First of all, congrats on the beta 1 release!
Here's my question: I have a WAR with a REST API that I'm securing with
Keycloak. Now I'd like to add multitenancy support.
If I understand the concept in Keycloak correctly, I would somehow have to
have several realms in the keycloak.json and the web.xml of the WAR, right?
However there is just one realm-name attribute in the web.xml and the
structure of keycloak.json also looks like it is intended for one realm. Am
I missing something?
Wondering if it would be possible to create a JPA authentication provider?
What I am trying to do is share the Hibernate user model between Keycloak
authentication provider and my application. I've got as far as extracting
the models into their own project so they can be used as dependency between
my application / authentication provider.
Still wrapping my head around JavaEE architecture so forgive me if this
next sentence doesn't make any sense... The properties authentication
adapter in beta1 examples is a jar which can't really declare its own data
sources. So wondering how I would implement a provider that defines its
I've just scratched a pair of Docker images for Keycloak, and I would be
interested in getting some feedback. If you already have Docker
installed, you can start an auth server by running this command:
docker run -it -p 8080:8080 jpkroehling/keycloak-server
Then, it should be available as:
The second image is built on top of the server, and contains the
examples. To run it, execute this command:
docker run -it -p 8080:8080 jpkroehling/keycloak-examples
Same procedure for the admin:
And you can log in to the Customer Portal sample application using
If you have questions or comments, I'm also available at #keycloak on
freenode as jpkroehling.
- Juca.
There is an interface, IdentityManagerProvider, which allows you to provide
your own way from where to retrieve Picketlink
IdentityManager/PartitionManager. Right now, there is just one
implementation of this interface available, RealmIdentityManagerProvider,
which uses PartitionManager initialized with LDAP and configuration of
LDAP is taken from realm configuration. I was thinking about adding
another implementation, which will be able to use PartitionManager from
So if you want, you can create your own implementation of this interface
and plug it in. See our examples for more details how to do it:
There is no example for retrieving custom configuration of picketlink,
but there are other examples, which can point you to how to create
On 29.5.2014 15:41, Kamal Jagadevan wrote:
> Hello Marek,
> Thanks for the information, I was wondering if Keycloak can integrate
> with picketlink that our application already uses.
> Looks like we might have to implement a new authentication provider that
> uses our existing picketlink as per your documentation.
> Is that right? Please confirm.
> *From:* Marek Posolda <mposolda(a)redhat.com>
> *To:* Kamal Jagadevan <j.kamal(a)ymail.com>;
> "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> *Sent:* Wednesday, May 28, 2014 4:49 PM
> *Subject:* Re: [keycloak-user] Integration of Keycloak with Picketlink
> Currently Picketlink IDM is used for LDAP integration and it's used
> just in Authentication as you pointed. You first need to configure
> your LDAP server and then you can configure "picketlink"
> authenticationProvider, which will mean that your LDAP users will be
> able to authenticate through picketlink into your realm.
> More info is in the latest documentation, but you will need to build it
> from sources: https://github.com/keycloak/keycloak/tree/master/docbook
> It should be available in the documentation on the official website
> http://www.keycloak.org in a few days.
> On 28.5.2014 18:07, Kamal Jagadevan wrote:
>> From the admin console, I noticed that there is support to use
>> picketlink with Keycloak.
>> How is that configured as "Authentication options providers options"
>> are not displayed in the "Authentication" tab of settings.
>> Is this intentional or am I missing something?
I'm trying to replace my current authentication system with Keycloak, but I
have one problem. I already have a database of users, populated with
millions of records, and I wanted to make it work with Keycloak.
What would be the best approach on this scenario? Should I migrate
everything to the Keycloak tables, or try to make Keycloak understand my
Is there any recommendation on this matter? And if there is, some
explanation or documentation?
I recently added building Keycloak as a Jenkins job that runs on a Windows build machine. I noticed that each time a build is done, we get four Firewall popups requesting to grant access to something related to mongo embedded plugin. I did not see this on my MacBook Pro local build so it's a Windows-only issue. The problem is it creates a new application name each time it is run so simply adding the access restriction to Windows firewall once doesn't do the trick.
I tracked it down to pom files that reference the embedmongo-maven-plugin needing to add a <bindIp>127.0.0.1</bindIp> to the plugin configuration.
There are four pom files that need to be modified:
There is a very simple pattern. In each pom there is a properties section for keycloak.model.mongo.*
I added a property for bindIp as follows:
Then for surefire I added a system property variable as follows:
And lastly, for the embedmongo-maven-plugin, modify the configuration as follows:
For the audit file replace model with audit.
I'm able to build on Windows now without any popups.
This will be greatly appreciated if it can be done!
Principal Design Engineer
Tom Sawyer Software
1997 El Dorado Avenue
Berkeley, CA 94707
E-mail: pmadden@ tomsawyer.com
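
A check for the fix described in the message above, as an added example that is not part of the original post or of the Keycloak build: it parses a pom and reports every embedmongo-maven-plugin block whose bindIp is absent or not a loopback address. The sample poms are constructed, and the property name keycloak.model.mongo.bindIp is an assumption based on the keycloak.model.mongo.* pattern the message mentions.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample: embedded Mongo plugin with no bindIp configured.
POM_UNBOUND = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins><plugin>
    <groupId>com.github.joelittlejohn.embedmongo</groupId>
    <artifactId>embedmongo-maven-plugin</artifactId>
    <configuration><port>27018</port></configuration>
  </plugin></plugins></build>
</project>"""

# Constructed sample: bindIp supplied through a property (name is assumed).
POM_BOUND = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <keycloak.model.mongo.bindIp>127.0.0.1</keycloak.model.mongo.bindIp>
  </properties>
  <build><plugins><plugin>
    <groupId>com.github.joelittlejohn.embedmongo</groupId>
    <artifactId>embedmongo-maven-plugin</artifactId>
    <configuration><bindIp>${keycloak.model.mongo.bindIp}</bindIp></configuration>
  </plugin></plugins></build>
</project>"""

def resolve(value, props):
    """Expand a single ${name} reference using the pom's own <properties>."""
    if value and value.startswith("${") and value.endswith("}"):
        return props.get(value[2:-1])
    return value

def audit_pom(pom_text):
    """Return one finding per embedmongo plugin block not bound to loopback."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for plugin in root.iter("{%s}plugin" % NS["m"]):
        if plugin.findtext("m:artifactId", "", NS).strip() != "embedmongo-maven-plugin":
            continue
        # bindIp may sit in the plugin-level or an execution-level configuration.
        node = plugin.find(".//m:bindIp", NS)
        raw = (node.text or "").strip() if node is not None else None
        bind = resolve(raw, props)
        if not bind:
            findings.append("bindIp missing or unresolved")
        elif bind not in LOOPBACK:
            findings.append("bindIp is %s" % bind)
    return findings
```

Run over each pom that references the plugin, an empty list means the embedded Mongo instance is pinned to loopback.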
From the admin console, I noticed that there is support to use picketlink with Keycloak.
How is that configured as "Authentication options providers options" are not displayed in the "Authentication" tab of settings.
Is this intentional or am I missing something?
I am not sure if this is the appropriate way to post a Keycloak question. If it is not, I apologize.
I have set up a Wildfly JSP application (confidential) and a Wildfly REST API application (bearer-only) to use Keycloak Alpha 3. The Keycloak, JSP, and REST API applications are each running in a different Wildfly server on the same machine.
Everything seems to work except the sign-off. It appears to work and there is no error, but in actuality the sign-off doesn't work. When the logout URL redirects back to the homepage (not secure) and I click the link to the get Countries JSP page (secured) again, it still shows me the country list without redirecting me to the Keycloak login page.
I set @NoCache on the JAX-RS endpoints in the API application and in the JSP app I put: <head>
String logoutUri = KeycloakUriBuilder.fromUri("http://localhost:6080/auth/rest/realms/MyRealm/tokens/logout")
to create the log-off URL.
Also, if I go into the Keycloak Admin as "admin" and force log-off the user, it doesn't work either.
Is there some setting I am missing in the JSP? I turned off all the caching I know about in Chrome and Wildfly. I am not sure this is a Keycloak problem or my ignorance of Wildfly and JSP.
Any help is greatly appreciated.
A. Kevin Bailey