October 2019 - keycloak-dev - Jboss List Archives

by Jon Koops

Hi all, I've created some pull requests and tasks for moving towards standardized Promises instead of Keycloak's own custom implementation in order to start a discussion about how to move forward. There has already been some discussion about plans to migrate away from the current situation in KEYCLOAK-9346 <https://issues.jboss.org/browse/KEYCLOAK-9346>. I believe the first order of business to start migrating towards a better place would be to start informing Keycloak's users about the change. In order to do so I propose to make the following changes: 1. The documentation of the JavaScript Adapter should reflect the preference of using the native promises. We can accomplish this by updating the examples used and providing additional documentation of the promiseType field. 2. Users that are currently using Keycloak should be informed that standardized promises are preferred and that they should move away from the current implementation. In order to do so a deprecation warning should be logged in the console with instructions on how to migrate their existing code. I've created the following issues and pull requests for this: *Updates to the documentation preferring promiseType native* - https://github.com/keycloak/keycloak-documentation/pull/742 - https://issues.jboss.org/browse/KEYCLOAK-11436 *Updates to the adapter to inform users of the deprecation* - https://github.com/keycloak/keycloak/pull/6318 - https://issues.jboss.org/browse/KEYCLOAK-11435 Furthermore I would like to start a discussion on these changes and how to move forward after. Feedback on this is greatly appreciated! Regards, Jon

4 years, 6 months

4
11
0 / 0

Password Reset FTL Template

by Stuart

Hi All, I'm looking to extend the Password Reset code so I can include a setting for choosing the FTL template to use during the authentication flow. I've managed to do it with the Choose User provider by calling createForm if a template is set.. String ftl_template = getConfigString(config, CONF_FTL_TEMPATE_NAME, null); if (ftl_template == null) { Response challenge = context.form().createPasswordReset(); context.challenge(challenge); } else { Response challenge = context.form().createForm(ftl_template); context.challenge(challenge); } However, I can't find/work out where the Password Reset provider sets the form for the challenge. It seems the authenticate method just sets context.success() after setting the 'required action' in the authenticationSessison... Can anybody point me in the right direction? Thanks, Stuart

4 years, 6 months

2
1
0 / 0

Proposal for new hostname provider, supporting different front/back channel URLs for adapters (and third-party libraries)

by Stian Thorgersen

See https://github.com/keycloak/keycloak-community/blob/master/design/hostnam... for a proposal of a solution that would make it easier to configure Keycloak as well as add support for different front/back channel URLs both for Keycloak adapters and third-party libraries.

4 years, 6 months

2
3
0 / 0

FW: Regarding Keycloak master realm

by Vaibhav M

Hi team, After changing Theme to base on the keycloak admin login(master realm), we cannot able to access the keycloak for master realm. Please help. [cid:image003.jpg@01D57A11.E52D94A0]

4 years, 6 months

2
1
0 / 0

Reminder - this list is purely for Keycloak development discussions

by Stian Thorgersen

The keycloak-dev mailing list is purely for discussing design and implementation of new features and enhancements to Keycloak. For questions and help with using Keycloak please use the user mailing list. This also applies if you are extending Keycloak with custom providers or themes. Unless you are participating with input on new features or are planning to contribute to Keycloak you should most likely not post to the keycloak-dev mailing list, but rather use keycloak-user mailing list. I encourage the wider community to help others out, but ask that you do not answer emails sent to keycloak-dev that should have been sent to keycloak-user.

4 years, 6 months

1
0
0 / 0

Getting User Details from a Token (Node.js Adapter)

by Evan Shortiss

Hey folks, Does the Node.js module have documented features for accessing token properties? My particular use case is that I'd like to retrieve the user's username. I can access it via *req.kauth.grant.access_token.content.preferred_username* but it feels like this is an interface that could be changed since it's not documented AFAICT. Is there a recommended approach for doing this? Is there any plan to add features such as *req.kauth.getTokenContent()* or similar? Thanks -- Evan Shortiss Technical Marketing Manager Red Hat NA <https://www.redhat.com/> Los Angeles evan.shortiss(a)redhat.com M: +1-781-354-2834 IM: evanshortiss <https://www.redhat.com/>

4 years, 6 months

2
1
0 / 0

Override Refresh token lifespan per client

by 田畑義之 / TABATA，YOSHIYUKI

Hello, In cloud-native application systems, there are various client applications and those applications are not the same level (i.e. security level, alliance level, development level). And generally, a realm manager or a resource server manager wants to set a different timeout to tokens (access token/refresh token) per client. For example, for a client which wants to minimize authentication considering usability, we set the timeout of a refresh token longer enough. For a client which wants to refresh tokens periodically to mitigate the token interception attack, we set the timeout of a refresh token according to the client requirement. Currently, the timeout of an access token can be overridden per client. However, the timeout of a refresh token (including offline token) cannot be overridden per client. We'd like to be able to override the timeout of a refresh token (including offline token) per client. We'd already tried to implement this just like access token lifespan overriding, and create JIRA ticket and PR, but Stian recommended that we should discuss this use case and how to implement in ML, so I opened this thread. For single sign-on purpose, it is useful to share sessions among clients in a realm. However, when we implement this, sessions are no longer shared among clients depending on the settings. And this is useful for API management purpose because, for API management purpose, tokens (= sessions) are associated with each client, and should be managed per client. What do you think about this feature? I would be very happy if you community gives any kind of comment on that. JIRA ticket is the following. https://issues.jboss.org/browse/KEYCLOAK-10907 PR is the following. https://github.com/keycloak/keycloak/pull/6309 Regards, Yoshiyuki Tabata Hitachi, Ltd.

4 years, 6 months

4
10
0 / 0

Using export and import for backup and restore

by Sebastian Laskawiec

Hey, In the next few days we'll be looking into implementing backup and restore functionality for the Keycloak Operator. One of the options we are considering, is using an export/import functionality. An Operator could export all realms into a JSON file and put it somewhere in a Persistent Volume. I was wondering, what do you think about this approach? Are there any guarantees around export/import functionality (especially with the regards to its format)? Also, would it work for exporting JSON file from Keycloak and importing it to RHSSO? Thanks, Sebastian

4 years, 6 months

4
7
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev October 2019