Accumulating time skew - JS@2.2.0.Final
by Andy Yar
Hello,
I've recently faced strange issues having an authed user on JS frontend
calling a backend service with bearer token. After a certain number of
requests the backend started to return 401. This lasted only for a short
period of time and then went back to 200, then 401 again and again.
This seemed to me like there was a delta between server time/client time.
However, both systems are synced.
So I've tried to log the JS Keycloak timeSkew attribute. After a few
requests it simply increased itself. After ~40 requests its values rose
from 0, through 2, 5, 8, 15 up to 35 seconds! It has never decreased.
It seems wrong to me, since documentation mentions it should be a simple
delta between client and server time.
Am I doing something really wrong here?
Thanks
8 years, 3 months
Reg impersonation
by Kamal Jagadevan
Hello Keycloak Team, Is there a way to use impersonation feature to view/log into applications (protected by Keycloak) instead of viewing impersonated user’s User Account Management page? If not, is there a plan in road map to support them in future?
Best
Kamal
8 years, 3 months
How to add new custom form for additional user management
by Federico Navarro Polo - Info.nl
Hello,
In my Keycloak configuration, there are a number of custom attributes defined for each user. I would like to offer the possibility to manage these attributes in a form similar to the “account profile” form, not using and modifying the existing account.ftl itself, but creating a new template for that (eg: secondary_account.ftl).
What is the recommended approach to do this?
I would assume I need to create a new SPI, but I am not sure what would be the next steps to configure it and make it work. I think what I need is something in the same direction as the domain-extension example, but it’s not exactly the same, as I want to 1) create a new form and 2) base that form data in the existing domain of the user.
Could someone give some pointers?
Thanks in advance!
8 years, 3 months
Disabling password expiry for one user?
by Sarp Kaya
Hello,
It just seems like it’s only possible to enable password expiry policy for all users or no users. Is it possible to have an exceptional case where one user has no password expiry and other users do have password expiry?
Thanks,
Sarp
8 years, 3 months
remote_user header from IIS proxy not seen by keycloak
by Glenn Campbell
I have a requirement to use Keycloak behind IIS where some sort of SSO
product is already integrated with IIS. Whatever this product is sets the
REMOTE_USER header. It is easy enough to write a custom authenticator for
Keycloak to use the REMOTE_USER header. However, Keycloak's Wildfly server
(or its embedded Undertow) appears to be stripping out the header.
Is there any way to configure Keycloak or its Wildfly to let the
REMOTE_USER header pass through? Or are there any clever workarounds?
Thanks in advance.
Glenn
8 years, 3 months
Lock user within indefinite period of time
by Tin
Hi,
I would like to know if there is a configuration in keycloak 1.3 where a temporarily disabled user will NOT be unlocked automatically. It will depend on the admin whether the user will be unlocked or not.
Thanks!
8 years, 3 months
Fwd: Unable to configure client certificate
by abhishek raghav
Hi Team,
I am facing an issue while I am trying to set Client Authenticator as
'Signed JWT'. I am using Keycloak-admin.jar to do it.
Here I am trying to automate the complete client creation work through a
java program.
ClientAttributeCertificateResource cacr = clientResource.getCertficateResource("jwt.credentials");
byte[] mycert = cacr.generateAndGetKeystore(keyStoreConfig);
Here keyStoreConfig is the config object which contains all the metadata
required to generate the certificate e.g keystore password, format, alias
name etc.
I successfully got the certificate generated and got it as a byte
array, and in the backend it is not configuring for the client.
I am still seeing this:
Even though value for Client Authenticator is set as Signed Jwt and same is
getting updated in keycloak.json (under installation) as well.
Code to set the authenticator is :
client.setClientAuthenticatorType("client-jwt");
Please
*- Best Regards*
Abhishek Raghav
8 years, 3 months
Migrate provider config from Keycloak 2.1.0.Final to 2.2.0.Final
by Thomas Darimont
Hello,
I'm currently trying to migrate our Keycloak configuration from 2.1.0.Final
to 2.2.0.Final.
Since we have some custom extensions deployed as jboss-modules in Keycloak
I need to convert the configuration from "keycloak-server.json" to the
appropriate form in standalone-ha.xml.
I tried to do that via jboss-cli but I seem to miss something... I
currently don't see a way to
do that via the cli and since I currently don't want to fall back to XSLT I
wonder:
Does anyone have a hint for converting the providers configuration from:
keycloak-server.json:
{
    "providers" : [
        "classpath:${jboss.home.dir}/providers/*",
        "module:com.acme.idm.keycloak.idm-keycloak-ext-login-action",
        "module:com.acme.idm.keycloak.jms-forwarding-event-listener"
    ]
...
to:
standalone-ha.xml:
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    <web-context>auth</web-context>
    <providers>
        <provider>classpath:${jboss.home.dir}/providers/*</provider>
        <!-- insert the module references here -->
    </providers>
...
???
Thanks in advance!
Cheers,
Thomas
8 years, 3 months
Error On Https
by Aman Jaiswal
Hi team,
When I try to hit the URL for Keycloak with *Https* it does not load,
but it works fine with Http.
--
Thanks,
Aman Jaiswal
8 years, 3 months