I am evaluating the Keycloak server for my project, and securing REST APIs and web applications was very easy.
Now I have a task to secure some SOAP endpoints.
Is it possible to do it with Keycloak? If so, what's the best practice?
Principal Software Engineer
It's very easy to produce an out-of-memory error. Just make thousands of requests to the login page with a huge state parameter.
Keycloak allocates a new ClientSessionEntity for each request and stores it with the given state parameter in a ConcurrentHashMap (if the MemUserSessionProvider is used).
Do you think it is necessary to create a new ClientSessionEntity before the user is authenticated?
Wouldn't it be possible to pass all the necessary information via URL parameters? Create a LoginToken similar to the IDToken, encrypt it with the realm private key, and add it to the URL as a parameter.
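To make the amplification concrete, here is an added example (not Keycloak code, and not from the message above): a per-request in-memory store of the kind described, hit by a constructed flood of logins with a 64 KiB state, next to a stateless alternative that carries the login context in the URL parameter and keeps nothing server-side. The HMAC key, the size cap and all class names are assumptions for illustration; the stateless token is integrity-protected rather than encrypted, which is enough to show the memory point.

```python
import base64
import hashlib
import hmac
import json
import os
import time

MAX_STATE_BYTES = 1024  # assumed cap; the OIDC spec does not set one


class InMemoryLoginStore:
    """One entry per unauthenticated request, keyed by a fresh id and holding
    whatever state the client sent. Attacker controls entry count and size."""

    def __init__(self):
        self.sessions = {}

    def start_login(self, client_id, state):
        session_id = os.urandom(16).hex()
        self.sessions[session_id] = {"client": client_id, "state": state}
        return session_id

    def bytes_held(self):
        return sum(len(s["state"]) for s in self.sessions.values())


class StatelessLoginToken:
    """Login context travels in the URL as body.tag; the server keeps no
    per-request object. Tag = HMAC-SHA256 over the canonical JSON body."""

    def __init__(self, key, ttl_seconds=300):
        self.key = key
        self.ttl = ttl_seconds

    @staticmethod
    def _b64(raw):
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    @staticmethod
    def _unb64(text):
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

    def issue(self, client_id, redirect_uri, state, now=None):
        if len(state.encode()) > MAX_STATE_BYTES:
            raise ValueError("state parameter too large")  # reject before any work
        now = int(time.time()) if now is None else now
        payload = {"client": client_id, "redirect_uri": redirect_uri,
                   "state": state, "exp": now + self.ttl}
        body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return self._b64(body) + "." + self._b64(tag)

    def verify(self, token, now=None):
        """Return the payload, or None if malformed, tampered or expired."""
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = self._unb64(body_b64), self._unb64(tag_b64)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        payload = json.loads(body)
        now = int(time.time()) if now is None else now
        return None if payload["exp"] < now else payload


def demo():
    """Constructed flood: 1000 login starts, each carrying a 64 KiB state."""
    store = InMemoryLoginStore()
    huge_state = "A" * 65536
    for _ in range(1000):
        store.start_login("web-app", huge_state)
    stateful_bytes = store.bytes_held()

    tokens = StatelessLoginToken(key=b"realm-hmac-key-for-demo")
    try:
        tokens.issue("web-app", "https://app.example/cb", huge_state)
        capped = False
    except ValueError:
        capped = True
    tok = tokens.issue("web-app", "https://app.example/cb", "xyz123", now=1000)
    return stateful_bytes, capped, tok, tokens


if __name__ == "__main__":
    held, capped, tok, t = demo()
    print(f"stateful store retains {held} bytes of attacker-chosen state")
    print(f"oversized state rejected by stateless design: {capped}")
    print(f"stateless token verifies: {t.verify(tok, now=1010) is not None}")
```

The stateful store's footprint is simply count times state size, with nothing bounding either; the stateless design bounds the state up front and retains nothing between the redirect and the callback, so the same flood costs only CPU for one HMAC per request.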
To support a first/initial cut of certificate management for realm users,
we could generate keys and an X509 certificate for each individual user
at the time of its creation. This would apply to the realm admin too.
While viewing an individual user for any specific realm in the administrative
console, we could have a Keys view in addition to Attributes, Credentials, Role
Mappings and Sessions. The Keys view (UI) will let the user retrieve, validate,
revoke, renew (revoke + generate) and delete (optional) their keys/certificates.
If it makes sense, I shall start working on it.
Department of Computer Science
National Institute of Technology Hamirpur
Himachal Pradesh, India
Wrote this a while ago. I'm starting on this now. Discuss now, or
forever hold your peace :)
Current UserModel.attributes will be used for internal bookkeeping only.
Going to add a new "UserProfileType", "UserProfileValue" (name TBD)
type that contains:
* .css type
* type (bool, int, date, etc.)
* boolean displayOnRegistrationPage
Question: do I need a .css id to plug in a value too? How would we
display the German label name for "phone"?
* String value
OIDC clients will have a "Claim mapping" tab. SAML clients will have an
"Assertion Mapping" tab. These tabs will be able to map from
UserProfileValues to the appropriate claim/assertion and also be able to
set up whether or not a claim should be added to the token/assertion list.
ClientModel.claimMask will go away. ClientModel will gain a list of:
* String claimNameMapping
Might want to eventually add a "ClaimTransformerProvider" plugin
ability that can be attached to ClaimMappingModel... We might also want a
"TokenTransformerProvider" plugin too that can intercept token/SAML doc
creation. We'll see...
JBoss, a division of Red Hat
I was wondering if it was possible to share Applications from the Master
realm. If we wanted to support multiple realms but those realms always
using a subset of the Applications defined in Master, we didn't want to
have to redefine them. We would just like to allow a Child Realm to be
able to be given access to an Application in Master, at a particular role
level. Please let me know if you have any questions.
I would like to use a Node.js application with Keycloak for dealing with
AngularJS as an auth provider.
How do I do this? Does it mean I need to deploy the Node.js application to
If so, is there any documentation for this process?
I need some advice here. I'm trying to figure out how to model a
ClaimType for our persistent store. I'm thinking that the @Id of the
ClaimType will be the name of the claim itself (phone, street, etc.).
The name will be immutable once created.
Why do it this way?
* Simpler to store. UserModel can just have a Map<String, String> of
* More importantly, human-readable files (JSON imports, and our
file-based store) will be able to reference the claim type by name rather
than by id. Users crafting an import file will not have to specify an ID
anywhere or generate one. This claim type is going to be referenced in
a few places:
- protocol claim mapping
- user claim value store
Does that sound ok?
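As an added example serving both the UserProfileType/claim-mapping proposal and the ClaimType-keyed-by-name question above (illustrative code, not Keycloak's own model or identifiers): a claim-type registry whose key is the immutable claim name, a per-user store of raw string values keyed by that same name, and a per-client mapping list that decides which values reach the token and under which protocol claim name. ClaimType, ClaimTypeRegistry, ClaimMapping, User and build_token_claims are assumed names; the typed coercion step is the part an import file or a mapping tab cannot skip.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class ClaimType:
    name: str                       # the id; immutable, referenced by name everywhere
    value_type: str                 # "string" | "bool" | "int" | "date"
    display_on_registration: bool = False
    css_class: str = ""


class ClaimTypeRegistry:
    """Name-keyed store standing in for the persistent ClaimType table."""

    def __init__(self):
        self._types: Dict[str, ClaimType] = {}

    def register(self, claim_type: ClaimType):
        if claim_type.name in self._types:
            raise ValueError(f"claim type {claim_type.name!r} already exists")
        self._types[claim_type.name] = claim_type

    def get(self, name: str) -> ClaimType:
        return self._types[name]          # KeyError for an unknown name

    def coerce(self, name: str, raw: str):
        """Validate a stored string against the declared type, so an import
        file cannot smuggle 'yes' into a bool claim or text into an int."""
        t = self.get(name).value_type
        if t == "string":
            return raw
        if t == "bool":
            if raw not in ("true", "false"):
                raise ValueError(f"{name}: bad bool {raw!r}")
            return raw == "true"
        if t == "int":
            return int(raw)
        if t == "date":
            return date.fromisoformat(raw)
        raise ValueError(f"{name}: unknown value type {t!r}")


@dataclass
class ClaimMapping:
    """One row of a client's claim-mapping tab."""
    claim_type_name: str            # references ClaimType by name, not by id
    protocol_claim: str             # e.g. the OIDC claim "phone_number"
    include_in_token: bool = True


@dataclass
class User:
    username: str
    claims: Dict[str, str] = field(default_factory=dict)   # name -> raw string


def build_token_claims(registry: ClaimTypeRegistry, user: User,
                       mappings: List[ClaimMapping]) -> dict:
    """Apply one client's mappings to one user's values; only mapped,
    included and present claims make it into the token."""
    out = {}
    for m in mappings:
        if not m.include_in_token:
            continue
        registry.get(m.claim_type_name)   # unknown claim type fails loudly
        raw = user.claims.get(m.claim_type_name)
        if raw is None:
            continue
        value = registry.coerce(m.claim_type_name, raw)
        out[m.protocol_claim] = value.isoformat() if isinstance(value, date) else value
    return out


def demo():
    """Constructed registry, user and client mapping."""
    reg = ClaimTypeRegistry()
    reg.register(ClaimType("phone", "string", display_on_registration=True))
    reg.register(ClaimType("street", "string"))
    reg.register(ClaimType("email_verified", "bool"))
    reg.register(ClaimType("birthdate", "date"))
    alice = User("alice", {"phone": "+1555", "street": "Main St",
                           "email_verified": "true", "birthdate": "1990-05-01"})
    web_client = [
        ClaimMapping("phone", "phone_number"),
        ClaimMapping("email_verified", "email_verified"),
        ClaimMapping("birthdate", "birthdate"),
        ClaimMapping("street", "address", include_in_token=False),
    ]
    return reg, alice, build_token_claims(reg, alice, web_client)


if __name__ == "__main__":
    _, _, claims = demo()
    print(claims)
```

Because the registry, the user store and the mapping all reference the claim by its name, an import file only needs the literal "phone"; the price is that the name has to be immutable, which the frozen dataclass and the duplicate check enforce.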
This is very important:
All Representation (JSON) classes must have Object, nullable attribute
types. The reason is REST updates. The pattern we use is that if
the value is null, we don't update; if the value isn't null, we update.
So, boolean must be set as Boolean objects.
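An added example (illustrative code, not Keycloak's representation classes) of the rule in the message above: a representation whose attributes are all nullable, an update routine that copies only non-null attributes, and beside it the primitive-default variant that silently disables a user on a partial update. UserRepresentation, StoredUser and the two apply_update functions are assumed names.

```python
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserRepresentation:
    """Every attribute is nullable: absent in the JSON means 'leave it alone'."""
    username: Optional[str] = None
    email: Optional[str] = None
    enabled: Optional[bool] = None
    email_verified: Optional[bool] = None

    @classmethod
    def from_json(cls, text: str) -> "UserRepresentation":
        data = json.loads(text)
        unknown = set(data) - set(cls.__dataclass_fields__)
        if unknown:
            raise ValueError(f"unknown fields: {sorted(unknown)}")
        return cls(**data)


@dataclass
class StoredUser:
    """The persisted entity; every field has a real value."""
    username: str
    email: str
    enabled: bool
    email_verified: bool


def apply_update(stored: StoredUser, rep: UserRepresentation) -> StoredUser:
    """The pattern from the message: null -> no change, non-null -> update.
    Note that False is not None, so an explicit false still applies."""
    for name, value in vars(rep).items():
        if value is not None:
            setattr(stored, name, value)
    return stored


def apply_update_primitive_style(stored: StoredUser, text: str) -> StoredUser:
    """What a primitive-boolean representation does: a missing key decodes to
    the type default (false), so a partial update flips enabled off."""
    data = json.loads(text)
    stored.enabled = bool(data.get("enabled", False))
    stored.email_verified = bool(data.get("email_verified", False))
    if "email" in data:
        stored.email = data["email"]
    return stored


def demo():
    """Constructed partial update that only changes the e-mail address."""
    partial = '{"email": "alice@new.example"}'
    nullable = apply_update(StoredUser("alice", "alice@old.example", True, True),
                            UserRepresentation.from_json(partial))
    primitive = apply_update_primitive_style(
        StoredUser("alice", "alice@old.example", True, True), partial)
    return nullable, primitive


if __name__ == "__main__":
    ok, broken = demo()
    print("nullable pattern :", ok)
    print("primitive pattern:", broken)
```

The second variant is the failure mode the rule prevents: a client that PUTs only the field it wants to change ends up disabling the account and un-verifying the e-mail address, and nothing in the request said so.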
Regarding multi-tenancy in Keycloak, where each tenant maps to a realm, I
wanted to ask for help clarifying some key concepts in Keycloak to aid
in implementing a simple REST-based identity management POC.
Imagine there is a requirement for a multi-tenant environment where user
registration (= creation), user login, user logout and knowing whether a
user is still logged in or not must be done over some wrapper REST service
which exposes the mentioned functionality to the outside world.
With Keycloak being deployed in a private network, I have written a
wrapper REST service which creates users for a desired tenant (= realm),
and this wrapper service itself calls Keycloak's "Direct Grant API" from
an OAuth client with super-user credentials, both defined in the
"master" realm and having sufficient privileges over all realms (as described by
the documentation in "Chapter 17. Admin REST API").
Now I want to be able to wrap the logging-in and logging-out process of a
user into a tenant in the same way as user creation, but I don't know how
to handle this scenario exactly.
There are some different questions in my head regarding the situation
explained above which I wanted to ask:
- To be able to log a user in/out through a wrapper REST service, which
has been passed the user credentials and wants to use Keycloak REST APIs,
should I create an OAuth client per realm and log the user in/out
using the related OAuth client in each realm?
- Which REST API provides information on whether a specific user is
already logged in or not on a specific realm?
- How does the "Application" concept in Keycloak differ from "OAuth Client", and
does it make sense to log a user into an application (over the REST API)? If yes,
how is this different from logging a user into a realm with an OAuth client?
I really appreciate your help.