Currently the admin endpoints ignore credentials when creating the user
and a second post is needed to add credentials.
I don't see any reason why it has to be this way and we should be able to
We already have a PR for it https://issues.jboss.org/browse/KEYCLOAK-5026.
I'm adding a Group Based Policy to our set of supported policies.
Basically, this policy allows you to define the group(s) you want to give
access to some resource or scope.
Would like to share my initial scope with you and see if you guys have
anything else to add:
* Users can select one or more groups
* Users can define groups using paths (e.g.: /Group A/Group B/*, /Group A,
/Group A/Group B)
* Users can decide whether or not access is granted if the identity is a
member of all or any of the selected groups
* Users can decide whether or not access extends to sub-groups of a parent
Please, let me know your thoughts.
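
The scope listed above can be sketched as a small evaluator. This is an added example, not part of the original message and not Keycloak code: the function names are hypothetical, and it assumes that a trailing `/*` selects only the sub-groups of a path and that an empty selection denies access.

```python
"""Illustration of the proposed group-policy scope (assumed semantics)."""

def split_path(path):
    """'/Group A/Group B' -> ('Group A', 'Group B')."""
    return tuple(seg for seg in path.split("/") if seg)

def group_matches(selected, member_group, extend_children):
    """True if membership in member_group satisfies the selected path."""
    sel = split_path(selected)
    mem = split_path(member_group)
    if not sel:
        return False  # an empty path must never match every group
    if sel[-1] == "*":
        # Assumption: '/Group A/Group B/*' means sub-groups only, not Group B.
        parent = sel[:-1]
        return len(mem) > len(parent) and mem[:len(parent)] == parent
    if mem == sel:
        return True
    # Whole segments are compared, so '/Group A' never matches '/Group AB'.
    return extend_children and len(mem) > len(sel) and mem[:len(sel)] == sel

def evaluate(selected_groups, user_groups, require_all=False,
             extend_children=False):
    """Grant when the identity is a member of all (or any) selected groups."""
    if not selected_groups:
        return False  # deny by default when nothing is selected
    hits = [
        any(group_matches(sel, grp, extend_children) for grp in user_groups)
        for sel in selected_groups
    ]
    return all(hits) if require_all else any(hits)

if __name__ == "__main__":
    # Constructed sample memberships, not taken from the mailing list.
    user = ["/Group A/Group B"]
    print(evaluate(["/Group A"], user))                        # parent only
    print(evaluate(["/Group A"], user, extend_children=True))  # with sub-groups
```

Comparing path segments rather than string prefixes is the detail that matters for access decisions: a prefix test would let membership in `/Group AB` satisfy a policy written for `/Group A`.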
I'm getting an error during
AbstractKeycloakTest.afterAbstractKeycloakTest() when cleanup is
executed. The problem is that the log only shows NullPointerException
with no stack trace. Even worse, the failure only occurs during a full
maven build. I can't duplicate the problem in IDE. Why does arquillian
not display stack traces?
We've picked Htmlunit as the default browser to run tests with due to it
being the fastest. Downside is that it simply doesn't work very well for
Just saw that Chrome is actually bringing a headless option to Chrome 59.
This is really nice as it allows headless testing with a real browser,
not just an emulated browser.
Ideally if this is fast we could use it as the default browser instead of
htmlunit. Obviously waiting until it's released on all platforms. If it's
not as fast as htmlunit then maybe there is a compromise.
The default browser would still be htmlunit. Then individual tests could be
marked (with an annotation on the class or on the WebDriver field). Those
marked would use Chrome in headless mode instead of htmlunit. Obviously
-Dbrowser would continue to override the browser in either case.
Thoughts? Anyone interested in giving the new headless Chrome option a spin
and evaluating how fast it is compared to htmlunit?
Would it be possible for you guys to guide me on how to implement
Multi-tenant SSO in a spring boot application.
I had gone through the example of multi-tenancy in the GitHub library, but
I am not sure how could I implement the similar feature for the SpringBoot
Any help would be appreciated, as I am trying to weigh the Keycloak for our
new application for the clients. As our application is going to SpringBoot
microservice based application, the feature of multi-tenancy is necessary
Awaiting for response.
Thanks & Regards,
I’m currently migrating a legacy database to Keycloak. I’m importing the users via the REST API. Now I’ve run into the issue that credentials are not stored when the user is created. The code doesn’t seem to invoke any calls related to credentials. The code does exist but is only invoked during the file import (or partial import).
Is it an option to add the credential processing to the UsersResource.createUser() ?
I’ve also created an issue https://issues.jboss.org/browse/KEYCLOAK-5026
My work on KEYCLOAK-4778 highlighted an inconsistency in User attribute value handling. When an IdentityProviderMapper accepts a user attribute, it seems (I haven't looked at all of them) they will drop (not import/store) those that have a null value. However, the REST API does something different. UserRepresentation (through StringListMapDeserializer) will convert null values to a String of "null".
Any objections to changing StringListMapDeserializer to also ignore null valued attributes? UserRepresentation is the only user of StringListMapDeserializer.
The UI tests are not supposed to work with "artificial" browsers - only the
real-life ones are supported.
UI tests are highly demanding on the JS interpreter (neither PhantomJS nor
HtmlUnit can satisfy such demands) and moreover the UI needs to be tested
anyway with all supported browsers (due to some differences between them).
So it wouldn't make much sense to run them with e.g. HtmlUnit.
Please see our HOW-TO-RUN, where there are instructions on some special
tests (like UI or adapters).
However, good point that we should add some check for supported browsers
before running the tests. I'll look into it.
On Wed, May 31, 2017 at 8:41 AM, Pavel Drozd <pdrozd(a)redhat.com> wrote:
> On 31.5.2017 at 08:31, Stian Thorgersen wrote:
> Ideally the console tests should work with HtmlUnit, but failing that they
> certainly need to work with PhantomJS.
> Pavel - any chance we can get the console tests working with HtmlUnit? If
> not I guess we need to set the default for the console tests to PhantomJS.
> We were focusing to run the tests mainly with real browsers. Vasek did you
> try to run the UI tests with HtmlUnit?
> On 30 May 2017 at 17:37, Alex Szczuczko <aszczucz(a)redhat.com> wrote:
>> I just lost a couple days to a really simple mistake when running the UI
>> tests. I didn't set -Dbrowser=firefox, so the headless WebDriver was used,
>> which produces a lot of impossible errors that I couldn't figure out at
>> all. To save the next person the same agony, I think there are two possible
>> 1. Define a default browser=firefox property in
>> 2. Use a plugin to fail the build if the user has not defined the browser
>> property on the command line.
>> Note that you need to enable a profile to run these tests
>> (-Pconsole-ui-tests), so this doesn't impact the project's normal mvn clean
>> Opinions on either of these options?
Keycloak / Red Hat Single Sign-On
Red Hat Czech s.r.o.
I’m looking to leverage Keycloak as the primary IdP for our SaaS platform. We have many tenants, each with their own sub-tenants ( their customers ) and would like to provide them with the ability to administer themselves (and enable sub-tenant users to admin the sub-tenant, etc). Based on my current research, which includes the multi-tenant example in the GitHub repo, it appears that multiple tenants are supported via separate realms. My current thinking is that I’d like to use a single realm as I’d like for a platform administrator (like myself) to be able to manage all users in a single place, use a group hierarchy to support multiple tenants, and apply roles to specific users in a group to eg. administer the users or create a sub group for a new tenant.
Something like this:
|- User 1 (user-admin role)
|- Tenant 1 Group
| |- User 1.1 (user-admin role)
| |- User 1.2
| |- …
| |- User 1.n
|- Tenant 2 Group
| |- User 2.1 (user-admin role)
| |- User 2.1
| |- …
| |- User 2.n
| |- Tenant 3 Group
| |- User 3.1 (user-admin role)
| |- User 3.2
| |- …
| |- User 3.n
From the above we’re looking for:
* User 1 is the realm/platform administrator and has full control over all groups/users
* User 1.1 is the administrator for Tenant 1
* User 2.1 is the administrator for Tenants 2 and 3
* User 3.1 is the administrator for Tenant 3
I came across this thread <http://lists.jboss.org/pipermail/keycloak-user/2015-October/003359.html> and specifically this comment from Bill Burke:
>I like that idea. A better alternative might be that each group has an
>"user-admin" role. If a user has the "user-admin" role of the group, it
>can administer users in that group and assign roles defined in that
>group. One thing to really think about is, what about sub-groups. Can
>an admin of the parent group administer sub groups?
This post is from October 2015, so I’m curious if the ability to grant specific roles to specific users in a specific group has been implemented at all? I can’t find anything about it in the docs. I also just noticed this JIRA issue <https://issues.jboss.org/browse/KEYCLOAK-3168> but am not sure if it’s the same thing.
Disclaimer: I’m new to Keycloak so maybe am misunderstanding and/or going about this incorrectly… please let me know if I can provide more information; I can provide a more complete description of my goals / requirements if that would help.