We want adapters, PicketLink already has quite a few, can we utilise that?
Can we provide a single Keycloak PicketLink adapter for everything Java, and then get the correct level of integration and features for:
* WildFly/EAP (Elytron)
* JavaEE (WildFly/EAP, Tomcat, Jetty)
* Anything else?
Obviously the main benefit is that we don't have to write our own, but would potentially also allow users to switch to another IdP without recoding.
The problem I am looking at is sending "Push NotBefore" from Keycloak to adapters in a cluster. Basically the info about push notBefore should be propagated to all cluster nodes where the application is deployed.
ATM I am seeing 2 possibilities:
a) More managementUrls per ApplicationModel. People would need to configure all nodes where the adapter is deployed. Then Keycloak (ResourceAdminManager) will be able to send "global" events like pushNotBefore or "logoutAll" to all those nodes. "Normal" logouts will be sent just to a single node like now.
b) Ensure that notBefore can be replicated on the adapters' side. I don't like this tbh. It requires adapters to be in a replicated cluster, which may not be an option for many deployments, who want to rely just on
Neither of those is super-ideal, but I don't have a better idea to ensure cluster-safe propagation of NotBefore and global logout to all cluster
I have (b) already prototyped and working, but wanted to have an ack from you before going further, cleaning up, starting to change the admin console etc.
Hi Keycloak Dev Team,
We are planning to install multiple Keycloak instances behind a load balancer, therefore we wanted to check whether Keycloak supports HA. If yes, then please let us know since which version HA support is available.
We are currently using 1.0-beta-3 with some customization.
Sorry to restore the discussion about admin console timeouts, but the situation is still not ideal though...
- I have ssoSessionIdleTimeout 5 minutes
- Now I login to the admin console and I want to create a new federation provider
- I am disturbed for 5 minutes
- Now I want to go back to the admin console and finish creating my federation provider. After filling in all the values, I click the "Add" button. But the session is idle, so I am signed out and all values I filled in the admin console are lost.
I wonder if we can still improve things a bit to avoid this? Maybe restore the idleTimeout plugin, but instead of having a hardcoded timeout value, it would periodically ask Keycloak (say at 1-minute intervals) to send the remaining timeout value? Also it would need to display the topbar warning with "you will be logged out in N seconds" in case there are 2 minutes remaining, so it's visible in the KC admin console for at least 1 minute.
It's still not super-ideal and won't handle all scenarios though (for example if the user goes away from the browser for these 5 minutes and comes back, he will just be signed out). So I am not sure if it's worth the effort to add that?
Note that this may not be an issue just for the KC admin console, but for other JS apps secured by Keycloak too (See liveoak admin console
Can you explain this liquipoop stuff and how it affects things? I am unable to build locally. I've added a column to RealmEntity and now I'm getting a column not found exception on startup in the testsuite.
I've added database migration support. In summary:
* JPA migration is done with Liquibase
* Mongo migration is done in a similar way, but no 3rd party lib (Mongo is easier as it's schema-less and single vendor)
* connectionsJpa and connectionsMongo will automatically update the database (if databaseSchema = update)
For more details look at https://github.com/keycloak/keycloak/blob/master/misc/UpdatingDatabaseSch...
If there are any issues let me know!
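The "column not found" error above is the usual symptom of adding a field to a JPA entity without a matching Liquibase changeSet, since the schema is now managed by the changelog rather than by Hibernate. The following changelog fragment is a constructed example, not Keycloak's own changelog: the table name REALM, the column EXAMPLE_FLAG and the changeSet id/author are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<databaseChangeLog
    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
        http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">

    <!-- Constructed example: one changeSet that adds a column to the realm table.
         Table and column names are assumptions, not Keycloak's real schema. -->
    <changeSet id="example-add-realm-flag" author="example">
        <!-- Make the changeSet idempotent: if the column is already there
             (e.g. a hand-patched dev database), mark it as run instead of failing. -->
        <preConditions onFail="MARK_RAN">
            <not>
                <columnExists tableName="REALM" columnName="EXAMPLE_FLAG"/>
            </not>
        </preConditions>
        <addColumn tableName="REALM">
            <!-- NOT NULL with a default so existing rows stay valid after the update. -->
            <column name="EXAMPLE_FLAG" type="BOOLEAN" defaultValueBoolean="false">
                <constraints nullable="false"/>
            </column>
        </addColumn>
    </changeSet>
</databaseChangeLog>
```

The new changeSet still has to be reachable from the master changelog that connectionsJpa runs, and the `@Column` name on the entity must match the column name here; with databaseSchema = update Liquibase applies any changeSet whose id/author pair is not yet recorded in its DATABASECHANGELOG table.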
We should consider adding an Authentication SPI. This would be something similar to what we used to have, but should be more flexible (for example allow redirect to other IdPs).
This could be used for:
* Kerberos bridge
* Authenticate with external IdP (SAML or OpenID Connect)
* Add custom authentication providers
* Additional authentication mechanisms (fingerprint, hardware keys, etc.)
The same SPI could also be used for custom multi-factor authenticators, as well as for authenticating non-human users (cert, jwt, etc.).
A realm should be able to have more than one authentication mechanism. For example by default users authenticate with username/password (through the user store), but all users with a specific email domain authenticate with an external IdP. At the same time a user could have one or more main authenticators (password, hardware devices, etc.) and one or more secondary authenticators (totp, hardware token, etc.).
Certainly needs a lot more thinking/design, but if it's something we're interested in I'd like to look at it.
I'm not a big fan of the recent change from Google Authenticator to FreeOTP.
* Google Authenticator is far more widely used than FreeOTP
* We have existing users that use Google Authenticator (we know it works for both, but they and their users don't)
To support FreeOTP we need to add support for multiple OTP providers so developers/users themselves can choose between the providers, not us.