>From my understanding Realms allow Keycloak itself to be Multi Tenant, completely isolated Tenants.
Adding Groups (or Teams/Organisations) would make it easier for Applications leveraging Keycloak to be Multi Tenanted themselves (within a Realm). While some people seem to be using Composite roles with great affect, it is probably not what they were intended for.
The biggest benefit of Groups I see is being able to link groups of users to specific data so that their role only applies to that data and not to everything in the system/application (e.g. A Group Admin role allows a user permission to administrator only data created/owned by users in that group).
>Date: Wed, 14 Oct 2015 11:35:38 -0400
>From: Bill Burke <bburke(a)redhat.com>
>Subject: Re: [keycloak-user] Keycloak to set up Teams and
>Content-Type: text/plain; charset=windows-1252; format=flowed
>That's just not how keycloak was designed.
>Realms contain users, applications/clients, roles, groups etc. Realms
>were meant to be completely isolated from one another.
>On 10/14/2015 10:53 AM, Tim Dudgeon wrote:
>> The use case for me is to use multiple realms for authentication (e.g.
>> one realm for each organisation) that can access a single application
>> using a common set of roles.
>> Its sort of discussed from a different perspective on the apiman list here:
>> On 14/10/2015 15:34, Bill Burke wrote:
>>> No, we are not creatin "global" groups and roles. use case please?.
>>> We're trying to keep realms isolated from one another.
>>> On 10/14/2015 7:29 AM, Tim Dudgeon wrote:
>>>> The scope of this is presumably groups within an individual realm?
>>>> Is there any possibility for "global" groups and roles that can span
>>>> multiple realms?
>>>> On 13/10/2015 17:18, Bill Burke wrote:
>>>>> You just want something like github groups? List your requirements.
I am writing a federation provider that accesses Oracle using MyBatis.
I get the following error when MyBatis is trying to read its xml configuration:
### Cause: java.lang.RuntimeException: XPathFactory#newInstance() failed to create an XPathFactory for the default object model: http://java.sun.com/jaxp/xpath/dom <http://java.sun.com/jaxp/xpath/dom> with the XPathFactoryConfigurationException: javax.xml.xpath.XPathFactoryConfigurationException: No XPathFactory implementation found for the object model: http://java.sun.com/jaxp/xpath/dom <http://java.sun.com/jaxp/xpath/dom>
The federation provider jar is a big fat jar that includes all its dependencies.
is there any way to configure different password policies for different kind of users in one realm?
We´re dealing with the following use case: Two different types of users: one represents human users, who are able to login via a login page. The second represents other applications which do a system to system communication without login via a login page . For human users we want to specify the policy that they have to change their password at least all 90 days. User which were used for other applications (machine to machine communication) were not able to change their password. So we want to define this policy is only for human users.
I can´t find a possibility to distinguish between user types, so our idea was to use two separated realms. I can add user from type A to Realm 1 and user from type B to Realm 2 and with that, I´m able to configure different password policies for both groups. But at the end if both user types have access to the same client, I have to configure the same client with all its roles in both realms identically to add roles of this client to users within this realm.
What would be your recommendation to fulfil the requirement described in the use case?
Thanks for your help,
I am setting up an SSO server and i'm evaluating both CAS and Keycloak. One
of my main requirements is letting users have multiple teams and be a part
of multiple organizations. I'm trying to wrap my head around how to do this
in Keycloak. Something on the lines of what Github does -
https://github.com/blog/674-introducing-organizations As an evaluation
process, I've already created a POC using CAS.
I would really appreciate any pointers on how to do this with Keycloak.
*KUNAL KERKAR *| PRODUCT ENGINEER
Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
Web: www.plivo.com | Twitter: @plivo <http://twitter.com/plivo>, @tsudot
-----BEGIN PGP SIGNED MESSAGE-----
I'm building a secret store application that will sit in front of
Hawkular and will be responsible for replacing API keys into actual
Keycloak authentication data.
Based on the suggestions from Stian, the current code does the following
- - User logs in Hawkular via Keycloak
- - Once the user wants to create a new application key/secret, the user
is redirected to /secret-store/tokens/create , which takes the KC
authentication data and stores the refresh_token into the database,
creating a new key/secret
- - User configures an external application (like a monitoring agent in
a server), adding this key/secret to its configuration
- - The agent makes a call to the Hawkular backend, sending this key/secre
- - An undertow filter gets this key/secret from the request, fetches
the refresh_token from the database, gets a bearer token from Keycloak
based on this refresh_token and sets it to the request's context (ie:
replacing the Authorization header)
- - Keycloak uses this bearer token to perform what it needs to do
- - Request reaches the Hawkular backend
It all works, but the session from the *user* (second step) eventually
expires, causing the refresh_token to be invalid.
So, the question is whether this token is indeed supposed to be
attached to an user session, or if it's a bug. If the behavior I'm
seeing is the correct one, what could be a proper way to store a token
so that it can be replaced at a later time?
1 - http://git.io/vLAtF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
For the most part, I liked how PicketLink IDM relationships were structured. If I recall correctly, it was something like this:
Users could be assigned to 0...n Groups
Groups could have subgroups
Roles could be assigned to 0...n Groups
Roles could be assigned to 0..n Users
So, we could manage security within a hierarchical group structure but also add additional roles on per-user basis when needed. If it could all also optionally be done with composite roles, all the better.
Some relevant documentation:
From: Bill Burke <bburke(a)redhat.com>
Subject: Re: [keycloak-user] Keycloak to set up Teams and
Content-Type: text/plain; charset=windows-1252; format=flowed
You just want something like github groups? List your requirements.
I am starting on Groups next week after 1.6 goes out.
it seems the size of an attribute is limited to 255 characters.
That is quite small considering one might want to store JSON into attributes.
Would simply change the hibernate config file to use TEXT vs VARYING(255) be enough ?
any reason for that artificial limitation ?
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
We've just released Keycloak 1.5.1. This release contains a moderate impact
security fix and we recommend everyone that are currently using 1.5.0 to
upgrade as soon as possible. The security issue does not affect older
I'm having problems generating an access token.
$ curl -X POST
-H "Content-Type: application/x-www-form-urlencoded" -d 'username=user2'
-d 'password=user2' -d 'grant_type=password' -d 'client_id=app1'
From what I can see everything is set up correctly and looks the same
to another realm/client/user that does work:
- realm exists and works
- user exists and can log in to console
- client has been created in realm
But I'm getting "unauthorized_client" error.
What should I look at?