Rest api - missing group info and non-individual attributes in the response
by Dirk Franssen
Hi all,
I have defined several groups in Keycloak 3.0.0.Final with some users and
via the java library I make rest calls to retrieve the list of users via
realmResource.users().search(), but the response does not contain the
groups info (UserRepresentation.getGroups() is null)?
So I added a client mapper of type Group Membership with claim name
myGroups (add to ID token, access token and userinfo). After a login into
the application I do have an otherClaims of myGroups with the groupnames
the user belongs to. But the rest call response does not contain the info (
UserRepresentation.getAttributes() is null)
Also the group attributes (with a new mapper) do not appear in the response
of the rest call. It seems that only individual user attributes are
returned in the rest call response? Is this by design?
I know there is the possibility to extend the rest api via a custom
provider, but this seems cumbersome to just know to which group the user
belongs to...
Currently I query for each group the members separately via
realmResource.groups().group(groupid).members(). This is kind of ok as
there are currently only 4 groups.
Kind regards,
Dirk Franssen
7 years, 6 months
Can we forbid mail change?
by Marc Tempelmeier
Hi,
Subject says it all, but can we forbid that a user can change its mail?
Best regards
Marc
7 years, 6 months
decouple Keycloak from Active Directory
by Adrian Matei
Hi guys,
We've made the initial mistake to store our users in Active Directory.
After the number of Keycloak-AD issues increased significantly, we are
considering using just Keycloak DB to store the users.
Is there a way to migrate the users from AD to Keycloak, without forcing
them to update their passwords? If I remove the User-Federation AD Provider
all users are gone...
Thanks,
Adrian
7 years, 6 months
Tomcat fails to start if client in keycloak configured as bearer only
by Yevgeni Kovelman
Tomcat 7.0.77
Keycloak libs in the lib folder
I have a client configured as
openid-connect
Confidential
All good, as soon as I switch to Bearer only, restart Tomcat
There is a failure
Httpresponseexception: unexpected response from server 400/bad request.
Any ideas?
Thanks
7 years, 6 months
Custom logout using Java servlet adaptor
by Prapti Mittal
Dear Keycloak Community,
Do we have any mechanism for post logout activity on Client application
using java servlet adaptor of Keycloak IDP?
https://stackoverflow.com/q/44407928/2604398
Two possible solutions that I can think of are below, but neither is very
maintainable.
1. We can modify the servlet filter to notify the logout event to the event
listeners and then add the event listeners for the custom code.
2. Define another custom filter for the logout callback path and then use
filter chain to call the Keycloak java servlet filter.
Please suggest the right way to go about it.
Regards,
Prapti Mittal
7 years, 6 months
PHP library
by Cortes, Juan
Hello all,
Does anybody know of a php library that will work with keycloak's openId
connect?
Am currently trying OpenIDConnectClient.php and I keep on getting a "Code
not valid" exception.
Thank you
7 years, 6 months
Client Mapper multiple value
by Denny Israel
Hi,
I specified a user attribute mapper for a client and set Multivalued to
true. The values I want to map are attributes specified in groups. The idea
is to collect the attributes with the same name in all groups and make them
available as a list in the tokens.
When I use the mapper I can see a value of one group but not the values of
other groups. When the mapper does not collect the attributes from all
groups, what is the purpose of the multivalued flag? I cannot specify more
than one attribute with the same name in the user or in one group, so I
never see multiple values.
Thanks
Best regards
Denny
7 years, 6 months
KeyCloak behind reverse proxy - hostname incorrect
by jim-keycloak@spudsoft.co.uk
Hi,
We are trying to use KeyCloak behind a reverse proxy.
There are lots of discussions about doing this online, but they are all
concerned about getting the protocol correct - which we are not having a
problem with.
Our problem is that the reverse proxy has a completely different name
from the KeyCloak host and this seems to be confusing KeyCloak.
Our reverse proxy ("external") is on https and our KeyCloak server
("internal") is on http.
There are two examples that we have seen of this:
1. In the UI templates the url.loginAction variable is https://internal
2. In JWTs generated by KeyCloak the iss is https://internal
This seems to be resulting in all tokens being refused by
introspection.
Our reverse proxy is adding both X-Forwarded-Proto and
X-Forwarded-Server headers (we can change these easily).
It would be acceptable for us if KeyCloak were only accessible via the
reverse proxy.
We are using KeyCloak 3.0.0.FINAL.
How can we get this working?
Thanks
Jim
7 years, 6 months
Keycloak support for Infinispan 9.x
by Vikrant Singh
Hi,
Is there any plan to upgrade keycloak's Infinispan to latest 9.x version,
if yes what is the timeline we are looking at? Current keycloak still uses
old 8.1.x version of Infinispan.
There are a few new features of Infinispan which I would like to use. Is
there any risk if I change Infinispan version in current Keycloak to 9.x?
Thanks,
Vikrant
7 years, 6 months