We have a plan to translate keycloak-documentation to Japanese for the
community at our company.
Because there is no place to manage the translation resources in
we are planning to put the resources into our own repository and publish
the built documents to our corporate site.
Do you have any concerns?
Of course, we can contribute it if there are any plans to translate it
Nomura Research Institute, Ltd.
I have a use case where the server must accept authorization requests only
when they contain a signed request object (should be configurable per
I have found a way to make the signing of the request object mandatory by
specifying a 'request.object.signature.alg' attribute on the client, but
this only applies if a request object exists in the first place.
I would like to propose a pull request: It defines a new client attribute
'request.object.required'. If this is set to 'true', the client must send a
request object when initiating an authorization request.
Current code can be checked here:
What do you think?
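An added illustration of the proposed check (example code written for this digest, not Keycloak's code or the pull request): a policy function that applies a hypothetical `request.object.required` attribute next to the existing `request.object.signature.alg` attribute to an incoming authorization request. The JWS is only inspected for its header here; verifying the signature against the client's key, and the choice to reject `alg: none` when an object is required, are assumptions of this example.

```python
import base64
import json


def _b64url_decode(segment):
    # JWS segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jws_header(compact):
    """Return the JOSE header of a compact JWS, or raise ValueError if it is malformed."""
    parts = compact.split(".")
    if len(parts) != 3 or not all(parts[:2]):
        raise ValueError("not a compact JWS")
    try:
        return json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        raise ValueError("undecodable JOSE header")


def check_request_object_policy(query_params, client_attrs):
    """Apply both client attributes to one authorization request.

    Returns None when the request passes, otherwise the OAuth error code to send back."""
    required = client_attrs.get("request.object.required") == "true"
    expected_alg = client_attrs.get("request.object.signature.alg")
    request_obj = query_params.get("request")
    if request_obj is None:
        # With only the alg attribute, a request carrying no object at all passes;
        # the proposed attribute is what closes that gap.
        return "invalid_request" if required else None
    try:
        alg = jws_header(request_obj).get("alg")
    except ValueError:
        return "invalid_request_object"
    if expected_alg is not None and alg != expected_alg:
        return "invalid_request_object"
    if required and alg in (None, "none"):
        # assumption: a mandatory object that is not signed gives no integrity guarantee
        return "invalid_request_object"
    return None


def constructed_request_object(alg):
    """Constructed JWS-shaped sample for the checks above; the signature segment is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": alg, "typ": "JWT"})
    claims = enc({"client_id": "desktop-app", "response_type": "code"})
    return ".".join([header, claims, "placeholder-signature"])
```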
I played a bit with the undocumented? keycloak-installed adapter
desktop applications with Keycloak SSO and found some issues with it, which
I'd like to share.
Small explanation for those who are reading the list but don't know the
First some general notes / suggestions:
Is the keycloak-installed adapter something that will stay in keycloak or
was this just a PoC?
In the former case I think there are some things that could be improved or
extended a bit:
- Allow users to customize the locale used for the login pages opened by
- Provide customizable response templates (perhaps by leveraging a provided
- Allow to customize pages shown after login / logout served by the
- Add support for TLS (with custom certificates) for https:// with localhost
I noticed that some browsers (e.g. Chrome) show an error page when trying
redirect to the local mini-webserver after a successful login since the
(...server-socket) embedded in the adapter doesn't respond with a valid
With that fixed, it worked with all browsers I tested (IE, Firefox, Chrome).
My current modifications of the keycloak-installed adapter
(with HTTP response fixes and response customizations) are here:
An extended example (using the modified keycloak-installed adapter) can
be found here:
Not mentioned here:
For those that haven't seen the adapter yet, it allows to authenticate
from a desktop app (e.g. swing, javafx) by opening a desktop browser window
where a user uses the regular keycloak login pages to login.
The trick is now that login page is opened with redirect URL that points to
a small local "web server" (server-socket) on a free ephemeral port which is started by
After logging in, the mini web-server performs the authorization
code flow and eventually receives the tokens (access_token, refresh_token,
id_token) which can then be
used to call backend services from the client or retrieve new tokens
A nice side effect of this is, that the desktop application never sees a
password and one can leverage existing SSO sessions.
Btw. the google cloud cli uses the same approach to authenticate with gcp.
The Keycloak repo contains a small example for this:
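The loopback part of the flow described above, as an added example in Python rather than the adapter's own Java code: a listener on an ephemeral 127.0.0.1 port parses the browser's redirect, checks the state parameter against the value the desktop app generated, and answers with a complete HTTP/1.1 response (status line, Content-Length, headers), which is the piece whose absence made Chrome show an error page. The request and state values are constructed; exchanging the returned code for tokens is not shown.

```python
import html
import secrets
import socket
from urllib.parse import parse_qs, urlsplit


def build_http_response(status, body):
    # A full HTTP/1.1 response with headers and Content-Length; writing only a
    # bare body to the socket is what browsers reject as an invalid response.
    payload = body.encode("utf-8")
    head = (f"HTTP/1.1 {status}\r\nContent-Type: text/html; charset=utf-8\r\n"
            f"Content-Length: {len(payload)}\r\nConnection: close\r\n\r\n")
    return head.encode("ascii") + payload


def handle_redirect(request_bytes, expected_state):
    """Parse the browser's GET to the loopback listener; return (code or None, response bytes)."""
    request_line = request_bytes.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None, build_http_response("405 Method Not Allowed", "<p>Unsupported request.</p>")
    query = parse_qs(urlsplit(parts[1]).query)
    state = query.get("state", [""])[0]
    # state ties the callback to the login attempt this app started; anything else is dropped
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        return None, build_http_response("400 Bad Request", "<p>Invalid state.</p>")
    if "error" in query:
        msg = html.escape(query["error"][0])
        return None, build_http_response("200 OK", f"<p>Login failed: {msg}</p>")
    code = query.get("code", [""])[0]
    if not code:
        return None, build_http_response("400 Bad Request", "<p>Missing authorization code.</p>")
    return code, build_http_response("200 OK", "<p>Login successful, you can close this window.</p>")


def start_loopback_listener():
    """Bind 127.0.0.1 on a free ephemeral port; that port goes into the redirect_uri."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def wait_for_code(srv, expected_state):
    """Accept one browser connection, answer it with a valid response, hand back the code."""
    conn, _ = srv.accept()
    with conn:
        request = conn.recv(8192)
        code, response = handle_redirect(request, expected_state)
        conn.sendall(response)
    return code
```

A desktop app would call `start_loopback_listener()`, put the port into `redirect_uri`, open the login page with a `state` from `secrets.token_urlsafe()`, then block in `wait_for_code()`.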
Right now, when you enable fine-grained permissions to users you must grant
to a specific user the "manage-users" role. Otherwise, you will not be
able to see the "Add User" button even though you have a permission
granting the "manage" scope. It is quite weird actually, because you can
This is because in the UI we are checking only for "manage-users" when deciding
whether this button should be shown or not.
One thing we could do here is change admin console to query for current
user permissions using the Entitlement API and use the permissions returned
in the RPT to decide whether or not something in the UI should be displayed.
I did some tests here and this approach seems to work fine and I think it
will improve a lot how we are handling permissions in admin console.
I'm getting a 401 error when invoking the AssertEvents.clear()
method in one of my tests. Makes zero sense other than that I set the
time offset to sometime in the future before invoking it. Is Testing
Resource protected by Keycloak? It's the only reason I can think that
the token is expired or something. I can't seem to find the
This is driving me crazy because locally tests pass 100%, but I'm
getting this problem in the CI build.
I'm planning to start to submit some PRs for
https://issues.jboss.org/browse/KEYCLOAK-4853 . If I start to get them to
you in the next few days, what release would they target. Some of
the items I'm looking to immediately leverage are:
- Create User
- Create Group
- Create IDP
These are the important ones since fetching the data a second go around
requires that unique ID in the URL.
I had raised a PR ( https://github.com/keycloak/keycloak/pull/4850 ) for
KEYCLOAK-4852. It seems like there may be some disagreement on whether this
is needed, but I was confused by the fact that the ticket was in the
"BacklogBacklog" without any comments, questions or concerns.
Here's the problem I face. The resteasy proxy code only throws exceptions
for 4xx and higher responses. I want to confirm on realm creation that I
received a 201 Created header back from keycloak. The admin client doesn't
support this today. To do that, and without breaking other consumers, I
introduced a new method that will return the response. The void method
remains and doesn't change any behavior. The new method allows me to read
the response status and location headers correctly.