Shared datastore?
by Nicolas Ocquidant
Hi,
According to Infinispan, when passivation is disabled, every update to the cache should always write to the store.
But I can't manage to get it to work with Keycloak. If I disable passivation, my SQL store (Postgres) stays empty, even if the cache is full.
So, if passivation is needed for Keycloak to write to the DB, it means that the use of a shared DB is not possible...
But this leads to another issue for me. Enabling passivation without a shared DB seems to imply that either 'fetch-state' or 'purge' should be enabled on startup, in order for the cache to not contain stale entries:
15:27:44,626 WARN [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC service thread 1-6) ISPN000149: Fetch persistent state and purge on startup are both disabled, cache may contain stale entries on startup
As I need to keep millions of sessions, this will considerably slow down the startup of my node (when started again after a crash, for instance).
So, is a shared datastore allowed in Keycloak? If yes, how do I enable it?
Otherwise, what other options do I have to improve my startup time if millions of sessions are in the store?
Thanks
--nick
6 years, 1 month
Realm resolution based on username (email address)
by Pedro Pedro
Hi.
I'm working on a multi-tenant project where usernames are actually their email addresses and the domain of the email serves as a tenant identifier.
Now in Keycloak I'll have different realms per tenant, but I want to have a single login page for all tenants and the actual realm that will do the authentication to be somehow resolved by the username (email address).
How do I go about doing that?
Best regards, Pedro.
6 years, 1 month
Multitenant login with Keycloak OpenID Connect providers
by Marian Petrik
Dear Keycloak team,
I have a multitenant Keycloak setup with dedicated tenant realms. The goal is to have a single login page and pick the target realm automatically based on the domain in the user's email. Can this be achieved in Keycloak?
My idea is to create an extra LOGIN realm with a Keycloak OIDC provider for each tenant realm. The client would only use this single LOGIN realm. The issue is how to get rid of the realm selection and implement a custom authentication flow. Is this the right way to do this?
Kind regards,
Marian Petrik
6 years, 1 month
Filter group claim in token per client
by Ronald Demneri
Hello everyone,
Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD)? Let's say that user Ronald is a member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to the client1 app, I want to customize the group claim so that it contains only the respective group_client1 value.
Thanks in advance,
Ronald
6 years, 1 month
Update user attributes on login
by Oliver-Rainer Wittmann
Hi,
I have a running Keycloak with a custom identity provider (a corresponding implementation of AbstractOAuth2IdentityProvider).
On registration of a user, certain user attributes are stored and mapped into the token.
Now, I want to update these user attributes on subsequent logins.
How do I do this?
Unfortunately, I did not find a corresponding hint in the documentation.
Thanks in advance for your support.
Best regards, Oliver
6 years, 1 month
User registration
by So Be
I want to enable user registration. It works fine, but after successful registration (email confirmation, etc.), the new user is first redirected to "account management" and not directly to the client (in my case JupyterHub).
Is there a way to avoid users getting the account management page?
Best,
Sofiane.
6 years, 1 month
UMA fine grained management in the client itself
by Pierre Nowak
Hello,
I have difficulties finding the best way of protecting resources using Authorization Services or UMA.
Here is the problem:
user1 creates resource/item/id1
user2 creates resource/item/id2
I want to be able in my nodejs confidential client to:
1. list users that have access to a specific item (e.g. item/id1)
2. list all resources a user has access to (not only the ones he has, but also the ones other users shared with him)
3. permit a user to access a resource
4. remove the access of a user to a resource
I saw in the photoz UMA example a nice UI directly in Keycloak. I would like to reproduce this tab directly in my client by calling Keycloak APIs. The reason is that the tab in the account page doesn't give enough functionality, for example if I want to join some detail about the resources that would only be available in my resource server.
I saw the resource set API and a node package (https://github.com/proficonf/keycloak-authz) that tries to manage the resources only, but I can't find APIs that directly handle the 4 steps I just mentioned.
Thanks
6 years, 1 month
UMA 2.0 manage shared access with Rest-API
by Jeroschewski Sven Erik (INST-CSS/BSV-OS)
Hello everyone,
Is there an example project or tutorial with UMA 2.0 where the user can give his consent regarding shared access using the REST API of Keycloak?
We already had a look at the "app-authz-uma-photoz" project from the "keycloak-quickstarts" repository. However, the example integrates a Keycloak website where the user can manage the requests for her/his resources. In our application we would like to have a custom service through which the user can manage his/her resources, can get notifications for new requests, and can define rules for permissions that are set automatically when a new resource is created or a new request is coming in.
For example, we have a use case in which an application creates new resources where the user is the resource owner. This resource should be accessible by another user by default or the uploading application should be able to grant access in the name of the resource owner.
We would be glad for any comments and recommendations on our approach.
Best regards
Sven Erik Jeroschewski
Open Source Services - Product Group Customer Success Services (INST-CSS/BSV-OS)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-416 | Mobile +49 152 24308225 | SvenErik.Jeroschewski(a)bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic
6 years, 1 month
Upgrade Keycloak running in Docker
by So Be
Hi,
I am running Keycloak 3 in a Docker container. Is it possible to upgrade to v4 or to the latest version without pulling a new image?
The reason for my question is that I don't want to configure the realms, clients, etc. from scratch.
Do you have any advice for this?
Thank you.
Sofiane.
6 years, 1 month