OIDC The Hard way - Mirecloud Home lab Part 3

DEV Community·Stevens Emmanuel Ledoux·21 days ago

Eliminating password databases: OpenID Connect, front-channel vs. back-channel, role mapping, and the end of local authentication.

Overview

Parts 1 and 2 built the foundation: Vault manages all credentials, External Secrets Operator bridges them into Kubernetes, cert-manager automates TLS, and Keycloak runs as a production-grade identity provider with clustered session state.

Part 3 is where that infrastructure proves its value: integrating Grafana with Keycloak via OpenID Connect to eliminate Grafana's native login form entirely. By the end, there is no Grafana password database. No local admin account. Every login redirects to Keycloak, authenticates against the central identity layer, and maps realm roles to Grafana permissions automatically.

The deliverables:

- Understanding the OIDC Authorization Code Flow
- Configuring Keycloak as an Identity Provider (IdP)
- Configuring Grafana as a Relying Party (RP)
- Managing the client secret through Vault and ESO
- Front-channel vs.…
