We are using Keycloak in our project and we need to use websockets. There
is currently no official solution for Keycloak/websocket integration, but
there is a great library in Hawkular for this purpose:
I think it would be great if this could become part of Keycloak. What do
you think? I'm willing to contribute to it.
I'm asking this question about the community version of Keycloak. RH-SSO
absolutely must be reproducible.
The reason I ask is because we will soon stop checking node_modules into
We will lock down the library versions with yarn, which means everything
is theoretically reproducible as long as the public npm repo is stable.
But if we want to be extra-sure, we can set up our own npm repo and
archive it with each community release.
WDYT? How much do we care about reproducible builds in community?
I built a configurable Password Policy that matches a given blacklist of
easy-to-guess passwords that should not be allowed as user
The 'BlacklistPasswordPolicyProvider' can be configured via the admin UI
with a ";"-delimited list of easy-to-guess passwords.
If the user or admin wants to change the password, it is checked against
A password list can be found here:
A blacklist is of course not a perfect solution, but could still be useful
for some users.
The password blacklist would be compiled into a trie at startup (and on
changes of the blacklist) for efficient lookups.
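As an added illustration of the design sketched above (this is not the poster's provider code and not Keycloak's; it uses a plain trie in Python rather than the Java PatriciaTrie, and the class name, the `reload` method, the constructed sample config string and the hypothetical error key `invalidPasswordBlacklistedMessage` are all assumptions), here is a ";"-delimited blacklist compiled into a trie so that a lookup costs one step per character of the candidate password. Matching is done case-insensitively, which is a design choice of this example, not something the proposal states.

```python
"""Added example: a ';'-delimited password blacklist compiled into a trie.
Not Keycloak code; names and the sample config are hypothetical/constructed."""
from typing import Dict, Optional

# Constructed sample of what an admin might enter in the policy config field.
SAMPLE_CONFIG = "123456;password;qwerty;letmein;Password1"


class _Node:
    __slots__ = ("children", "terminal")

    def __init__(self) -> None:
        self.children: Dict[str, "_Node"] = {}
        self.terminal = False  # True if a blacklisted word ends here


class BlacklistPasswordPolicy:
    """Rejects passwords contained in a blacklist; lookup is O(len(password))."""

    def __init__(self, config: str) -> None:
        self._root = _Node()
        self._size = 0
        self.reload(config)  # compile at startup ...

    def reload(self, config: str) -> None:
        """Rebuild the trie, e.g. when the admin changes the policy config."""
        root = _Node()
        size = 0
        for entry in config.split(";"):
            word = entry.strip()
            if not word:          # tolerate "a;;b" and trailing separators
                continue
            node = root
            for ch in word.lower():   # case-insensitive matching (example's choice)
                node = node.children.setdefault(ch, _Node())
            if not node.terminal:
                node.terminal = True
                size += 1
        # Swap in the new trie atomically from the caller's point of view.
        self._root, self._size = root, size

    def __len__(self) -> int:
        return self._size

    def is_blacklisted(self, password: str) -> bool:
        node = self._root
        for ch in password.lower():
            node = node.children.get(ch)
            if node is None:
                return False      # diverged from every blacklisted word
        return node.terminal      # exact match only; a prefix is not a hit

    def validate(self, password: str) -> Optional[str]:
        """Return an error message key (hypothetical) or None if the password is acceptable."""
        if self.is_blacklisted(password):
            return "invalidPasswordBlacklistedMessage"
        return None


if __name__ == "__main__":
    policy = BlacklistPasswordPolicy(SAMPLE_CONFIG)
    for candidate in ("password", "PASSWORD1", "pass", "c0rrect-h0rse-battery"):
        print(candidate, "->", policy.validate(candidate))
```

Note that the trie answers only exact-match questions; the proposal's "easy to guess" list is therefore only as good as the entries it contains, which is the limitation the poster acknowledges.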
I would like to report some unexpected behavior while requesting access-
and refresh token pairs. It is possible to obtain a new access- and refresh
token pair using only an access token. To describe this more thoroughly; If
someone obtained a valid access token s/he can obtain a new access- and
refresh token pair without ever knowing the refresh token.
The problem is that refresh tokens never leave the client except when
requesting a new one at the authorization server. However, the access token
is sent to resource servers for obtaining resources (obviously). But now a
resource server is actually able to obtain a new access- and refresh token
pair on behalf of the user as well, which was never the user's intention
(since it can keep a valid token indefinitely by refreshing it).
Of course, since the resource server doesn't have client credentials for
private clients it cannot obtain a new access- and refresh token pair for
those. However, it can do so for public clients as only their name is
known. (In fact, it is available in the "azp" claim of the access token.)
Steps to reproduce (I tested this with a clean setup of Keycloak
1. We will use the admin-cli client and the admin account. You can do this
with any client and account, but since this is already set up for this
particular example, it makes things a bit easier.
2. Using the admin account, fetch a new access- and refresh token pair
using any grant type. We will be using the password grant:
curl --data "client_id=admin-cli&grant_type=password&username=<admin_
3. Grab the access_token value from the response and perform a refresh
grant using this access token:
curl --data "client_id=admin-cli&grant_type=refresh_token&refresh_
4. You will now have a response including a new access- and refresh token
This unexpected behavior can be solved by either checking that the "typ" claim
is set to "Refresh", or, when time allows, using a different signing
secret for the access and refresh tokens. I would prefer the latter
Thanks in advance,
I posted it already on the [keycloak-user] mailing list without a reply.
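The two mitigations the report names, as an added example that is not Keycloak's code and not the reporter's: a local model of the token endpoint that mints an access/refresh pair and then handles a `grant_type=refresh_token` request. The tokens are constructed here with HS256 and shared secrets so the script runs offline (Keycloak signs with RS256 and carries more claims); the only claims modelled are `sub`, `azp`, `typ`, `iat` and `exp`, with `typ` set to "Bearer" on access tokens and "Refresh" on refresh tokens as the report describes. All function names and the secrets are assumptions.

```python
"""Added example, not Keycloak code: why an access token must not be accepted by
the refresh grant, and the two fixes (typ check; separate signing keys)."""
import base64
import hashlib
import hmac
import json
import time

ACCESS_KEY = b"constructed-access-signing-secret"
REFRESH_KEY = b"constructed-refresh-signing-secret"   # distinct key: mitigation 2


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT (stand-in for Keycloak's RS256 tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, key: bytes) -> dict:
    """Check signature and expiry under the given key; return the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def issue_pair(subject: str, azp: str, single_key: bool = True):
    """Access token (typ=Bearer) plus refresh token (typ=Refresh)."""
    now = int(time.time())
    common = {"sub": subject, "azp": azp, "iat": now}
    access = sign({**common, "typ": "Bearer", "exp": now + 300}, ACCESS_KEY)
    refresh = sign({**common, "typ": "Refresh", "exp": now + 1800},
                   ACCESS_KEY if single_key else REFRESH_KEY)
    return access, refresh


def refresh_grant(presented_token: str, client_id: str,
                  single_key: bool = True, check_typ: bool = True) -> dict:
    """Token endpoint handling grant_type=refresh_token for a public client.

    single_key=True, check_typ=False reproduces the reported behaviour:
    anything that verifies under the shared key, including an access token
    leaked to a resource server, yields a fresh pair.
    """
    key = ACCESS_KEY if single_key else REFRESH_KEY
    try:
        claims = verify(presented_token, key)
    except ValueError as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    if check_typ and claims.get("typ") != "Refresh":      # mitigation 1
        return {"error": "invalid_grant", "error_description": "not a refresh token"}
    if claims.get("azp") != client_id:
        return {"error": "invalid_grant", "error_description": "token issued to another client"}
    access, refresh = issue_pair(claims["sub"], client_id, single_key)
    return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer"}


if __name__ == "__main__":
    access, refresh = issue_pair("admin", "admin-cli")
    print("vulnerable:", "refresh_token" in refresh_grant(access, "admin-cli", check_typ=False))
    print("typ check :", refresh_grant(access, "admin-cli"))
    a2, _ = issue_pair("admin", "admin-cli", single_key=False)
    print("split keys:", refresh_grant(a2, "admin-cli", single_key=False, check_typ=False))
```

With separate keys the access token does not even verify at the refresh endpoint, so the `typ` check becomes defence in depth rather than the only barrier; the `azp` comparison is what stops a token for one public client from being refreshed under another client's name.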
I want to run the Keycloak server on a Tomcat 8/9 instance. For that, I found an article https://reachmnadeem.wordpress.com/2015/01/14/deploying-keycloak-in-tomcat/ which describes how to deploy Keycloak on Tomcat. Unfortunately it describes version 1.1.0-Beta2, which is very old. In its web.xml a filter with the name org.keycloak.services.filters.ClientConnectionFilter is referenced. When starting the context on Tomcat 8/9, a ClassNotFoundException is thrown.
I have been unable to resolve the dependency in 1.1.0-Beta2 and 3.2.0-Final, too.
The name of the class suggests that it is from the Keycloak project. Can anybody give me a hint where to find this class? I also asked the author of the above article, but so far he has not answered.
> Beginning of forwarded message:
> To: keycloak-user(a)lists.jboss.org
> In order to run a keycloak-server on Tomcat, I am searching for a class named org.keycloak.services.filters.ClientConnectionFilter. Could anybody send me a hint where to find it? Could anybody share a link to documentation of this filter?
> https://britzke.berlin/
> keycloak-user mailing list
Sorry for the long message, but I tried to highlight some important bits of
what I'm doing :) I'm not done yet, so here are the ideas I'm considering
I'm almost done with the initial changes to get the user managed access
bits of UMA.
Basically, this is about providing the backbone in order to support use
cases such as resource sharing, authorization flows and users capable of
managing their own resources.
A really interesting feature set for IoT use cases as well as for those looking
to give more privacy control to their users (not only security).
In a nutshell, we have now a new entity in our model:
This entity holds all the information we need in order to know which
resource/scope was requested and when, plus any additional claims the RS
wants to associate with a permission request.
This entity will allow us to perform:
* Queries to obtain the person/entity that needs to approve a permission
* Queries to obtain the person/entity looking for access
* Queries to obtain the resources/scopes being requested
* For how long a permission is valid
* Which claims (contextual data pushed by the RS when issuing a permission
ticket) are associated with a permission request and need to be approved by
the owner and enforced by the RS.
As you know, the UMA flow starts with a client trying to access a resource
protected by a RS. At this moment the RS issues a *permission ticket* which
then is returned to the client to give him a chance to obtain the RPT
(token with the actual permissions) from the AS.
Two things here:
* Only resources that support "user/owner managed access" are supposed to
have permission tickets persisted
* The RS can set additional claims to the permission ticket in order to
provide contextual data for policies and let them take any decision
considering this data. E.g.: I need to withdraw some money from my wife's
bank account, but she only wants to let me do it if the amount is <= $100
Basic sharing will be based on a simple approval/reject of a permission
request (permission ticket).
Please, let me know what you think.
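The permission-ticket flow described above, as an added example that is not Keycloak's implementation and not the poster's code: a small in-memory model of the new entity (owner, requester, resource/scopes, pushed claims, creation time and validity) together with the three sides that touch it, the RS issuing a ticket, the owner approving or rejecting it under a claim condition such as "amount <= 100", and the client redeeming an approved ticket for an RPT. Class and method names, the $100 policy and the sample users and resources are constructed for the example.

```python
"""Added example, not Keycloak code: UMA permission tickets as a persisted entity,
with owner approval, an owner-defined claim condition, and RPT redemption."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class PermissionTicket:
    """One persisted permission request; mirrors the fields listed in the message."""
    id: str
    owner: str                  # who must approve
    requester: str              # who is asking for access
    resource: str
    scopes: List[str]
    claims: Dict[str, object]   # contextual data pushed by the RS
    created: float
    ttl: int                    # seconds the ticket (and the granted permission) is valid
    status: str = "pending"     # pending | granted | denied

    def expired(self, now: Optional[float] = None) -> bool:
        return (now if now is not None else time.time()) > self.created + self.ttl


@dataclass
class Resource:
    owner: str
    owner_managed: bool = True
    # Owner-defined condition over the pushed claims, e.g. amount <= 100.
    claim_policy: Optional[Callable[[Dict[str, object]], bool]] = None


class AuthorizationServer:
    def __init__(self) -> None:
        self.resources: Dict[str, Resource] = {}
        self.tickets: Dict[str, PermissionTicket] = {}

    def register_resource(self, name, owner, owner_managed=True, claim_policy=None):
        self.resources[name] = Resource(owner, owner_managed, claim_policy)

    # --- RS side: a client hit a protected resource, the RS asks for a ticket ---
    def issue_ticket(self, requester, resource, scopes, claims=None, ttl=600, now=None):
        res = self.resources[resource]
        if not res.owner_managed:
            return None   # only owner-managed resources get persisted tickets
        ticket = PermissionTicket(secrets.token_urlsafe(16), res.owner, requester,
                                  resource, list(scopes), dict(claims or {}),
                                  now if now is not None else time.time(), ttl)
        self.tickets[ticket.id] = ticket
        return ticket.id

    # --- owner side: the queries the entity is meant to answer ---
    def pending_for_owner(self, owner) -> List[PermissionTicket]:
        return [t for t in self.tickets.values()
                if t.owner == owner and t.status == "pending"]

    def decide(self, owner, ticket_id, approve: bool) -> str:
        ticket = self.tickets[ticket_id]
        if ticket.owner != owner:
            raise PermissionError("only the resource owner can decide")
        policy = self.resources[ticket.resource].claim_policy
        # Even an explicit approval is bounded by the owner's claim condition.
        granted = approve and (policy is None or bool(policy(ticket.claims)))
        ticket.status = "granted" if granted else "denied"
        return ticket.status

    # --- client side: exchange an approved ticket for an RPT ---
    def redeem(self, requester, ticket_id, now=None) -> Optional[dict]:
        ticket = self.tickets.get(ticket_id)
        if (ticket is None or ticket.requester != requester
                or ticket.status != "granted" or ticket.expired(now)):
            return None
        return {"sub": requester,
                "permissions": [{"rsname": ticket.resource, "scopes": ticket.scopes,
                                 "claims": ticket.claims}],   # the RS enforces these
                "exp": ticket.created + ticket.ttl}


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_resource("wife-account", "alice",
                          claim_policy=lambda c: c.get("amount", 0) <= 100)
    t = srv.issue_ticket("bob", "wife-account", ["withdraw"], {"amount": 50})
    print(srv.decide("alice", t, True), srv.redeem("bob", t))
```

The claim condition is evaluated once at approval time and the approved claims travel inside the RPT, which is the "approved by the owner and enforced by the RS" split the message describes: the AS decides, the RS still has to compare the claims it sees at access time against those in the RPT.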
We have configured HAProxy as our load balancer and Keycloak (3.0) as our SSO. We have configured the Keycloak domain and secured our wars with Keycloak for our web application.
In HAProxy we have provided the "forwardfor" option, which introduces the "X-Forwarded-For" header, and configured Keycloak as given below to accept the header:
"<http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true"/>"
But still the redirect from Keycloak is going to the HAProxy machine and not to the backend servers with our webapp.
Is there any help you can provide here?
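As an added example (not Keycloak or Undertow code, and not part of the post above), a model of how a server behind a reverse proxy derives the base URL it puts into redirects once proxy address forwarding is on: the scheme and host come from X-Forwarded-Proto and X-Forwarded-Host, the client address from the first entry of X-Forwarded-For, and all three are honoured only when the immediate peer is a trusted proxy, since otherwise any client can spoof them. The local address 10.0.0.5:8080, the proxy range and the sample headers are constructed.

```python
"""Added example: deriving the public base URL from X-Forwarded-* headers,
honoured only from a trusted proxy. Not Keycloak/Undertow code."""
import ipaddress
from typing import Dict, Iterable, Tuple


def _peer_is_trusted(remote_addr: str, trusted_proxies: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in trusted_proxies)


def effective_request(headers: Dict[str, str], remote_addr: str, local_scheme: str,
                      local_host: str, trusted_proxies: Iterable[str],
                      proxy_address_forwarding: bool = True) -> Tuple[str, str, str]:
    """Return (scheme, host, client_ip) the application should treat as authoritative."""
    h = {k.lower(): v for k, v in headers.items()}
    if not (proxy_address_forwarding and _peer_is_trusted(remote_addr, trusted_proxies)):
        # Forwarding disabled, or the peer is not a known proxy: use what the
        # socket sees. Redirects built from this point at the proxy-facing address,
        # and a spoofed X-Forwarded-For from an untrusted client is ignored.
        return local_scheme, local_host, remote_addr
    scheme = h.get("x-forwarded-proto", local_scheme).strip().lower()
    host = h.get("x-forwarded-host", local_host).split(",")[0].strip()
    port = h.get("x-forwarded-port", "").strip()
    default_port = "443" if scheme == "https" else "80"
    if port and port != default_port and ":" not in host:
        host = f"{host}:{port}"
    # First entry is the original client; later entries are the proxies it passed.
    client_ip = h["x-forwarded-for"].split(",")[0].strip() if "x-forwarded-for" in h else remote_addr
    return scheme, host, client_ip


def redirect_base(headers: Dict[str, str], remote_addr: str, trusted_proxies: Iterable[str],
                  local_scheme: str = "http", local_host: str = "10.0.0.5:8080",
                  proxy_address_forwarding: bool = True) -> str:
    """Base URL a redirect (e.g. to the login page) would be built on."""
    scheme, host, _ = effective_request(headers, remote_addr, local_scheme, local_host,
                                        trusted_proxies, proxy_address_forwarding)
    return f"{scheme}://{host}"


# Constructed sample: what a proxy that sets all three headers would send.
FULL_HEADERS = {"X-Forwarded-For": "203.0.113.9, 10.0.0.2",
                "X-Forwarded-Proto": "https",
                "X-Forwarded-Host": "sso.example.test"}
# Constructed sample: a proxy that only adds X-Forwarded-For.
FOR_ONLY_HEADERS = {"X-Forwarded-For": "203.0.113.9"}
TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    print(redirect_base(FULL_HEADERS, "10.0.0.2", TRUSTED))
    print(redirect_base(FOR_ONLY_HEADERS, "10.0.0.2", TRUSTED))
    print(redirect_base(FULL_HEADERS, "198.51.100.7", TRUSTED))
```

The second print shows the case worth checking first when redirects come out with the wrong host: X-Forwarded-For alone identifies the client but says nothing about the public scheme or host name, so under this model the redirect still uses the address the server itself is listening on.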
How can I add a new dependency to the Keycloak modules/system/layers/base
I need to add org.apache.commons:commons-collections4 for the PatriciaTrie,
which I need for my BlacklistPasswordPolicyProvider:
I tried adding a dependency to keycloak/dependencies/server-all/pom.xml, but
I still get CNFEs if I try to run the server from the dist-build.
Caused by: java.lang.ClassNotFoundException:
org.apache.commons.collections4.trie.PatriciaTrie from [Module
"org.keycloak.keycloak-server-spi-private" from local module loader
@282ba1e (finder: local module finder @13b6d03 (roots: