Does refreshing the token extend the session?
by Chris Stephens
We have an angular app and are using the keycloak js adapter. We refresh the token if it expires within 5 seconds. We also refresh the token every 15 minutes. Our users can jump in and out of our angular app. When they come back in, the initialization logic goes to the Keycloak server to make sure they are logged in. What our QA team is telling us is that after 2-3 hours of clicking on the site the user is no longer logged in, but some of the calls with bearer tokens still go through. We need to know if refreshing the token or doing the 'check-sso' extends the session.
Christopher Stephens
8 years, 1 month
Not able to create user if firstName is read-only
by Byte Flinger
I have set up a keycloak with a PostgreSQL db and also included ldap as user
federation. I tried setting the firstName (mapped to cn attribute) to
read-only but I realised that if one does that, you cannot create a user,
trying to add a new user fails.
I expected that setting the attribute read-only meant the user is not able
to change it on the account management page however an admin should be able
to do so (at least when creating the user since that makes for a broken
flow as you have to make it writable before creating a new user and then
back to read-only again every time).
Is this a bug? I have not tested registration but suspect that it won't
work either.
8 years, 1 month
Authorization services are inefficient in Evaluation UI and in Evaluation API.
by Ushanas Shastri
Hello,
We have an instance of KeyCloak, set up with SQL Server as the database.
For authorization, we have about 58 resources, 450 scopes and around 500
scope based permissions.
We face the following issues:
a. In the Evaluation UI in the administration console, all drop downs for
resources, scopes etc. are all populated on page load. In each drop
down, on inspecting the network tab, it appears that for populating drop
downs, the amount of data returned is much more than what the drop downs
need. For e.g. Scopes drop down should contain data only for the 9
scopes, but the service returns all resources and permissions as well, I
think. This makes the page load extremely slow.
b. When we evaluate a permission via API or via the evaluation UI, it
takes several minutes to check permissions for one resource and scope,
which is pretty slow.
c. All Administrative UI pages, such as list of resources, scopes and
permissions get slower as we add more. There isn't any paging on any of
them, and they load all content on page load.
We have tried to replace SQL Server with MongoDB but have not seen any
major improvements.
Is there a way to make evaluation API faster? I believe the administration
UI issues will require code changes. Should I file a JIRA?
Regards, Ushanas.
8 years, 1 month
Creating an user by rest api
by Celso Agra
Hi all,
I'm configuring keycloak to perform some actions with rest api. I'm trying
to create a user using the register action (like register page), but when
I call the rest api:
curl -H "Accept: application/json" -H "Content-Type:application/json" -X POST \
  -d "{'username' : 'bburke', 'enabled': true, 'email' : 'bburke@redhat.com', 'firstName': 'Bill', 'lastName': 'Burke', 'credentials' : [{ 'type' : 'password', 'value' : 'password' } ], 'realmRoles': [ 'user', 'offline_access' ], 'clientRoles': {'account': [ 'manage-account' ] } }" \
  http://localhost:8080/admin/realms/servlet-authz/users
I got a 404 error. Would it be possible to create a user just using the rest
API?
Thank you.
best regards,
Celso Agra.
8 years, 1 month
multiple ldap servers (failover)
by mj
Hi all,
We've just found keycloak, and are evaluating it. It's looking great so
far! We have two questions.
Question one:
We are running three AD DCs, and would like to configure all three in
keycloak, to get failover & redundancy.
To do this, I have simply configured three comma-separated DCs in the
ldap URL field. Keycloak accepted this input, but I'm not sure that all
three will be used...
Is the above the way to provide multiple ldap servers to keycloak?
Question two:
How about backing up keycloak? We are running from an extracted tar.gz.
If we keep backups of this keycloak-directory, is that enough? Does
keycloak need to be shutdown at backup time?
Best regards,
MJ
8 years, 1 month
How to set account management as welcome page
by Byte Flinger
It seems one is expected to put in place some sort of welcome page in
keycloak, the one that is under /auth (Which by default has an admin page
link and few others to the keycloak website).
I'd be pretty happy just setting the account management page as the
default landing welcome page and letting admins go to the admin page
directly if they want to. Is there any way of doing that, making the app
redirect to the account management page if you go to the keycloak app root
address without having a 2 step process where the user first goes to a
welcome page and then clicks a link from there to the account management
page?
8 years, 1 month