diff --git a/keycloak-elabore/README.rst b/keycloak-elabore/README.rst
new file mode 100644
index 0000000..7058548
--- /dev/null
+++ b/keycloak-elabore/README.rst
@@ -0,0 +1,32 @@
+Description
+===========
+
+Using ``keycloak`` version 17.0
+
+
+Usage
+=====
+
+To start with ``keycloak``, just put this service in your
+``compose.yml``::
+
+ keycloak:
+ options:
+ admin-password: CHANGEME
+ relations:
+ web-proxy:
+ frontend:
+ domain: id.mydomain.fr
+
+Customize theme
+===============
+
+You can customize theme by putting your theme in
+``/srv/datastore/data/keycloak/opt/keycloak/themes``
+
+For example copy the material folder from
+https://github.com/MAXIMUS-DeltaWare/material-keycloak-theme and
+restart ``keycloak``.
+
+Then go to your admin console, log in and go to the realm/themes part
+to choose you new theme
diff --git a/keycloak-elabore/build/Dockerfile b/keycloak-elabore/build/Dockerfile
new file mode 100644
index 0000000..3c77250
--- /dev/null
+++ b/keycloak-elabore/build/Dockerfile
@@ -0,0 +1,16 @@
+FROM keycloak/keycloak:24.0.4 as builder
+
+ENV KC_METRICS_ENABLED=true
+ENV KC_FEATURES=token-exchange
+ENV KC_DB=postgres
+
+WORKDIR /opt/keycloak
+# for demonstration purposes only, please make sure to use proper certificates in production instead
+RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
+RUN /opt/keycloak/bin/kc.sh build
+
+FROM keycloak/keycloak:24.0.4
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+WORKDIR /opt/keycloak
+ENV KC_LOG_LEVEL=INFO
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start", "--optimized"]
diff --git a/keycloak-elabore/build/Dockerfiledebug b/keycloak-elabore/build/Dockerfiledebug
new file mode 100644
index 0000000..0be049d
--- /dev/null
+++ b/keycloak-elabore/build/Dockerfiledebug
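Review bot: The `RUN keytool -genkeypair -storepass password …` step in the builder stage of build/Dockerfile creates the key pair at image build time, so every container started from this image carries the same private key, protected only by the literal store password `password`. `COPY --from=builder /opt/keycloak/ /opt/keycloak/` then carries `conf/server.keystore` into the final stage. The web_proxy-relation-joined hook in this commit sets `KC_HTTP_ENABLED` and `KC_PROXY: edge`, which suggests TLS is terminated at the proxy and the keystore is not needed; if so, drop the `keytool` line together with its "demonstration purposes" comment. If direct HTTPS has to remain possible, mount a per-deployment keystore at runtime rather than baking one into the image.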
@@ -0,0 +1,16 @@
+FROM docker.0k.io/keycloak:17.0.1 as builder
+
+ENV KC_METRICS_ENABLED=true
+ENV KC_FEATURES=token-exchange
+ENV KC_DB=postgres
+RUN /opt/keycloak/bin/kc.sh build
+
+FROM builder as inspector
+ENTRYPOINT ["ls", "-l", "/opt/keycloak/lib/"]
+
+
+#FROM docker.0k.io/keycloak:17.0.0
+#COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/
+#WORKDIR /opt/keycloak
+#ENV KC_LOG_LEVEL=INFO
+#ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"]
diff --git a/keycloak-elabore/hooks/init b/keycloak-elabore/hooks/init
new file mode 100755
index 0000000..57c1239
--- /dev/null
+++ b/keycloak-elabore/hooks/init
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+admin_password=$(options-get admin-password) || exit 1
+
+init-config-add "\
+ $MASTER_BASE_SERVICE_NAME:
+ environment:
+ KEYCLOAK_ADMIN: \"admin\"
+ KEYCLOAK_ADMIN_PASSWORD: \"$admin_password\"
+"
diff --git a/keycloak-elabore/hooks/postgres_database-relation-joined b/keycloak-elabore/hooks/postgres_database-relation-joined
new file mode 100755
index 0000000..1f5c177
--- /dev/null
+++ b/keycloak-elabore/hooks/postgres_database-relation-joined
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+PASSWORD="$(relation-get password)"
+USER="$(relation-get user)"
+DBNAME="$(relation-get dbname)"
+
+config-add "\
+services:
+ $MASTER_BASE_SERVICE_NAME:
+ environment:
+ KC_DB_URL: \"jdbc:postgresql://$MASTER_TARGET_SERVICE_NAME:5432/$DBNAME\"
+ KC_DB_USERNAME: \"$USER\"
+ KC_DB_PASSWORD: \"$PASSWORD\"
+ KC_DB: \"postgres\"
+"
diff --git a/keycloak-elabore/hooks/web_proxy-relation-joined b/keycloak-elabore/hooks/web_proxy-relation-joined
new file mode 100755
index 0000000..656909a
--- /dev/null
+++ b/keycloak-elabore/hooks/web_proxy-relation-joined
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+DOMAIN=$(relation-get domain) || exit 1
+
+set -e
+
+config-add "\
+services:
+ $MASTER_BASE_SERVICE_NAME:
+ environment:
+ KC_HOSTNAME: \"$DOMAIN\"
+ KC_PROXY: edge
+ KC_HTTP_ENABLED: \"true\"
+ KC_HOSTNAME_STRICT: \"false\"
+"
+
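Review bot: build/Dockerfiledebug is based on `docker.0k.io/keycloak:17.0.1`, while build/Dockerfile uses `keycloak/keycloak:24.0.4` and the commented-out final stage names `17.0.0`, so the `inspector` listing of `/opt/keycloak/lib/` does not describe the image that actually ships. Align the `FROM` line with the production Dockerfile and delete the commented stage. Failing that, add a header comment such as `# Debug only: lists the built lib/ directory; never deployed` so the file is not mistaken for a deployable build.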
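Review bot: In hooks/init, `KEYCLOAK_ADMIN_PASSWORD: \"$admin_password\"` places the option value inside a double-quoted YAML scalar without escaping, so a password containing `"` or `\` yields malformed or altered configuration. The same pattern is used for `$PASSWORD`, `$USER` and `$DBNAME` in postgres_database-relation-joined and for `$DOMAIN` in web_proxy-relation-joined. Escape backslashes and double quotes before interpolating, for example `admin_password=${admin_password//\\/\\\\}; admin_password=${admin_password//\"/\\\"}`. The hook also accepts an empty value and the README placeholder; a guard such as `[ -n "$admin_password" ] && [ "$admin_password" != "CHANGEME" ] || { echo "admin-password must be set" >&2; exit 1; }` would stop a deployment with a guessable admin account.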
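Review bot: In hooks/postgres_database-relation-joined, `USER="$(relation-get user)"` reassigns the standard `USER` environment variable for the rest of the hook, which any tool invoked afterwards may read. A dedicated name avoids that: `DB_USER="$(relation-get user)"` with `KC_DB_USERNAME: \"$DB_USER\"`. `KC_DB: \"postgres\"` also repeats a value that build/Dockerfile fixes with `ENV KC_DB=postgres` before `kc.sh build`; because the image starts with `--optimized`, a comment such as `# must match KC_DB baked in at build time` would record that the two have to stay in sync.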
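Review bot: In hooks/web_proxy-relation-joined, `KC_HOSTNAME_STRICT: \"false\"` has no obvious purpose when `KC_HOSTNAME` is set three lines above, and the hook only checks that `relation-get` succeeded, not that `$DOMAIN` is non-empty. With an empty domain the relaxed setting would, as far as I can tell, let Keycloak derive its hostname from request headers, so add `[ -n "$DOMAIN" ] || exit 1` and drop the line or set it to `\"true\"`. `KC_PROXY: edge` makes Keycloak trust forwarded headers, so a comment stating that port 8080 must only be reachable from the proxy would help. I believe the 24.x line used by build/Dockerfile marks the `proxy` option as deprecated in favour of `proxy-headers`; worth confirming before the next upgrade.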
diff --git a/keycloak-elabore/metadata.yml b/keycloak-elabore/metadata.yml
new file mode 100644
index 0000000..9f3ad3f
--- /dev/null
+++ b/keycloak-elabore/metadata.yml
@@ -0,0 +1,24 @@
+
+data-resources:
+ - /opt/keycloak/themes
+
+default-options:
+
+uses:
+ web-proxy:
+ #constraint: required | recommended | optional
+ #auto: pair | summon | none ## default: pair
+ constraint: recommended
+ auto: pair
+ solves:
+ proxy: "Public access"
+ default-options:
+ target: !var-expand ${MASTER_BASE_SERVICE_NAME}:8080
+ postgres-database:
+ #constraint: required | recommended | optional
+ #auto: pair | summon | none ## default: pair
+ constraint: required
+ auto: summon
+ solves:
+ database: "main storage"
+ default-options:
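Review bot: The `web-proxy` target `${MASTER_BASE_SERVICE_NAME}:8080` publishes the whole HTTP listener, and build/Dockerfile sets `KC_METRICS_ENABLED=true`. On the 24.x image I believe `/metrics` is served on that same listener, so it and the admin console would be reachable from the public domain unless the proxy filters paths. Either restrict the proxied paths or add a comment here such as `# NOTE: exposes /metrics and /admin publicly; filter at the proxy`. Separately, `web-proxy` is only `constraint: recommended` although the web_proxy hook is what sets `KC_HOSTNAME` and `KC_HTTP_ENABLED`; consider `required`, or document how the service is expected to start without that relation.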