I was looking for a way to query users based on their exact username but it
turned out, that
String, String, Integer, Integer)
List<UserRepresentation> search(@QueryParam("username") String username,
@QueryParam("email") String email,
usersResource.search("exactusername",null,null, null, null, email, 0, 10)
generates a like %..% query in
Since usernames are unique per realm I think it would make sense to be able
to perform a
query for the exact username (or perhaps the combination of other
attributes as well).
Was this omitted by design, or may I create a JIRA for this?
I need Social login provider for Microsoft Live account. I can implement
it as I did few other social login providers already.
Problem is that I need it in Keycloak 1.8. Any chance to add it to 1.8
if I will be quick enough (PR today or tomorrow)? It is OAuth2 based
provider so impl should be easy.
If not in KC 1.8 release, is it possible to add social provider as
customization to my KC instance only? It is common provider factory so
it should be possible I hope, but it also requires some template in
admin theme, so I'm not sure (probably I have to create my customized
admin theme in this case).
I definitely prefer to have it in upstream if possible.
Principal Software Engineer
Developer Portal Engineering Team
Those are a fork of my examples. Before product, I think the Spring Boot
adapter needs an update to be based on the Spring adapter. I can do this if
if you give me an ETA on how long before code is frozen.
---------- Forwarded message ---------
From: Jeremy Simon <jeremy(a)jeremysimon.com>
Date: Mon, Jan 18, 2016 at 12:11 PM
Subject: Re: [keycloak-user] Spring Boot REST Service Example(s)
Thanks! These make a lot more sense. Looks Springy. ;) Based on how
these examples are configured, why would the Keycloak documentation
even mention in section 8.9.2 "You also need to specify the J2EE
security config that would normally go in the web.xml"? Just trying
to get an understanding.
On Thu, Jan 14, 2016 at 6:56 PM, Bill Burke <bburke(a)redhat.com> wrote:
> Andrzej already replied to this earlier:
> take a look at these examples:
> On 1/14/2016 6:44 PM, Jeremy Simon wrote:
>> Would anyone be willing to point me to some good working examples that
>> are REST services built with Spring Boot but can leverage Keycloak for
>> authentication? I had no trouble integrating a webapp with the SAML
>> protocol, but this OpenID Connect (/Oauth2?) area of things is really
>> All I'm trying to do is security the REST endpoints I made and then
>> when I actually hit a controller, also be able to pull some role or
>> attribute information off the Authentication token.
>> I tried to cobble together something using the reference guide and the
>> adaptors sections, but to no avail. In particular I followed the 8.9
>> Spring Boot Adaptor but I get 302s and a this in the response if i try
>> a rest client...
>> 302 Found
>> Content-Length:0 Bytes
>> 2016 Jan 14 18:41:13
>> At any rate, I tried some extra spring security and other mentions
>> down further in the guide, but I'm definitely digging myself into a
>> little hole! Any help would be greatly appreciated!
>> Possibly uneducated guess with this subject, can Spring Security OAuth
>> be used with this? Probably can't with the OpenID JWT responses?
>> keycloak-user mailing list
> Bill Burke
> JBoss, a division of Red Hat
> keycloak-user mailing list
keycloak-user mailing list
I've completed a first stab at this using the JBoss logging tools. Once
merged we will have the ability to do i18n/l10n on our log messages and
also use message numbers.
Here is the commit to show you how it turns out converting the log
messages in KeycloakApplication:
So, now a message coming from the KeycloakApplication class in the
services module looks like this:
15:29:31,515 INFO [*org.keycloak.services*] (ServerService Thread Pool
-- 50)*KC-SERVICES0001*: Loading config from
We need to decide how we want to structure this. In WildFly, we
typically have one logger per maven module. If you want to have one
logger per package then you would need to create a new interface in each
package, which gets hairy.
I do suggest that we prefix all of our messages with "KC-" or something
else that is unique across products. Also, we should standardize the
"padding" for the message numbers.
Another possibility is to have all keycloak messages start with
"KEYCLOAK". This would mean that we would need for each module to
reserve a number range. There are annotations to enforce this if we
want to go that route. The downside is that somewhere we need to
maintain a registry. I think WildFly did this but eventually abandoned
it. Notice that WildFly messages are like "WFLYUT" for Undertow or
"WFLYJSF" for JSF.
BTW, localization works nicely. Just add a bundle for a new language.
The tool even creates a skeleton properties file for you.
If you want more details on the i18n framework, see
I'm trying to test Openstack ECP with Keycloak. When Openstack posts the
SAML AuthnRequest wrapped in SOAP to the
/auth/realms/master/protocol/saml endpoint keycloak responds with an
HTTP 415 unsupported media type error. The HTTP Content-Type in the post
is text/xml. What are you expecting?
This is with the 1.8.0.CR1 version of keycloak.
work with SSO if direct grant created and returned an SSO cookie and
also checked to see if an SSO cookie was set. This way all the people
wanting to completely bypass our login screens can do that. Why they
would want to, I don't know. We maybe should extend the direct grant
protocol to tell the client when required actions must be filled out
before authentication, stuff like that.
JBoss, a division of Red Hat
Do we need to think about how patching will work in EAP? If we move to
a more coarse grain module system, then the modules we patch might be
quite large. We fine with that?
JBoss, a division of Red Hat
We use Keycloak’s user federation to integrate with a (Windows 2012) Active Directory (AD) server. We want to store all users and groups in AD and also want to manage the password policies from AD so we do not have any password policies in Keycloak set up. We also want to use Keycloak for all user management functionality. We have set up the password policies in AD at the domain level where we connect to from Keycloak.
Our password policies in AD are as follows:
- password complexity (min length + special chars)
- account lock out after 3 attempts
- password history (not allowed to use previous 5 passwords)
Users and admins can set and change passwords in AD from Keycloak fine. However the password policies do not quite do what we want them to:
- Password complexity policy seems to work fine.
- Account is indeed locked in AD after three failed attempts. However the ‘Unlock users’ functionality in Keycloak does not unlock the users in AD. Users can only be unlocked in AD itself it seems. We would like to be able to do this from Keycloak however (and really per user and not for all users in one go). Should this work in Keycloak or is this a new feature request?
- The password history policy does not seem to work at all. Users can currently set their password to a previous password without a problem. Does anyone have an idea why this policy in AD does not work from Keycloak?
PR sent, probably will be commited once you read this:
This is a first pass at the module re-org. Wanted to get most of it
done on Friday, but I screwed up and lost 3 hours of work cuz I forgot
to merge Stian's big jackson change and the conflicts were too much :)
I hope to do more next week.
* top level server-spi module was created
* These modules were removed and rolled into server-spi
* These modules were moved into keycloak-services
- exportimport single file and dir
- some utility classes from exportimport api
* These SPIs were moved to server-spi
* BruteForceDetector is now a Provider and is looked up via
KeycloakSession. Previously we were stuffing it with
AuthenticationManager and passing that around everywhere. This cleaned
up a bit of code.
JBoss, a division of Red Hat