December 2018 - keycloak-user - Jboss List Archives

by Nikola Malenic

I configured mutual-ssl authentication on Keycloak. That means that user coming to Keycloak does SSL handshake allowing Keycloak to extract data from client certificate and map that data to an existing user at Keycloak, and based on that authenticate the user. Now, I need to configure reverse proxy in front of Keycloak. I'm using Apache's httpd. The problem is that user's browser now does SSL handshake with the reverse proxy server instead of Keycloak and sends plain http request, disabling Keycloak to map and authenticate the user. Is there a proposed method to achieve this? Can I configure some reverse proxy (maybe not httpd) to proxy requests on the transport layer? Or should I somehow configure Keycloak for this? Maybe configure the proxy to be KC's client and do the authentication somehow? Many thanks, Nikola

6 years

2
1
0 / 0

Keycloak revoke endpoint

by Ravi Shankar Nori

Hi, I am working on integrating oVirt Engine with Keycloak as an external authentication provider. In oVirt we have Java/Ruby/Python SDKs that need to obtain a token directly from Keycloak and then revoke the token at the end of the session. I see Keycloak has a logout endpoint that takes the refresh token to perform logout. Is there another endpoint that can take the access token to perform the logout like a "revoke" endpoint? Thanks, Ravi

6 years

1
0
0 / 0

Only permit social login for existing, linked accounts

by Geoffrey Cleaves

How can I allow identity providers like Google to only be used to login with an existing account? I'm sure this has been asked (I see the questions <http://lists.jboss.org/pipermail/keycloak-dev/2015-March/004031.html>) and answered (this I can't find) and must have something to do with custom authentication flows. I've made a copy of the First Broker Login flow and messed around with priorities and requirements, but I can't get it right. Thanks, Geoff

6 years

1
0
0 / 0

Keycloak email behind reverse proxy

by Nikola Malenic

Hello, I want to send an email to the user to update his password after he gets created using Keycloak's API. One note: I am doing user creation in different application than Keycloak and then call Keycloak in Admin client's name. Here is how I do this currently: userRessource.get(id).executeActionsEmail(Arrays.asList("UPDATE_PASSWORD")); The problem is that I have a reverse proxy in front of KeyCloak, so users won't be able to access Keycloak at all. And email that is sent has url pointing to Keycloak's address. Is there a way to configure Keycloak to somehow send email with url pointing to the reverse proxy? Thanks in advance, Nikola

6 years

1
0
0 / 0

start up of keycloak nodes roughly increases two folds for every 100 tenants.

by Madhu

Hi I am using keycloak 4.5. i created about 600+ tenants with 50 users each for a performance testing. Upon creating tenants the start up time of keycloak increases drastically. This seems to be due to pretty much all entities at start up.. I tried disabling realm cache, user cache and did not help.. can you suggest how to bring down the start up time? Is it absolutely necessary for keycloak to load every thing at start up?? This is an extract from hibernate stat i got on a c4 xlarge ec2 instance ( 4 core 8 gig), keycloak configured with xms=xmx=5g. 018-11-24 10:33:19,998 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool – 61) Envers integration enabled? : true 2018-11-24 10:33:20,499 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool – 61) HV000001: Hibernate Validator 5.3.6.Final 2018-11-24 10:33:21,296 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool – 61) HHH000397: Using ASTQueryTranslatorFactory ^C [centos@ip-172-31-45-199 log]$ 11:10:45,750 INFO [org.hibernate.engi ne.internal.StatisticalLoggingSessionEventListener] (ServerService Th read Pool – 61) Session Metrics { 669457663 nanoseconds spent acquiring 92974 JDBC connections; 148185664 nanoseconds spent releasing 92974 JDBC connections; 1852958902 nanoseconds spent preparing 92974 JDBC statements; 35866600579 nanoseconds spent executing 92974 JDBC statements; 0 nanoseconds spent executing 0 JDBC batches; 0 nanoseconds spent performing 0 L2C puts; 0 nanoseconds spent performing 0 L2C hits; 0 nanoseconds spent performing 0 L2C misses; 543461113 nanoseconds spent executing 2 flushes (flushing a total of 227216 entities and 158902 collections); 2197548626817 nanoseconds spent executing 14139 partial-flushes ( flushing a total of* 1042012050 entities and 1042012050 collections*) } 11:10:45,780 INFO [org.hibernate.engine.internal.StatisticalLoggingS essionEventListener] (ServerService Thread Pool – 61) Session Metric s { 7689387 nanoseconds spent acquiring 1 JDBC connections; 34263 nanoseconds spent releasing 1 JDBC connections; 8025969 nanoseconds spent preparing 1 JDBC statements; 909784 nanoseconds spent executing 1 JDBC statements; 0 nanoseconds spent executing 0 JDBC batches; 0 nanoseconds spent performing 0 L2C puts; 0 nanoseconds spent performing 0 L2C hits; 0 nanoseconds spent performing 0 L2C misses; 3525215 nanoseconds spent executing 3 flushes (flushing a total o f 3 entities and 0 collections); 0 nanoseconds spent executing 0 partial-flushes (flushing a total of 0 entities and 0 collections)} 11:10:45,795 INFO [org.hibernate.engine.internal.StatisticalLoggingS essionEventListener] (ServerService Thread Pool – 61) Session Metric s { 437680 nanoseconds spent acquiring 1 JDBC connections; 10539 nanoseconds spent releasing 1 JDBC connections; 465001 nanoseconds spent preparing 1 JDBC statements; 719260 nanoseconds spent executing 1 JDBC statements; 0 nanoseconds spent executing 0 JDBC batches; 0 nanoseconds spent performing 0 L2C puts; 0 nanoseconds spent performing 0 L2C hits; 0 nanoseconds spent performing 0 L2C misses; 0 nanoseconds spent executing 0 flushes (flushing a total of 0 en tities and 0 collections); 17455 nanoseconds spent executing 1 partial-flushes (flushing a total of 0 entities and 0 collections) All My 600 +realms are pretty much same i.e. each realm has a client scope, a java script mapper (to get all the realm roles into resouce role),couple of attribute mappers, 2 users groups ( 1 for admins) and 1 for other users. i have about 50 users in each realm and all the user belongs to one of the 2 user groups ( no custom roles though).. Also, I bench marked the start up time after creating 50 or 100 realms and the start up time increases as the number of realms increases . I am able to manage as i have disabled the admin console and use rest endpoints.. but still the start up time and loading pretty much every thing seems little wiered. Please correct my understanding if i am wrong here.. | No of Realms | Start up time in mins | | 0 realms | 0.22 mins | | 100 realms | 2.34 mins | | 200 realms | 2.53 mins | | 300 realms | 5.34 mins | | 400 realms | 9.42 mins | | 500 realms | 14.6 mins | | 650 realms | 37 mins | Like wise the time taken to create tenants too gradually increases ( i use import to create realms) from about 3 seconds for first few realms to about 30 sec for 600th realm.. Any advise /help will be appreciated.

