Customizing error pages (for example client logo)
by rony joy
Hi All,
We are trying to customize the error pages based on the realm id. We are
able to do the basic modification by extending the error pages in our
custom theme. But in our error pages we want to have more realm-specific
customization (for example a customer logo) by fetching the logo from external
services based on the realm id.
Currently we don't see a way by looking at the code. Any help is
appreciated.
Thanks
Rony Joy
7 years, 2 months
Default identity provider for brokering
by Sven Thoms
Is there a REST endpoint for setting the default, already set identity
provider at
Authentication - Authentication Flows - Browser - Identity Provider
Redirector - Default Identity Provider?
7 years, 2 months
Info endpoint to simplify debugging proxy config
by Stian Thorgersen
I've been looking at some issues with reverse proxy when Keycloak is
installed on EAP 7.0.3+ [1]. While doing so I found out that it's fairly
inconvenient and not straightforward to debug if the proxy configuration is
correct.
To verify URLs you have to, for example, open the well-known endpoint for
OIDC. Then you have to verify the remote IP address by doing a failed login
attempt and looking at the server log.
To make this simpler I propose adding the start of a server info endpoint.
It will be a SPI that allows plugging in server info providers that can
show different details if authenticated or not.
You can either view info for all providers at a time with
"/realms/master/.info" or for a specific provider
"/realms/master/.info/proxy".
The proxy info provider will display:

    {
      "authServerUrl" : "http://host1/auth",
      "remoteAddress" : "127.0.0.1",
      "proxyDetected" : true,
      "headers" : {
        "Host" : "host1",
        "X-Forwarded-For" : "1.2.3.4",
        "X-Forwarded-Host" : "host2",
        "X-Forwarded-Proto" : "https"
      }
    }
Implementation is ready [2]; I just need to get feedback and add tests.
In the future we can expand on this to for instance provide a health
monitoring endpoint that allows checking the server health (JPA
connections, Infinispan connections, IdP connections, user fed connections,
etc.).
[1] https://issues.jboss.org/browse/KEYCLOAK-4149
[2]
https://github.com/stianst/keycloak/commit/99abbc47c49585d1e62c74f3ea227e...
7 years, 2 months
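The proposal's point is that proxy misconfiguration is hard to see because the server's own view (authServerUrl, remoteAddress) and the proxy's forwarded headers are never shown side by side. The following is an added example, not code from the proposal or from Keycloak: it takes a proxy info document of the shape shown above and reports where the two views disagree. It assumes that with proxy address forwarding enabled the server derives its URL from X-Forwarded-Proto/X-Forwarded-Host and reports the leftmost X-Forwarded-For entry as the remote address; the second sample document (a consistent deployment) is constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the proxy info document from the proposal above,
# as a client behind a TLS-terminating proxy might see it.
SAMPLE_INFO = json.loads("""
{
  "authServerUrl" : "http://host1/auth",
  "remoteAddress" : "127.0.0.1",
  "proxyDetected" : true,
  "headers" : {
    "Host" : "host1",
    "X-Forwarded-For" : "1.2.3.4",
    "X-Forwarded-Host" : "host2",
    "X-Forwarded-Proto" : "https"
  }
}
""")

# Constructed sample of a consistent setup: the server built its URL from the
# forwarded headers and reports the real client address (hostnames/IPs invented).
SAMPLE_OK = {
    "authServerUrl": "https://sso.example.test/auth",
    "remoteAddress": "203.0.113.7",
    "proxyDetected": True,
    "headers": {
        "Host": "sso.example.test",
        "X-Forwarded-For": "203.0.113.7, 10.0.0.2",
        "X-Forwarded-Host": "sso.example.test",
        "X-Forwarded-Proto": "https",
    },
}

FORWARDED = ("x-forwarded-for", "x-forwarded-host", "x-forwarded-proto")


def check_proxy_info(info, expect_proxy=True):
    """Compare what the server believes about itself with the proxy headers.

    Returns a list of human-readable findings; an empty list means the
    forwarded headers and the server's own view agree.
    """
    findings = []
    headers = {k.lower(): v for k, v in info.get("headers", {}).items()}
    url = urlsplit(info.get("authServerUrl", ""))
    has_forwarded = any(h in headers for h in FORWARDED)

    if expect_proxy and not has_forwarded:
        findings.append("no X-Forwarded-* headers reached the server; "
                        "the proxy is not forwarding client details")
    if has_forwarded and not info.get("proxyDetected"):
        findings.append("X-Forwarded-* headers present but proxyDetected is false; "
                        "proxy address forwarding is not enabled on the server")

    proto = headers.get("x-forwarded-proto")
    if proto and url.scheme != proto.lower():
        findings.append(f"authServerUrl uses '{url.scheme}' but "
                        f"X-Forwarded-Proto says '{proto}'")

    host = headers.get("x-forwarded-host")
    if host and url.hostname != host.split(":")[0].lower():
        findings.append(f"authServerUrl host '{url.hostname}' differs from "
                        f"X-Forwarded-Host '{host}'")

    # The leftmost X-Forwarded-For entry is the client as seen by the first
    # proxy; it is only trustworthy when that proxy overwrites the header.
    xff = headers.get("x-forwarded-for")
    if xff:
        client_ip = xff.split(",")[0].strip()
        if info.get("remoteAddress") != client_ip:
            findings.append(f"remoteAddress '{info.get('remoteAddress')}' is not the "
                            f"client address '{client_ip}' from X-Forwarded-For")
    return findings


if __name__ == "__main__":
    for name, doc in (("sample from proposal", SAMPLE_INFO),
                      ("consistent setup", SAMPLE_OK)):
        problems = check_proxy_info(doc)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against the document from the proposal, the check reports three disagreements (scheme, host and remote address), which is exactly the kind of mismatch that otherwise only shows up as a wrong redirect URL or a wrong IP in the server log. The X-Forwarded-For comparison is deliberately limited to the leftmost entry and only means something when the proxy in front of the server is the one setting that header.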
Allow bearer-only clients to have service accounts
by Stian Thorgersen
Currently a bearer-only client can't have a service account, and that seems
like a mistake. Further, this prevents bearer-only clients from using the
authorization services.
Are there any good reasons why bearer-only clients can't have service
accounts and be able to obtain tokens using the client credentials grant?
The only thing a bearer-only client should be prevented from doing, IMO, is
authenticating users (authorization code flow and resource owner credentials
grant).
7 years, 2 months
Roles in Client Template
by Thomas Raehalme
Hi!
I was under the (false) impression that Client Templates would also contain
role definitions for clients that use the template. Unfortunately I was
wrong.
My use case is an application where there are multiple instances each
belonging to a different tenant. They each have the same set of roles, but
their own set of users (or groups) to which the roles are assigned.
I would like to be able to maintain the common client settings in the
template and focus on tenant-specific settings such as URLs on each client
(which are also more static).
What do you think, would it make sense to add the possibility to also define
roles in the Client Template?
Best regards,
Thomas
7 years, 2 months
Getting client secret in rest
by Dekel Aslan
Hello,
I'm using the Keycloak class and invoking this line:
String secret = keyCloakClient.realm(realmName).clients().findAll().get(0).getSecret();
(get(0) gets the client I need)
but it's always null. For getClientAuthenticatorType() it returns "client-secret" as it should, and the UI has the secret in its credentials tab.
Please advise on how to get the client secret via the object.
Thanks,
Dekel.
7 years, 2 months
E-Mail handling in Keycloak
by Thomas Darimont
Hello group,
currently Keycloak allows configuring the "from" address per realm, which
all emails sent from that particular realm use.
Often a generic address like no-reply@mycorp.com or a realm-specific
address like no-reply-myrealm@mycorp.com is used as the "from" address.
It would be nice to have more options here, like:
1) Use the realm name or a custom string as the display name for the "from"
   address:
   Display Name <actual-address@mycorp.com>
   e.g.: "MyCorp SSO" <no-reply@mycorp.com>
         "MyCorp Helpdesk" <helpdesk@mycorp.com>
2) Allow specifying a bounce address (MAIL FROM) with some placeholders
   (user-id, realm-id),
   e.g.: sso-bounces+${realm-id}_${user-id}@mycorp.com
This is especially useful when integrating with legacy user stores with
unreliable e-mail addresses.
Shall I create JIRA issues for that?
Cheers,
Thomas
7 years, 2 months
Keycloak - SQL Server partnership
by abhishek raghav
Hi
As you all know, Keycloak is saying that they won't support Mongo as it
lacks transactional support.
Hence I was thinking of using SQL Server as a potential candidate.
A few queries which I have are below:
1. We are envisioning an environment where we will have a lot of Keycloak
instances. Each Keycloak instance will require its own database. The way we
do it right now is that we just bring up a new Keycloak instance on DCOS
and then specify a new database name resident on the database host, and
then the instance comes up. We are not sure whether we can do this with SQL
Server in much the same way.
2. Not sure what performance characteristics we will get with a remote
SQL Server?
3. These are Linux-based container instances that we are setting up for
Keycloak.
Mixing deployment architectures between DCOS containers and traditional
scaling architectures for databases, can it be an issue?
Is there anyone here using SQL Server as their backend in Keycloak? Did
anyone face any bad experiences while using SQL Server with Keycloak?
Any suggestions for the same are most welcome.
- Best Regards
Abhishek Raghav
7 years, 2 months
Run testsuite with distribution by default
by Stian Thorgersen
I propose we change the default build to also build the server
distribution. We should also make the Arquillian testsuite use the server
distribution by default and not the embedded Undertow version. The embedded
Undertow version should only be used when running tests from within the IDE.
It should only add ~2 min to a full build.
Any objections/comments?
7 years, 2 months
dynamic client registration fixed registration access tokens
by Sven Thoms
Hello
For client registration health checks and subsequent request resiliency
(what if the answer with the registration access token does not arrive), is it
possible to keep the registration access token permanent and unchanging
once the client is registered?
Regards
Sven
7 years, 2 months