TL;DR: Per-client authentication flows? A client can be configured to
override realm authentication flows.
I'm specing out how we will replace OSIN (openshift oauth server) with
Keycloak. One issue is that each oauth client in OSIN can specify the
authentication flow they want. Non-browser clients like the 'oc' command
line tool want a 401 challenge-based protocol; the web console
obviously wants HTML. All OSIN clients use the OAuth
auth-code grant regardless of whether they are non-browser or browser
clients. Keycloak assumes this OAuth grant type is browser based and
expects non-browser clients to use the Resource Owner Credentials grant or
the Client Credentials grant. OSIN does not support this and we (Keycloak)
have to be backward compatible.
I think it would be pretty simple to add the ability to override
authentication flows per client. I don't think this would be a
one-off for OSIN as we could use it to implement other non-browser
input protocols. For example, I wanted to be able to have a
text-based auth flow for command line logins. I think this could be a
way to implement that.
I'm pretty new to Keycloak development and at the moment I'm trying to develop some demo extensions to learn how SPIs and stuff like that work in Keycloak.
My question is:
Is there a util or helper class which I can use to generate a secure token string in my extension code (pretty much the same as an OAuth access or refresh token)?
I was not able to find something in the Keycloak code, but maybe there is something like that.
Thank you in advance,
We are about to finish the initial round of changes to make Keycloak
Authorization Services compliant with UMA 2.0.
One of the main changes is related to a new OAuth2 Grant Type introduced
by UMA 2.0 and how it will be used as a replacement for both the
Entitlement and Authorization APIs. In UMA 2.0, there is no Authorization
API anymore, thus it will be removed in future versions of Keycloak.
Regarding the Entitlement API, it will also be removed in favor of the new
grant type, but in this case we are using some extensions to the UMA grant type
to provide the same functionality. One of the objectives of this change in
particular is to have a single endpoint from where permissions can be
Another important change is also related to UMA, where end-users should now be
able to manage their own resources and permissions via the Account
Management Console. Users would be able to access a "Resources" page from
where they can:
* See the resources they own
* Check for pending permission requests (waiting for the owner's approval),
as well as options to grant/deny the request
* Check for all "shared resources" / granted permissions, as well as options
to revoke permissions
* Select a user they want to grant access to a resource and/or scope
Other changes are related to the Policy Enforcer, the Authorization Client
Java API and configuration. For these areas in particular the changes are
minimal, especially regarding policy enforcer configuration.
These changes are targeted at Keycloak v4 and we'll be updating the docs
accordingly, especially on how to migrate to the new version.
I am configuring an OpenShift v3 identity provider on Keycloak using an
Ansible playbook. I have created the identity provider successfully.
After filling in my OpenShift username and password I see an "Unexpected
error when authenticating with identity provider" error from Keycloak. This
is due to the self-signed certificates of the OpenShift development cluster
I am using (using oc cluster up).
I am looking for an option to ignore these errors when in a development
I have read about the 'disable-trust-manager' option, from what I
understand this can be set in development environments to avoid these
errors. However, I am not fully clear on how to use it and how to configure
it. Can this option be set using the REST API?
Any help would be greatly appreciated.
Do we need a development image that builds from master? A Dockerfile that:
- derives from jdk8
- installs the git client
- installs maven
- git clone https://github.com/keycloak/keycloak
- mvn clean install -Pdistro -DskipTests=true
- unzips the distro into /opt/keycloak
We have a couple of teams asking for something like this within Red
Hat as I'm guessing they don't want to deal with running maven
themselves. Does that sort of flow make sense?
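One way to write the image sketched above, as an added example that is not a Dockerfile from the Keycloak project: a multi-stage build so the runtime image carries neither git nor maven, with the clone pinned to a ref passed at build time instead of a moving master. The location of the built distribution zip under distribution/server-dist/target is an assumption about the repository layout at the time.

```dockerfile
# Stage 1: build Keycloak from source (git + maven live only here)
FROM openjdk:8-jdk AS build

RUN apt-get update \
 && apt-get install -y --no-install-recommends git maven unzip \
 && rm -rf /var/lib/apt/lists/*

# Pin the build to a specific ref (tag or commit) instead of a moving
# master; defaults to master for the "latest development" use case.
ARG KEYCLOAK_REF=master
RUN git clone https://github.com/keycloak/keycloak /src \
 && cd /src \
 && git checkout "${KEYCLOAK_REF}"

WORKDIR /src
RUN mvn clean install -Pdistro -DskipTests=true

# Assumption: the distro profile produces the server zip under
# distribution/server-dist/target. Unpack it to a fixed path.
RUN mkdir -p /opt \
 && unzip -q distribution/server-dist/target/keycloak-*.zip -d /opt \
 && mv /opt/keycloak-* /opt/keycloak

# Stage 2: runtime image with only the JRE and the unpacked server
FROM openjdk:8-jre

COPY --from=build /opt/keycloak /opt/keycloak

# Run as an unprivileged user rather than root.
RUN useradd --system --home /opt/keycloak --shell /usr/sbin/nologin keycloak \
 && chown -R keycloak:keycloak /opt/keycloak
USER keycloak

EXPOSE 8080
WORKDIR /opt/keycloak
CMD ["bin/standalone.sh", "-b", "0.0.0.0"]
```

Build with `docker build --build-arg KEYCLOAK_REF=<tag-or-commit> .` to get a reproducible image; omitting the argument builds whatever master is at that moment.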
We're working on upgrading to Keycloak 3.4.3. We hit a weird issue where
it looks like some backwards-compatible code isn't working right in the
client adapter. We found this block, which seems suspect:
It looks like the values for redirectUri and redirectUriParam are actually
backwards. We see the session_state query param in the value of
redirectUri not redirectUriParam, and this causes the next check for the
values being equal to fail.
I noticed that in the new version of keycloak there's a landing page that a
user receives when they're not logged in (I guess?) for a list of actions
to perform. This page doesn't make much sense to me as a user, I just want
to see my action since I only have one to do ever.
I see this commit introduced it
I can't see the linked JIRA ticket (I guess it's secure?). I don't see a
way to turn off this page. Is that on purpose?
We are having an issue where we see some of the entries getting deleted from the user_entity table when we start our Keycloak. After days of debugging we don't know why this is happening. We are planning to buy commercial support for this issue. It looks like only the Red Hat versions of Keycloak have commercial support. We are using open source version 1.9.8. Can someone point me in the right direction on where we can get commercial support for open source versions?
We are using offline tokens for our clients; when we log in initially we give the tag "offline", which gets us refresh and access tokens.
1) We use version 1.9.8 of Keycloak. We have configured our Keycloak realm to revoke refresh tokens, which means refresh tokens are revoked once used for refreshing.
2) We have 2 Keycloak clusters.
3) Our client initially pointed to KC1, which is the old environment.
4) Now the KC1 database and certs are migrated to KC2, our new environment.
5) The client refresh token which it got from the old env works on the new env for some clients, whereas it does not work for others.
6) What we have found is that we initially stop the Keycloak service, migrate data and start it again. Once migration is done, I check that all the tables have the right data, which looks good, but after restart we see that it is syncing the user_entity table with LDAP and 3 of the users are being deleted from user_entity and user_attribute, and hence any tokens associated with these 3 users are being deleted from Offline_client_session and Offline_user_session. At this point I am not clear why it is deleting them even though I see LDAP has them.
Any suggestions or help is greatly appreciated.