Alex is working on https://issues.jboss.org/browse/KEYCLOAK-11293 and
I would like to double-check if we're ok with the requirements
The new account console needs to be built from Maven. The build also
needs to be able to build the RH-SSO version.
There's no way to build the new account console from Maven and that's
a requirement that has an impact on testing and distribution.
- Build the new account console as part of the default distribution
(Keycloak and RHSSO build)
- The Maven build should be based on the steps described in the README
- Have all the artifacts from the new account console in the same
Keycloak/RHSSO server distribution
This Jira can also incorporate
https://issues.jboss.org/browse/KEYCLOAK-5392 if possible, but that's
Comments are welcome, in the same Jira or here.
Google (and probably others, are there any?) keeps insisting on returning
random versions of the documentation when searching.
To improve on this I've made two changes to the documentation:
* Add a version to the top of the documentation, including latest or link
to latest if not the latest
* For the latest version, all cross-links within the documentation now use
/latest/ in the URL, while in the past they had the version in the link
One minor issue is that we need to build the documentation twice when doing
a release, but that's not a big deal, as we need to build the
version/archive build as well as the latest build separately. When building
docs just include the -Platest to build the latest, by default it will
PR for this is here:
This is how it looks:
Do you have any idea if this feature could land in Keycloak?
For us, it could limit *a lot* the number of themes we have to maintain. We have a lot of login pages where app developers want to put links to help pages or other informational notices (or descriptions, logos...), but Keycloak lacks a way to add them per client (except by creating a new theme each time). We played a little with the client description, but it is not really elegant.
I see attributes for clients as a way to better customize Keycloak pages per client (attributes would need to be accessible from templates, obviously).
Recently I had a PR about the option to define additional URL parameters to be passed along with the login URL. It is a requirement in some of our enterprise applications, and currently many of our clients do some kind of hacking to achieve this.
How does the community think about it?
Thanks for the feedback.
I am trying to configure an authentication flow that restricts login to a particular group, but initially, when I overrode the public client authentication flow, we got this error, which indicates the user object was null. Initially the script did a user.hasRole, but now it does isMember. I only had the script as part of the new flow.
09:51:07,319 ERROR [org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator] (default task-15316) org.keycloak.scripting.ScriptExecutionException: Could not execute script 'restrict-public-db-admin' problem was: TypeError: null has no such function "hasRole" in <eval> at line number 31
I then added in these flows which now authenticate me, but the script doesn't even execute now and always gives me a token.
Cookie - Alternative
Identity Provider Redirector - Alternative
Username Password Form - Required
Script - Required
I set up the following:
New role: db-admin. No users have been assigned to this role
New group: db-admin. Assigned db-admin role
I am a member of the group db-admin
New authentication flow: restricted-public
Script: restrict-public-db-admin which only passes authentication when user is a member of the group db-admin
New public client: restricted-public. Authentication Flow Overrides set to restricted-public authentication flow
We have confirmed that -Dkeycloak.profile.feature.scripts is enabled, as per https://www.keycloak.org/docs/7.0/server_admin/#executions
We followed this example https://stackoverflow.com/a/54384513
Are we implementing/using the authorisation flow override incorrectly? How do I restrict a client to users in a group only?
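For reference, here is an added example of a script authenticator that restricts a flow to one group (this is my example, not the poster's script). It assumes the Keycloak 7.x script bindings: Keycloak calls `authenticate(context)` with an `AuthenticationFlowContext`, `context.getUser()` is null until an earlier execution (such as the Username Password Form) has identified the user, `UserModel.getGroups()` returns a `java.util.Set<GroupModel>`, and `GroupModel.getName()` gives the group name. The `Java.type` fallback is a constructed stand-in so the script can be dry-run outside Keycloak.

```javascript
// Added example (not the poster's script): a Keycloak script authenticator that
// only lets members of one group through. Assumes Keycloak 7.x script bindings:
// authenticate(context) receives an AuthenticationFlowContext,
// UserModel.getGroups() returns a java.util.Set<GroupModel>, and
// GroupModel.getName() returns the group name.
var REQUIRED_GROUP = "db-admin";

// Inside Keycloak the Nashorn engine provides Java.type(); outside Keycloak
// (e.g. a dry run under Node) fall back to constructed constants that reuse
// the enum names so the control flow can be exercised offline.
var AuthenticationFlowError = (typeof Java !== "undefined")
    ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
    : { UNKNOWN_USER: "UNKNOWN_USER", INVALID_USER: "INVALID_USER" };

// True when one of the user's groups is named groupName. Iterable.forEach works
// on a Java Set (Nashorn turns the function into a Consumer) and on a JS array,
// so the same helper runs in Keycloak and in a plain JS harness.
function isMemberOf(user, groupName) {
    var found = false;
    user.getGroups().forEach(function (group) {
        if (group.getName() === groupName) { found = true; }
    });
    return found;
}

// Entry point Keycloak invokes. The return value is only for a harness to
// assert on; Keycloak itself acts on what was called on context.
function authenticate(context) {
    var user = context.getUser();
    // No user yet means this execution runs before the user was identified:
    // fail explicitly instead of crashing on a null binding.
    if (user === null || user === undefined) {
        context.failure(AuthenticationFlowError.UNKNOWN_USER);
        return "UNKNOWN_USER";
    }
    if (!isMemberOf(user, REQUIRED_GROUP)) {
        context.failure(AuthenticationFlowError.INVALID_USER);
        return "INVALID_USER";
    }
    context.success();
    return "SUCCESS";
}
```

The Script execution must sit after the execution that identifies the user, otherwise `context.getUser()` is null and the script fails every login.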
I propose we deprecate the WildFly adapter container image. I believe very
few if any use it as it is still stuck on WildFly 15 and no-one has
In general users should modify containers to include adapters, rather than us
providing re-distributed versions of containers.
Specifically, we need to discuss filtering and pagination as it relates
to the "Applications" page:
The current design allows filtering by name and application type.
However, Stian has pointed out that some customers will have thousands
of clients. So this design might be unworkable.
I don't want to go too far into the weeds right now because I want to
understand the problem better first.
What is the use case when customers have many, many clients?
How common is it to have many, many clients for a single user?
What do those clients look like?
What could we use to filter on? The information we currently have on
the client side looks something like what you see here:
This is Yoshiyuki Tabata writing on behalf of Takashi Norimatsu.
I've used Keycloak (4.8.3.Final) in a clustering environment and managed about 500k user sessions for Offline Access. I've encountered the following 2 problems:
(i) Still valid User/Client Sessions for Offline Access are lost, meaning lost from the Infinispan cache (offlineSessions, offlineClientSessions) of every Keycloak node in the cluster.
(ii) Such lost User/Client Sessions for Offline Access are left in the DB forever.
As for (i), it seems reasonable for ordinary SSO UserSessions/ClientSessions. However, it does not seem reasonable for User/Client Sessions for Offline Access persisted in the DB.
As for (ii), the size of unused resources in the DB keeps increasing, which is the problem.
I think such problems occur in the following clustering environments:
(a) Infinispan setting owners=1 for offlineSessions and offlineClientSessions
At least one Keycloak node is down.
The actual case has been reported on https://issues.jboss.org/browse/KEYCLOAK-11829.
(b) # of Keycloak nodes is larger than the value of owners for offlineSessions and offlineClientSessions
A number of Keycloak nodes greater than or equal to the value of owners are down simultaneously.
(c) # of Keycloak nodes is equal to the value of owners for offlineSessions and offlineClientSessions, and the sizes of the offlineSessions and offlineClientSessions caches are bounded.
An active User/Client Session for Offline Access is evicted from the Infinispan cache.
I think the current workaround for these problems is as follows:
* Shut down all Keycloak nodes.
* Reboot one Keycloak node.
By doing so, the rebooted Keycloak node recovers all User/Client Sessions for Offline Access from the DB into the Infinispan cache.
However, as reported on https://issues.jboss.org/browse/KEYCLOAK-11019, downtime tends to be long when a vast number of User/Client Sessions for Offline Access exist in the DB, and that does not seem acceptable.
To get around it, what do you think about the following idea?
* If a User/Client Session for Offline Access is looked up in the Infinispan cache and not found, try to look it up in the DB.
I know this seems to increase disk access, so that point needs to be considered.
Yoshiyuki Tabata (On behalf of Takashi Norimatsu)