6 years

2
5
0 / 0

deciding on using keycloak or not

by subscription sites

Hi there, Just a general question: I'm currently deciding on which opensource SSO-solution I should use in a project. >From what I can gather, Keycloak has all the features I need. There is however one caveat here: the recent acquisition by IBM. I'm wondering if there could be a potential consequence for keycloak and if so, what could it be? Could the project be completely cancelled? Could the product disappear altogether or fall without any support? I know that there probably isn't any clear information about this, even at IBM/Redhat internally at the moment, but I don't want to choose a product, integrate multiple applications with it and then get stuck in a year or so having to do it all over again. Any ideas/input? Kind regards, P.

6 years

1
0
0 / 0

Custom message in authenticator script

by Vagelis Savvas

Hello, I have created a theme and extended the base login form with an extra input field. I've also created a Script Authenticator that checks the value of the extra field and permits or not the authentication. My authenticator script runs after the builtin 'Username Password form' (Browser flow). Now I would like to do two things when authentication fails because of my script: 1. Use a custom i18n error message instead of showing one of the messages of the builtin AuthenticationFlowError. Is there a way to do so? 2. Stay on the login page and show the error message instead of being sent to a 'We're sorry...' page with a link back to the login form. For instance the builtin 'Username Password form' stays on the login form with an error message when authentication fails which is nice and clean. Currently I fail the authentication with 'context.clearUser(); context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);' but I've tried various methods from 'context' without achieving either 1 or 2 of my requirements. Cheers, Vagelis

6 years

2
2
0 / 0

Expire active token when user session if logged out

by Himalaya Gupta

Hi, My Client is ReactJS Application using keycloak javascript adaptor I am trying the below scenario: 1. Login to client application via keyclock server and retrieve the access-token in the client 2. Login to the Key-Clock Admin console and logout the active session for the user for the given client. 3. On the client application i observe the following: The token is still valid as it has not expired.When the token expires, the refresh token request is stuck in refreshing the token (probably stuck as the user is forcefully logged-out via AdminConsole) Can you please let me know if there is a way to detect the Inactive session and force the user to login even if the token is still valid via the JavaScript API? When trying to refresh the token and if the user session is logged out, should the keycloak server just return an error instead of pending response. Could this be a bug? Any help would be appreciated in this regard. Thank you -- Best regards, Himalaya Gupta

6 years

1
0
0 / 0

Keycloak Multi Tenancy implementation with login through javascript (a webpage)

by Vikram

Hello all, I want to assign different realms to different clients (organisations) in keycloak. The login to keycloak is achieved through a webpage which acquires a valid token from keycloak which is then passed with the rest requests that I make from my website to a springboot server that uses a keycloak adapter for authentication. Now, the javascript adapter needs a keycloak configuration file that has details about the realm that I want to log in to. But, the problem is that I do not know which realm the user belongs to because he / she can be from any organisation ie. the login page for all organisations is the same. What is the best way to achieve this ? I assume that this kind of approach is quite common these days but cannot find a solution.. Regards, Vikram

6 years

2
1
0 / 0

Add user with a pre existing client role and group through Java

by Vikram

Hi, I am trying to add a user with a pre existing client role and group through java code in my springboot server. I want to achieve this through a logged in user that can only see / manage the users of his/her group and also the new created user should be assigned a group and a client role on creation. The group should be the same as the group of the user that is logged in and the client role could be hardcoded. Thanks, Vikram

6 years

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user December 2018