your Extension ID:
shell
curl -s -X DELETE \
  -H "Authorization: Bearer $TOKEN" \
  "https://api.cloud-iam.com/deployments/{deploymentId}/marketplace/extensions/{extensionId}?apply=true"

Query parameters:

  • apply — set to true to trigger a redeployment immediately (default: true)

TIP

Returns 204 No Content on success.

WARNING

Mandatory extensions cannot be removed from a deployment.
