Help getting started configuring the server?
by mark
I am new to Keycloak and have been through the manual; I have also seen the
code quickstarts. What I am missing is the same for the server setup.
I am aiming for a simple setup initially:
- running locally in stand alone mode (already done)
- one realm, two user roles
- users can register as one of the two roles
- client application uses the initialization code flow
- client is using spring boot (if that makes a difference)
Are there any walkthroughs for server config?
Thanks
6 years, 11 months
restricted admin console access
by Bill Burke
I'm thinking of adding additional admin roles: "admin-console-users",
"admin-console-groups", "admin-console-clients" and a composite of all
three: "admin-console-access". These roles exist solely for the admin
console and determine whether or not the "Users", "Clients", or "Groups"
menu items show up. It is unfeasible to calculate this considering that
a restricted admin may have access to only one client in the admin
console or a specific set of users in a specific group.
Alternatively, I could just display the "Users", "Clients" and "Groups"
menu items no matter what role mappings or permissions the restricted
admin has. Then when they click on that menu item, query results are
filtered based on individual permissions. I like the latter better
because it's a better user experience. For example, if a restricted
admin can only manage one client and nothing else, the admin console
could bring the admin directly to that client's management page.
6 years, 11 months
Merging node_modules into Keycloak repo
by Stan Silvert
The very thought of $subject seems like heresy. Why check in something
that is normally pulled using npm?
We have Angular 2 examples in Keycloak now. In the not-too-distant
future, our Account Management console will be written in Angular 2. So
node_modules has to be there somehow.
There are basically two options:
1) Merge node_modules into the Keycloak repo.
2) Don't merge and then run npm install at build time.
Productization standards push toward option #1. We need to have
consistent, repeatable builds.
But I'm looking for reasons that #1 might be bad. I can't come up with
a rational reason to do #2 except that it saves disk space.
Any thoughts?
6 years, 11 months
Angular version
by Sander Geerts
Hello,
We are using Keycloak for some of our products. One of our clients scans every used library and tool, and they came across the issue of cross-site scripting in the Angular version (1.4.4) used in Keycloak. Can this cause issues when using Keycloak? Why (not)?
6 years, 11 months
any reason Migrators in server-private-spi?
by Bill Burke
Anybody know why Migrators are in server-private-spi? Shouldn't they be
in services? They should never be exposed and I thought private-spi
were for things we might eventually move to public.
6 years, 11 months
Proposal of using existing authentication server on behalf of keycloak browser-based authentication
by 乗松隆志 / NORIMATSU,TAKASHI
Hello.
I'd like to propose the feature of delegating authentication to an external authentication server on behalf of keycloak's browser-based authentication mechanism.
It might be said to be a variant of Identity Brokering, except that it does not use standard Identity Federation protocols such as OpenID Connect and SAMLv2.
Its concept is similar to SP-Initiated SSO: POST/Artifact Bindings of SAMLv2.
[Background]
- The authentication server already exists.
- This authentication server does not implement the OpenID Connect protocol.
- You want to use keycloak for realizing secure identity and access management by OpenID Connect.
In the situation above, you could opt to port the authentication feature of the existing authentication server onto keycloak and use a User Storage SPI provider for retrieving user information from the existing authentication server, or implement the OpenID Connect protocol on the existing server to support Identity Brokering triggered by keycloak.
However, the following make it hard or impossible.
- UI implementation cost : Responsive design, vast amount of customization based on various factors.
- Authentication porting cost : Requirements for high-level authentication that have already been implemented in the existing authentication server such as multi-factor authentication for LoA 3 conformance in ITU-T X.1254.
This authentication delegation mechanism resolves these difficulties by using the existing authentication server for authentication and retrieving authenticated user information by back-end communication between keycloak and the existing authentication server.
Prototype Implementation and PoV testing has been completed.
It is implemented as additional providers and their factories for the Authentication SPI and User Storage SPI, in order to avoid impairing existing keycloak features.
Would you mind reviewing this concept and prototype implementation? If accepted, I'm willing to revise the code for a PR.
Details are as follows.
https://github.com/Hitachi/PoV-keycloak-authentication-delegation/tree/ma...
Sample code is the following.
https://github.com/Hitachi/PoV-keycloak-authentication-delegation/tree/ma...
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
6 years, 11 months
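The exchange the proposal sketches (front-channel hand-off to an external authentication server, an opaque artifact carried back through the browser, and back-channel resolution of that artifact, in the manner of SAML's SP-initiated artifact binding) is simulated below as an added, self-contained example. It is constructed for this page and is neither the Hitachi prototype nor Keycloak code; the class and method names, the shared-secret HMAC used to authenticate the back channel, the artifact lifetime and the sample credential store are all assumptions. The point it shows is the set of checks a practitioner would want on the Keycloak side of such a delegation: the artifact is single-use, short-lived, resolvable only by a party holding the back-channel secret, and bound to the browser session that started the login.

```python
"""Simulated artifact-style authentication delegation (constructed example).

ExternalAuthServer plays the legacy authentication server; DelegatingRelyingParty
plays the role Keycloak would take in the proposal. Names and the HMAC-based
back-channel authentication are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets
import time


def _clock(now):
    """Use an injected timestamp when given (for deterministic tests)."""
    return time.time() if now is None else now


class ExternalAuthServer:
    """Stand-in for the existing, non-OIDC authentication server."""

    def __init__(self, shared_secret: bytes, artifact_ttl: float = 60.0):
        self.secret = shared_secret
        self.ttl = artifact_ttl
        self._artifacts = {}  # artifact -> (username, relay_state, issued_at)
        self.users = {"alice": "correct horse"}  # constructed credential store

    def authenticate(self, username, password, relay_state, now=None):
        """Front-channel step: on a successful login, hand the browser an opaque
        artifact that it will carry back to the relying party."""
        if self.users.get(username) != password:
            return None
        artifact = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._artifacts[artifact] = (username, relay_state, _clock(now))
        return artifact

    def resolve(self, artifact, rp_mac, now=None):
        """Back-channel step: the relying party presents the artifact plus an HMAC
        proving it holds the shared secret. Artifacts are single-use and expire."""
        expected = hmac.new(self.secret, artifact.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rp_mac):
            return None
        entry = self._artifacts.pop(artifact, None)  # consume even if it then fails
        if entry is None:
            return None  # unknown, or already resolved (replay)
        username, relay_state, issued_at = entry
        if _clock(now) - issued_at > self.ttl:
            return None  # expired
        return {"username": username, "relay_state": relay_state}


class DelegatingRelyingParty:
    """The Keycloak-side role: starts a login, later validates the returned artifact."""

    def __init__(self, auth_server, shared_secret: bytes):
        self.auth_server = auth_server
        self.secret = shared_secret
        self._pending = {}  # relay_state -> browser session that started the login

    def start_login(self, session_id):
        """Mint a per-attempt relay state; it rides along on the redirect to the
        external server and comes back inside the resolved artifact."""
        relay_state = secrets.token_urlsafe(16)
        self._pending[relay_state] = session_id
        return relay_state

    def complete_login(self, session_id, artifact, now=None):
        """Resolve the artifact over the back channel and bind it to the session."""
        mac = hmac.new(self.secret, artifact.encode(), hashlib.sha256).hexdigest()
        info = self.auth_server.resolve(artifact, mac, now=now)
        if info is None:
            return None
        # An artifact lifted from one browser must not log in a different session,
        # so the relay state has to match the session that began this attempt.
        if self._pending.pop(info["relay_state"], None) != session_id:
            return None
        return info["username"]


def demo():
    """Happy path followed by a replay of the same artifact: ('alice', None)."""
    secret = secrets.token_bytes(32)
    ext = ExternalAuthServer(secret)
    rp = DelegatingRelyingParty(ext, secret)
    relay = rp.start_login("browser-session-1")
    artifact = ext.authenticate("alice", "correct horse", relay)
    first = rp.complete_login("browser-session-1", artifact)
    replay = rp.complete_login("browser-session-1", artifact)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

In a real deployment the relay state would be carried in the redirect and the back channel would be an authenticated HTTPS call rather than an in-process method; the checks themselves (secret-bound resolution, single use, expiry, session binding) are what a reviewer would look for in the prototype's authenticator.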
GoLang Adapter
by Tony Winters
I was just at the RedHat Summit this week and during the Keycloak session, it was mentioned that there wasn’t a GoLang adapter yet. I’d be interested in tackling this if there is a need. What is the process to get this started? We actually have an application written in GoLang that will need to be secured once we go live with Keycloak company wide (scheduled go-live within the next several months).
Tony Winters
6 years, 11 months
Cross-DC Support
by Pedro Igor Silva
Hey All,
Is it fair to say that using invalidation events via ClusterProvider is
enough to get Cross-DC support?
Regards.
Pedro Igor
6 years, 11 months