I am currently looking at improvements in the Content Security Policy
In our deployment, we have security requirements stating that a CSP
header should be used and inline scripts, styles and resources should
be blocked. For example by setting a CSP value like default-src
Such a policy breaks Keycloak's manipulation of the browser history
implemented in the BrowserHistoryHelper, since the
The simplest workaround is to also inject a nonce value or SHA hash of
the script to the existing CSP header.
However, while implementing this, I found that a CSP nonce in general
would be nice to have available in any template context. This will
also make it easier to migrate the default Keycloak theme to support
stricter security policies.
An example implementation can be found here:
Would you be interested in merging a change like the one above? If
not, what is your view on how to allow stricter content security
Tests and documentation are currently missing, but I will add both if
this is something you would consider merging.
As a note, I have also done some work on supporting a strict CSP value
for the default theme. But there are some issues with included 3rd
party scripts which must/should be resolved. Let me know if you want
more details regarding this.
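To make the nonce/hash workaround described above concrete, here is an added example (not the author's patch and not Keycloak code) that computes the CSP hash source for an inline script, generates a per-response nonce, appends either to the script-src directive of an existing header, and checks whether a browser would then execute the inline script. The sample script body and the header values are constructed for illustration.

```python
import base64
import hashlib
import secrets

# Constructed sample: the kind of inline history-manipulation script a strict CSP blocks.
SAMPLE_INLINE_SCRIPT = 'history.replaceState({}, "", "/auth/realms/demo/account");'


def csp_script_hash(script_body: str, algo: str = "sha256") -> str:
    """Source expression like 'sha256-<base64>' for one inline script.
    The digest covers the exact script text (whitespace included), UTF-8 encoded."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def new_csp_nonce(num_bytes: int = 16) -> str:
    """Fresh per-response nonce: at least 128 random bits, base64 encoded."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def script_src_sources(header: str) -> list:
    """Effective script-src source list; falls back to default-src as browsers do."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))


def with_inline_sources(header: str, *sources: str) -> str:
    """Append nonce/hash expressions to script-src, creating it from default-src if absent."""
    directives = [d.strip() for d in header.split(";") if d.strip()]
    if not any(d.split()[0].lower() == "script-src" for d in directives):
        directives.append(" ".join(["script-src"] + script_src_sources(header)))
    return "; ".join(
        " ".join(d.split() + list(sources)) if d.split()[0].lower() == "script-src" else d
        for d in directives
    )


def inline_script_allowed(header: str, script_body: str, nonce_attr: str = None) -> bool:
    """Would a browser run this inline script? A matching nonce or hash allows it;
    'unsafe-inline' is ignored as soon as the directive carries any nonce or hash."""
    sources = script_src_sources(header)
    if nonce_attr is not None and f"'nonce-{nonce_attr}'" in sources:
        return True
    for algo in ("sha256", "sha384", "sha512"):
        if csp_script_hash(script_body, algo) in sources:
            return True
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash
```

Note that the hash approach only works while the inline script text is byte-for-byte stable, so a template that interpolates values into the script needs the nonce variant instead.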
We have a use case where we would like to store additional meta-information for roles. This comes from our IAM requirements, which say that there is a single responsible person for a role or that roles give access to data with different classifications. One way to store this kind of information would be to introduce role attributes to client and realm roles, basically similar to user or group attributes.
For us, it would be sufficient to have this information purely as metadata, i.e. we would only read it through the audit log to inform the responsible person about role assignments if a role with a certain classification is assigned. In contrast to that, you can add group and user attributes to a token using user attribute mappers and the client application can extract this information from the token and act on it.
WDYT? Does anybody else have similar requirements? Would you need role custom attributes also in the token? I can imagine that it gets kind of difficult to identify where attributes come from, once there are user, group, and role attributes, possibly with inheritance/composition.
Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management: Dr. Stefan Ferber, Michael Hahn
In a customer project we use Keycloak and need a SCIM (System for
Cross-domain Identity Management) API.
Currently we write a wrapper API and a custom endpoint providing the SCIM
functionality. We wrote an extension of the UserEntity, UserModel and an
extension of the JpaUserProvider.
This strategy seems not ideal and the nicest way is to add these extensions
to Keycloak. This is already suggested in
Is anybody out there who can guide me, what coding would be necessary to
contribute the SCIM functionality?
Currently I think we have to:
- extend the UserEntity with all SCIM attributes. This will result
in additional tables/entities for complex attributes e.g. Address, Name,
- extend the UserModel to provide the additional attributes
- implement the new SCIM endpoint /Users
- make the additional attributes available via Admin REST API
- extend views to be able to edit SCIM user attributes using the
- All the above again for the Groups endpoint
These also seem to be major changes, too big for one pull request. How would you
like to handle this?
Hello Keycloak team,
has anyone encountered some performance issues after upgrading 3.4.3 to 4.x
Today I noticed a performance regression while preparing an upgrade
from Keycloak 3.4.3.Final to 4.3.0.Final in our staging environment.
In our test environment, we have around ~100k test users stored in a
postgres-backed database. When we started the server with the new Keycloak
version, the migration went through, and everything looked fine at first,
but when we tried to browse the list of users via the admin-console, we
noticed that the CPU and memory consumption of the server increased
significantly, up to a point where Keycloak crashed with an OOME.
All previous Keycloak versions including 3.4.3 were very modest with their
memory requirements and quite happy with ~1g heap.
However, that seems to have changed in Keycloak 4.3.0 - there we needed at
least 4g to prevent Keycloak from crashing with an OOME.
Furthermore, we noticed that the response times for browsing the paginated
user view increased significantly as well:
In Keycloak 3.4.3 the average time to load a user page is ~80ms. In
Keycloak 4.3.0 (and older versions >= 4.0.0.Beta1) the same operation takes
~7 seconds for a test realm with just 10k users.
In the test realm with 100k users, the time to load a single page in the
users listing was 66 seconds for version 4.3.0, on average - compared to
quite stable 80ms in 3.4.3.
The database query that is executed by Keycloak 4.3.0 runs in ~1.5 seconds
for 100k users, so I assume the processing logic in Keycloak is the culprit.
The problem of long load-times can be reproduced with the Keycloak docker
images and the in-memory database. I also created a small example project
that creates some users with just a few attributes in a docker based 3.4.3
and 4.3.0 Keycloak environment with a Postgres database to reproduce the
We are running Keycloak 3.4, and we noticed that for some SAML clients, we get an HTTP 405 error.
This happens for example with clients having a local login and a button to log in with SSO. For example, AppDynamics does that (to name only that one). They perform a POST request to the Keycloak SAML endpoint of the configured client, leading to an HTTP 405 error.
The fact that they perform a POST to load the Keycloak login page is discussable, but how can this behaviour be countered on the Keycloak client's configuration side?
Thank you in advance for your guidance.
As part of my Keycloak implementation, I would like to offer user self service, e.g. change password.
I do not wish to theme the built-in user account dashboard, but instead build the functionality directly into our website.
We are already using the Admin API for user administration, but as I understand it, it would not be appropriate to use this for actions which are actually being carried out by the end user. The auditing would be incorrect, and certain functionality is unavailable anyway - for example, whilst we could set a new user password via the Admin API, we would have no way of verifying that the existing user password is correct (we want the user to provide existing and new, as per the user account dashboard).
As such, is the correct approach to this for us to extend Keycloak with a set of custom REST endpoints to be called by an end user rather than an admin? They will be authenticated at this point, so we will be able to pass down their access token for the authentication.
If so, I assume I should be following the instructions under "Add custom REST endpoints" detailed at the following URL?
Extending Server | Keycloak Documentation: https://www.keycloak.org/docs/3.0/server_development/topics/extensions.html
This is a very powerful extension, which allows you to deploy your own REST endpoints to the Keycloak server. It enables all kinds of extensions, for example the possibility to trigger functionality on the Keycloak server, which is not available through the default set of built-in Keycloak REST endpoints.
As part of KEYCLOAK-7416 <https://issues.jboss.org/browse/KEYCLOAK-7416> I need to gather information about the device for each session. We are aiming to produce this page: P55-Device-Activity-3 <https://redhat.invisionapp.com/share/3JFODIWB2MR#/screens/274677542>. However, this requires more data about the client device than is carried in a user-agent header such as this: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7".
I’m thinking we will probably need to use a digital fingerprint library, probably executed on the client. Does anyone have a recommendation of a good library? Or have a better suggestion?
Thanks again for maintaining Keycloak.
I have a question:
- We are running Keycloak 3.4.
- We set up a Keycloak standalone HA cluster (3 nodes).
- We also connected those nodes to an Infinispan cluster.
All is running fine. However the trouble comes when we want to update the Keycloak Nodes.
Updates can be either on themes or modules.
We update for example a module, e.g a new user federation SPI, with Ansible.
Then we restart the Keycloak nodes one after another. The restart is required so that a Keycloak node can register the new module.
All is correct except that users need to login again after the reload has been performed.
Is it something we can prevent from happening? It is a strange behaviour, since we rely on Infinispan for the session cache...
Is there another local cache to be configured in Infinispan to avoid users having to log in again after restarting Keycloak?
It would be very helpful if you could give us a direction to investigate as rolling out several updates per day would lead to several re-logins from a user perspective.
We import some data to Keycloak programmatically using the Java admin client. Thereby, we experience some problems. Some of the functions we call do not return to the caller. Tracking down an example brought us to the RolePoliciesResource class, which we use in version 4.3.0.Final (same as our Keycloak deployment).
In a simple scenario we simply tried to create 100 policies and find them afterwards using the two provided functions (create and findByName). This works perfectly fine for exactly 50 policies and then you don't get a return with the 50th call (starting from 0).
Has anybody experienced issues with running into loops using the java admin client or knows a resolution to this problem?
Best regards
Tel. +49 30 726112-284 | Mobile +49 1520 9198324