adding realm level configuration parameter
by Ori Doolman
Hi,
I want to perform some customization to Keycloak using existing SPIs.
For that, I need to store a configuration parameter (may be different value per realm).
What is the way to achieve that? Is there an SPI to extend the realm properties?
The only solution I can think of now is setting a custom attribute in the users group of the realm.
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)
6 years, 11 months
Multiple User Storage Providers
by Ryan Slominski
Hi Keycloak users,
I'm looking for tips on how to migrate from mod_auth_kerb to Keycloak. I have two Kerberos realms, and one is a subset of the other: DOMAIN.ORG and INTERNAL.DOMAIN.ORG. The mod_auth_kerb handles this scenario beautifully and I simply have a service principal for each Kerberos realm in the keytab and Apache httpd will login the user if they are in either of the Kerberos realms. For Keycloak adding two Kerberos user storage providers, one at priority 1, and another at priority 2 doesn't seem to work. Only the first one is used. What are other people doing to handle this? Creating a custom User Storage Provider? Client side multitenancy? Perhaps if I use two LDAP servers instead of two KDCs it could work (I assume from the priority field of user storage provider API that something must be allowed to be paired together)?
Thanks,
Ryan
6 years, 11 months
keycloak behind nginx
by karan shah
Posting this again as I have not been successful. I have a sample app which correctly secures the rest api locally. Now when I put this in production behind a nginx proxy it does not work. No errors. It allows all requests.
Front end server with ssl is https://frontend.com
Back end server with ssl is https://backend.com
Keycloak proxy forward is true
Front end server(node server on 9000) <-> NGINX <-> Keycloak (running on 8180)
nginx file sample

upstream keycloak_server {
    server localhost:8180;
}
upstream node_server {
    server localhost:9000;
}
# Keycloak with proxy-address-forwarding=true builds its public URLs from
# X-Forwarded-For / X-Forwarded-Proto, so both must be set here.
# proxy_pass has no URI part, so /auth/... reaches Keycloak unchanged.
location /auth/ {
    proxy_pass http://keycloak_server;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
# Everything else goes to the Angular front end on port 9000.
location / {
    proxy_pass http://node_server;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
Front end server calls a backend api using Angular. REST api calls look like https://backend.com/callTest
Backend server(running on tomcat) <-> NGINX <-> Spring Boot(with keycloak)
nginx sample

# proxy_pass carries a URI part, so nginx replaces the matched prefix "/"
# with "/dt-1.0/": a request for /callTest reaches Tomcat as /dt-1.0/callTest.
location / {
    proxy_pass http://127.0.0.1:8080/dt-1.0/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
in angular keycloak.json looks like
{
"realm": "demo",
"auth-server-url": "https://frontend.com/auth",
"ssl-required": "none",
"resource": "tutorial-frontend",
"public-client": true
}
in spring boot keycloak properties look like

keycloak.auth-server-url=https://frontend.com/auth
keycloak.realm=demo
keycloak.resource=1040nra-client
keycloak.public-client=true
# bearer-only: requests without a valid Authorization: Bearer token are
# rejected rather than redirected to the login page
keycloak.bearer-only=true
keycloak.cors=true
# every path requires the realm role "user"
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*
Please let me know how to correct this. I would really appreciate it.
6 years, 11 months
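What the bearer-only backend above is expected to do on every request, written out as an added example (this is not the poster's code and not the Keycloak adapter itself): parse the bearer token, pin the algorithm to RS256, verify the signature under the realm's public key, compare the issuer with the configured auth-server-url plus realm, check expiry, and only then apply the role constraint. Assumptions, all taken from the posted configuration or invented for the example: the expected issuer is https://frontend.com/auth/realms/demo, the required role is "user", and a 2048-bit RSA key generated locally stands in for the realm key (a real resource server only ever holds the public half, fetched from Keycloak).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token a bearer-only
// resource server has to inspect; JSON names are the real claim names.
type Claims struct {
	Iss         string `json:"iss"`
	Exp         int64  `json:"exp"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

// newRealmKey stands in for the realm signing key (assumption: generated
// locally here; in production only Keycloak holds the private half).
func newRealmKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintRS256 builds a compact RS256 JWT the way the realm would.
func mintRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// verify: fixed alg, signature under the realm public key, issuer equal to
// <auth-server-url>/realms/<realm>, and not expired at unix time now.
func verify(pub *rsa.PublicKey, token, expectedIss string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg") // never accept none/HS256 here
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	bodyRaw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(bodyRaw, &c); err != nil {
		return nil, err
	}
	if c.Iss != expectedIss {
		return nil, fmt.Errorf("issuer %q != %q", c.Iss, expectedIss)
	}
	if now >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// authorize maps an Authorization header to the HTTP status a bearer-only
// endpoint guarded by a constraint on requiredRole should answer with.
func authorize(pub *rsa.PublicKey, authz, expectedIss, requiredRole string, now int64) int {
	if !strings.HasPrefix(authz, "Bearer ") {
		return 401 // bearer-only: reject, never redirect to the login page
	}
	c, err := verify(pub, strings.TrimPrefix(authz, "Bearer "), expectedIss, now)
	if err != nil {
		return 401
	}
	for _, r := range c.RealmAccess.Roles {
		if r == requiredRole {
			return 200
		}
	}
	return 403
}

func main() {
	key, err := newRealmKey()
	if err != nil {
		panic(err)
	}
	iss := "https://frontend.com/auth/realms/demo" // assumed: auth-server-url + /realms/ + realm
	now := time.Now().Unix()
	var c Claims
	c.Iss, c.Exp = iss, now+300
	c.RealmAccess.Roles = []string{"user"}
	tok, _ := mintRS256(key, c)
	fmt.Println(authorize(&key.PublicKey, "Bearer "+tok, iss, "user", now), authorize(&key.PublicKey, "", iss, "user", now))
}
```

The issuer comparison is the part that matters behind a proxy: the token's iss is whatever public URL Keycloak believes it is served from, so if the adapter's auth-server-url and the URL the proxy presents to Keycloak disagree, valid tokens are rejected, and if the adapter is not enforcing the constraint at all, a request with no Authorization header gets 200 instead of 401. The first check to run against the deployed backend is therefore a plain request with no token, which must come back as 401.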
FIDO UAF
by Stian Thorgersen
Anyone here interested in FIDO UAF? I'd be interested to have a
conversation about it.
6 years, 11 months
Keycloak development setup
by moritz.becker@gmx.at
Hi,
I need to adapt Keycloak and tried to set up a development project in
IntelliJ but I couldn't figure out how to do it so that hot code replacement
and other IDE integrations work.
I used to hack on Keycloak but back then it was possible to create a simple
WAR overlay and deploy that to the local server - easy. But with the newest
version, only the Keycloak Wildfly subsystem distribution seems to be
supported and I wonder what a development setup would look like given this
restriction? Could not find any pointers on this, unfortunately.
Thanks!
Moritz
6 years, 11 months
"Default" Client Template
by Jonas Schönenberger
Hi everyone
Is it possible to define a default client template that every new dynamic
client (OpenID Connect Dynamic Client Registration) receives during
registration?
Thank you for your help and Best Regards
Jonas
6 years, 11 months
Integrating WildFly JavaEE application with Keycloak
by valsaraj pv
Hi,
Currently our JavaEE application, with servlets, EJB, remote EJB & HornetQ
messaging, uses a JAAS login module with an LDAP back end. I am trying to
integrate Keycloak with our WildFly 10.1 server for using identity provider
& SSO.
*Source LDAP/DB Sync*
Found that Keycloak supports LDAP sync & we can sync existing user data
periodically to Keycloak. Is it possible to sync from multiple user data
stores as we have to integrate multiple JavaEE web apps?
*JAAS custom login module for Keycloak*
Currently we are using JAAS custom login module for
authentication/authorization. Is it possible to use the same or similar
login module with Keycloak? We need to avoid redirection to Keycloak login
page.
If redirection is a must, is there any sample to migrate from JAAS to
Keycloak realm?
Thanks!
--
Life is like this: "Just when we get all the answers of life.... God
changes the question paper....
Valsaraj Viswanathan
6 years, 11 months