using the same master client to manage multiple realms
by Gideon Caranzo
Hi All,
I'd like to propose a feature wherein you can assign the same master client
to manage multiple realms.
Right now we are using composite roles for some api client credentials. The
issue we have is that if we need to assign or remove roles, we need to
update all realm clients. Also, if we add a new realm, we also need to update
our composite roles and assign roles needed for the realm client.
So basically, in our case, we just need one client since all the realm
clients will have exactly the same assigned roles.
This will also improve performance if you have a large number of realms since
you won't have a scenario wherein one composite role ends up loading all
roles for each realm client.
This can be implemented by having an option to specify the master client
when creating a realm. If a master client is specified, it will be created
or reused if it already exists.
Since this is only an option, the existing behavior will still be there
(create a master client for the realm).
I've created a proof of concept and got it working. I think this should be
feasible.
Let me know what you think. I'll be happy to submit a PR for this. Thanks.
Best regards,
Gideon
6 years, 2 months
Can not unstage/stash vertical-nav.component.ts
by Karol Buler
Hello guys,
I have a git problem with this file:
themes/src/main/resources/theme/keycloak-preview/account/resources/app/vertical-nav/vertical-nav.component.ts
I can't unstage or stash it. Very weird, but I can't even change the branch locally. Any ideas? Someone had the same problem?
BR, Karol
6 years, 2 months
Keycloak realm certificates be passed to Knox?
by Jamie McDowell
Hi,
I am trying to find a way to be able to retrieve a realm certificate which can then be passed to Knox. When a realm is deployed, it generates a new public key, therefore any Knox Configuration would have to be updated with new corresponding certificates.
Knox is used to decrypt signed JWTs.
Is this something that can be achieved?
Thanks
Jamie
6 years, 2 months
Make user account tabs configurable?
by Craig Setera
I asked over in the users list if this was possible and I was pointed to
creating a custom theme. However, this strikes me as something that others
might want to be able to do. Would this be something of interest as a PR
if I were able to put something together? I can't say whether I'm actually
in a position to do that or not, but before I even try it seemed worth
asking whether it was of interest. If there is interest, does anyone have
any suggestions on how they would want this to be built? Conceptually, it
would be nice to have switches somewhere in the realm configuration
administrative UI that can turn those tabs on/off.
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
6 years, 2 months
Re: [keycloak-dev] Column Sorting
by KevinO
Question about the API for ordering resources. There are a couple of
different ways that ordering can be handled.
Option 1
auth/admin/realms/external/groups?first=20&max=20&search=test&sort_by=+group
auth/admin/realms/external/groups?first=20&max=20&search=test&sort_by=-group
Option 2
auth/admin/realms/external/groups?first=20&max=20&search=test&sort_by=group:asc
auth/admin/realms/external/groups?first=20&max=20&search=test&sort_by=group:desc
Option 3
auth/admin/realms/external/groups?first=20&max=20&search=test&sort_by=group&order_by=asc
auth/admin/realms/external/groups?first=20&max=20&search=test&sort_by=group&order_by=desc
I don't think multi-column sorting is necessary, so I skipped that option.
Let me know if I missed an example of sorting that has defined how to do
sorting or if there is an alternative to the three options I've given.
Kevin
On Wed, Oct 3, 2018 at 11:04 AM KevinO <oneal.kevin(a)gmail.com> wrote:
> I 100% agree with pagination on the server side. I'd like to start with
> the Groups page. I'm assuming the API will have to change. I'll use the
> Users page as a template.
>
> On Wed, Oct 3, 2018 at 9:38 AM Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> Not 100% sure what the current status is. Some are paginated server-side,
>> some on client-side, some are missing pagination. Users are paginated on
>> server side for sure.
>>
>> For a large portion of tables though pagination has to be done on server
>> side (users, clients, roles, groups, etc. can all have large number of
>> entries). With that in mind I think to keep things consistent we should do
>> pagination and sorting on the server side for everything.
>>
>> On Wed, 3 Oct 2018 at 15:57, KevinO <oneal.kevin(a)gmail.com> wrote:
>>
>>> Stian, could you point me to a table that currently has server side
>>> pagination? And is there currently an effort to make all tables have
>>> server-side pagination?
>>>
>>> On Mon, Oct 1, 2018 at 8:05 PM KevinO <oneal.kevin(a)gmail.com> wrote:
>>>
>>> > Is there any opposition to me adding column sorting? There is the
>>> > ticket for it:
>>> > https://issues.jboss.org/browse/KEYCLOAK-4676
>>> >
>>> > I've tested a solution that uses standard angular ordering. I don't
>>> > want to update all the tables if this is a feature that is not wanted.
>>> >
>>> > Here is what one option of sorting would look like using Font-Awesome's
>>> > chevron as the clickable item.
>>> > [image: image.png]
>>> > [image: image.png]
>>> >
6 years, 2 months
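Added example, not part of the thread and not Keycloak code: a server-side parser that accepts all three `sort_by` syntaxes proposed above and only ever returns a column from a fixed allowlist, since a sort column cannot be bound as a query parameter. The `SORTABLE` mapping and its column name are hypothetical.

```python
from urllib.parse import parse_qs

# Hypothetical allowlist: API field name -> fixed column name. A value outside
# these maps is rejected and never reaches the ORDER BY clause.
SORTABLE = {"group": "name"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def parse_sort(query: str):
    """Return (column, direction) for any of the three proposed syntaxes.

    Raises ValueError on unknown fields, unknown directions or repeated params.
    """
    params = parse_qs(query, keep_blank_values=True)
    sort_values = params.get("sort_by", [])
    order_values = params.get("order_by", [])
    if len(sort_values) != 1 or len(order_values) > 1:
        raise ValueError("exactly one sort_by and at most one order_by expected")
    raw = sort_values[0]
    direction = "asc"
    if order_values:                      # Option 3: sort_by=group&order_by=desc
        field, direction = raw, order_values[0]
    elif ":" in raw:                      # Option 2: sort_by=group:desc
        field, direction = raw.split(":", 1)
    elif raw[:1] in ("+", " ", "-"):      # Option 1: sort_by=-group
        # A literal "+" in a query string is form-decoded to a space, so an
        # unencoded "+group" arrives as " group"; "%2Bgroup" arrives as "+group".
        field, direction = raw[1:], "desc" if raw[0] == "-" else "asc"
    else:
        field = raw
    if field not in SORTABLE or direction not in DIRECTIONS:
        raise ValueError("unsupported sort field or direction")
    return SORTABLE[field], DIRECTIONS[direction]
```

With Option 1, clients have to send `%2B` for ascending order, or the server has to treat a leading space as `+`, as this parser does.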
Problem with login using Keycloak + Spring Security Adapter in Multi Tenancy mode
by Mattia Bello
Hello,
I am using Keycloak with the Keycloak Spring Security adapter and a multi-tenancy configuration.
I need to manage the following use case:
I want to use only a single login page where the user must enter the realm, username and password.
I can't use the standard Keycloak login page because Keycloak needs to know the realm before showing the relative login page.
How can I do that?
Is there a way to pass these three fields to Keycloak in a single form?
Thanks to all.
Mattia Bello
Developer
6 years, 2 months
large number of realms causing slow api calls
by Gideon Caranzo
Hi,
I'm encountering slow API calls after reaching 1700 realms. I profiled it
and found that role checking is causing the issue, particularly
*KeycloakModelUtils.searchFor(RoleModel role, RoleModel composite, Set<String> visited)*.
I'm using a user with the "admin" role to call the get realm API. And since I have
1700 realms, the "admin" role now has about 30K composite roles under it. The
line below from KeycloakModelUtils.searchFor() will load all 30K composite
roles, causing the slowdown.
*Set<RoleModel> compositeRoles = composite.getComposites();*
Is there a way to avoid this issue? Or is it possible to fix the code such
that it will do a database query instead of searching in memory to check if
the role exists?
Best regards,
Gideon
6 years, 2 months
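Added example, not part of the message and not Keycloak code: a small SQLite model of the two approaches contrasted above, counting how many role rows an in-memory search pulls into the application against a membership query that returns only a yes/no answer. The `composite_role` table, the role names and the figure of 18 roles per realm are constructed assumptions.

```python
import sqlite3


def build_db(realms: int, roles_per_realm: int) -> sqlite3.Connection:
    """Constructed data: one 'admin' composite holding every realm client role."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE composite_role (composite TEXT, child TEXT)")
    db.execute("CREATE INDEX idx_composite ON composite_role (composite, child)")
    rows = [("admin", f"realm{r}-realm/role{i}")
            for r in range(realms) for i in range(roles_per_realm)]
    db.executemany("INSERT INTO composite_role VALUES (?, ?)", rows)
    return db


def search_in_memory(db, composite, role):
    """Model of an in-memory search: load all children of each composite visited.

    Returns (found, number_of_role_rows_loaded).
    """
    visited, stack, loaded = set(), [composite], 0
    while stack:
        current = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        children = [c for (c,) in db.execute(
            "SELECT child FROM composite_role WHERE composite = ?", (current,))]
        loaded += len(children)
        if role in children:
            return True, loaded
        stack.extend(children)
    return False, loaded


def search_in_db(db, composite, role):
    """Let the database walk the hierarchy; only one row comes back."""
    row = db.execute("""
        WITH RECURSIVE reachable(id) AS (
            SELECT child FROM composite_role WHERE composite = ?
            UNION
            SELECT cr.child FROM composite_role cr
            JOIN reachable r ON cr.composite = r.id
        )
        SELECT 1 FROM reachable WHERE id = ? LIMIT 1""", (composite, role)).fetchone()
    return row is not None
```

`build_db(1700, 18)` gives 30,600 children under `admin`, close to the figure in the message; `UNION` rather than `UNION ALL` keeps the recursive query from looping if composites reference each other.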
Which part of keycloak code is responsible for processing standalone.xml ?
by Lukasz Lech
Hello,
Could you please point me in the right direction?
I'm trying to find out why the providers map in DefaultKeycloakSessionFactory doesn't contain a value for a provider after I provide my own implementation. I have a configuration that works as expected in the standalone desktop version, but doesn't work inside Docker.
My research led me to org.keycloak.Config.getProvider(), so I've checked out the whole Keycloak source to find out who is calling init() (I expect that is where the parsed standalone.xml lands), but I've found only org.keycloak.services.resources.KeycloakApplication, which is, I guess, not used in standalone mode?
Where should I start my research? Does https://github.com/keycloak/keycloak contain all relevant sources, or do I need to check out more?
Best regards,
Lukasz Lech
6 years, 2 months
Confusion about standalone.xml in docker image jboss/keycloak.4.5.0.Final
by Lukasz Lech
Hello,
I'm finally confused about docker image jboss/keycloak.4.5.0.Final and config files there.
I've applied changes to /opt/jboss/keycloak/standalone/configuration/standalone.xml but they've taken no effect. I've checked that the server starts in standalone mode, positive. After many tries I've made a mad step, deleting that configuration file (in my Dockerfile, not in the running container!).
To my full surprise the keycloak started without any warning.
What is the purpose of that configuration file, then? If that file is not used, what configuration file is used? I can delete standalone_ha.xml as well as the whole /opt/jboss/keycloak/domain/configuration, it doesn't disturb the server in any way.
Best regards,
Lukasz Lech
6 years, 2 months
Duplicated code in client-registration-cli and admin-cli
by Sebastian Laskawiec
Hey guys,
I just noticed that both modules mentioned in the subject contain lots of
duplicated code. Since both modules are pretty similar (from the code point
of view), maybe we should collapse them into one?
Thanks,
Sebastian
6 years, 2 months