- Graphwise Platform Documentation
- Graphwise GraphRAG
- GraphRAG
- GraphRAG Configuration Guide
- GraphRAG Configuration Guide - Keycloak Integration
GraphRAG Configuration Guide - Keycloak Integration
06/07/2026
GraphRAG version 1.2.0
Keycloak coordinates identity verification and issues token footprints to incoming client connections. To prevent authentication failures, configuration parameters must be perfectly aligned across the infrastructure layer, the n8n runtime node, and the n8n credential store.
To maintain enterprise security boundaries, do not expose client signatures, keys, or administrative credentials in unencrypted configuration lines. Declare them within a secure Kubernetes Secret and reference them inside your Helm values.yaml file under the Keycloak block:
keycloak: secrets: KEYCLOAK_CLIENT_ID: "graphrag-frontend" KEYCLOAK_CLIENT_SECRET: "xxxxxxxxxxxxxxxx" KEYCLOAK_ADMIN_USER: "admin" KEYCLOAK_ADMIN_PASSWORD: "xxxxxxxxxxxxxxxx"
Note
Ensure your actual values replace the above placeholders before deployment.
To enable the orchestrator to successfully verify incoming JSON Web Tokens (JWTs), sync your runtime parameters with your Keycloak deployment properties. Update the following fields inside your centralized n8n Configuration sub-workflow code node:
keycloakUrlProvide the validation endpoint path (e.g.,
https://identity.example.com/author your cluster-specific mapping).keycloakRealmSpecify your destination realm security partition name. Default: "chatbot-app".
Keycloak configuration, to verify the provided JWT token
keycloakUrl: "https://identity.example.com/auth",keycloakRealm: "chatbot-app",
After saving your runtime code block, you must explicitly link downstream authentication requests by creating an API/Auth record within the orchestrator UI:
Navigate to the Credentials Sidebar inside the n8n workspace dashboard.
Open or initialize the GraphRAG Keycloak/API credential record.
Map your properties exactly as follows to secure the transport loop:
Username Field
$\rightarrow$Insert your configuredKEYCLOAK_CLIENT_ID(e.g., "graphrag-frontend")Password Field
$\rightarrow$ Insert your secretKEYCLOAK_CLIENT_SECRETtoken string.
Warning
Token Verification Mismatch
The keycloakUrl must be bidirectionally resolvable. If the Conversations Service or n8n workflow cannot reach the issuer URL to pull the JWK set, token validation will immediately fail, resulting in 401 Unauthorized errors.
String Matching
The Client ID and Secret entered in the n8n Credentials Sidebar must be a perfect character match with the Kubernetes Secret strings parsed by the Helm chart. A mismatch will cause token introspection calls to instantly reject.