diff --git a/data/common/common.yaml b/data/common/common.yaml
--- a/data/common/common.yaml
+++ b/data/common/common.yaml
@@ -1874,6 +1874,14 @@
 swh::deploy::deposit::db::dbname: softwareheritage-deposit
 swh::deploy::deposit::db::dbuser: swhstorage

+swh::config::keycloak::realm_name: SoftwareHeritage
+swh::deploy::deposit::config::keycloak:
+ server_url: "https://%{hiera('keycloak::vhost::name')}/auth/"
+ realm_name: "%{alias('swh::config::keycloak::realm_name')}"
+
+swh::deploy::deposit::config::authentication:
+ authentication_provider: basic
+
 # swh::deploy::deposit::db::password: in private data
 # swh::deploy::deposit::runtime_secret_key in private data
 swh::deploy::deposit::config:
diff --git a/data/deployments/staging/common.yaml b/data/deployments/staging/common.yaml
--- a/data/deployments/staging/common.yaml
+++ b/data/deployments/staging/common.yaml
@@ -314,3 +314,8 @@

 swh::deploy::vault::e2e::storage: "%{alias('swh::remote_service::storage0::url')}"
 swh::deploy::vault::e2e::webapp: "https://webapp.staging.swh.network"
+
+swh::config::keycloak::realm_name: SoftwareHeritageStaging
+swh::deploy::deposit::config::authentication:
+ authentication_provider: keycloak
+ keycloak: "%{alias('swh::deploy::deposit::config::keycloak')}"
diff --git a/site-modules/profile/manifests/swh/deploy/deposit.pp b/site-modules/profile/manifests/swh/deploy/deposit.pp
--- a/site-modules/profile/manifests/swh/deploy/deposit.pp
+++ b/site-modules/profile/manifests/swh/deploy/deposit.pp
@@ -23,7 +23,10 @@
 $cert_name = lookup('swh::deploy::deposit::vhost::letsencrypt_cert')
 $vhosts = lookup('letsencrypt::certificates')[$cert_name]['domains']

- $full_conf = $conf_hiera + {allowed_hosts => $vhosts}
+ # authentication provider + optional keycloak config
+ $conf_authent = lookup('swh::deploy::deposit::config::authentication')
+
+ $full_conf = $conf_hiera + $conf_authent + {allowed_hosts => $vhosts}

 if $swh_hostname['fqdn'] in $vhosts {
 $vhost_name = $swh_hostname['fqdn']
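Review bot: The new keys in data/common/common.yaml set the authentication default for every deployment that does not override them, but nothing in the block documents that. A deployment that switches `authentication_provider` to `keycloak` without also overriding `swh::config::keycloak::realm_name` inherits the `SoftwareHeritage` realm from this file, which looks like the production realm given the `SoftwareHeritageStaging` override in the staging file. I would add a comment above the block, for example `# default: basic auth; deployments that set authentication_provider to keycloak must also override swh::config::keycloak::realm_name`. The `server_url` value also depends on `keycloak::vhost::name`, which is not visible in this diff, so confirm that key resolves in every environment that reads this hash.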
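Review bot: Staging overrides the realm name but takes `server_url` through the alias to `swh::deploy::deposit::config::keycloak`, so the Keycloak host that staging deposits authenticate against depends on how `keycloak::vhost::name` resolves in the staging hierarchy, which this diff does not show. If staging is meant to differ from the default by realm only, a one-line comment above `swh::config::keycloak::realm_name` saying so would keep a later reader from treating the missing `server_url` override as an omission. If it is meant to use a separate Keycloak instance, the override for `keycloak::vhost::name` should be checked before this is deployed.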
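Review bot: Nothing in the added lines checks that the looked-up authentication hash is complete before it is merged into `$full_conf`: a deployment that sets `authentication_provider: keycloak` and omits the `keycloak` key still compiles, and the gap would presumably surface only when the deposit service reads its configuration. The lookup could assert the type, `$conf_authent = lookup('swh::deploy::deposit::config::authentication', Hash)`, followed by a guard such as `if $conf_authent['authentication_provider'] == 'keycloak' and !('keycloak' in $conf_authent) { fail('deposit: keycloak provider selected without keycloak settings') }`. Hash `+` is a shallow merge in which the right-hand operand wins, so any key in the authentication hash also replaces a same-named key in `$conf_hiera`; the comment above the lookup should state that precedence. The enclosing class starts and ends outside the hunk, so how `$full_conf` is written out is not visible here.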