Just wanted a clarification regarding generation of offline tokens.
1. Can we use grant_type = authorization_code or grant_type =
refresh_token to get the offline tokens? Or is it only available for
grant_type = password & grant_type = client_credentials?
2. Is there a way to give offline token to a particular user without using
direct access grants?
I am trying to figure out how/if Keycloak can be used for a project. The
background is that we need three pieces of information to log in a user:
location, username, password. The location is used to allow us to figure
out where that user record can be found in a distributed environment. We
have no single central user database but instead a number of different user
databases installed in logically/physically different locations. We do not
want anything other than login from Keycloak and we need to be able to
support SAML and eventually OAuth2.
Based on reading the documentation it seems I would need to do the
1. Custom Authentication and AuthenticationFactory to handle validation of
the user credentials
2. Custom federation provider and factory to handle construction of the
I then created the custom authentication and factory. Packaged them and
placed them in the standalone. I then saw the new option in the
Authentication Admin menu. I created a new Flow by copying the Browser
flow and removed the default items and just required the new provider.
Saved, restarted. Then using a SAML client I tried login but I don't get
the new login form (which I reference in the code for the authenticator).
What I get is still the default login page with the two normal fields.
When I submit that form it never attempts to execute the code in my custom
So my questions are:
1. Am I correct that I need custom authentication and federation
providers? Are there additional items I need here?
2. How do I get the SAML login page to use my custom login page and how do
I route to the custom authentication code? And ideally how do I leave the
admin console login page alone, since that will use local users, not these
federated remote users.
Please let me know if I can provide more info for clarification.
I have a question about how to use OpenID Connect and Keycloak and hope that someone here will be able to help.
I'm part of a project where federated login will be used. We are planning to use Keycloak as Identity Broker, and multiple Identity Providers will be set up; some Identity Providers will be Keycloak instances, others not. For now the assumption is that all the Identity Providers will support OpenID Connect.
One of the use cases we need to support is authentication of applications for communication to webservices (machine to machine communication), but it is causing us some trouble.
The webservices will be created as clients in the Keycloak Identity Broker. But how do we authenticate the applications?
The applications will not be browser based, so using the web interface for authentication is not possible. There exist some guides (including this Keycloak blog post: http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html) that describe how this can be done when using Keycloak directly as Identity Provider, but I haven't been able to find any solutions for how to make it work when there is an Identity Broker involved.
Reading the Keycloak documentation I couldn't help noticing the big fat warning in the chapter about Direct Access Grant (http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acce...) which discourages bypassing the web interface. This leads me to think that this kind of federated authentication without a browser is not supported by OpenID Connect, or am I missing something?
I've had a look at offline tokens, but to generate them, manual browser based authentication is still needed, at least as far as I can see...
I hope someone on the list has an idea for a smart workaround :)
Is it possible to disable the Edit Account page?
Currently (Keycloak 1.4.0) users who click on the link in the password
get redirected to the Edit Account page.
I would like them to get redirected to my application.
How should I approach this?
I am trying version 1.6.0 of Keycloak's brokering. I have imported two realms, saml-broker-realm.json and saml-broker-authentication-realm.json, by following the readme in the broker example. It works fine (except failed logout somehow).
Now I decided to give it more of a try and here are my steps:
1) Create a realm named testsaml; the SAML descriptor can be found here: http://localhost:8080/auth/realms/testsaml/protocol/saml/descriptor
2) In the saml-broker-authentication-realm, create a new ID provider named saml by importing the URL above: http://localhost:8080/auth/realms/testsaml/protocol/saml/descriptor
3) Download the SP metadata named "keycloak.xml" from the export tab page.
4) Go to the testsaml realm, and create a client by importing the downloaded "keycloak.xml".
5) Open the page http://localhost:8080/saml-broker-authentication and you can see the ID provider named saml on the left.
6) Log in with the ID provider but finally get the errors as below:
Context Path: /auth
Servlet Path:
Path Info: /realms/saml-broker-authentication-realm/broker/saml/endpoint
Query String: null
Stack Trace
java.lang.RuntimeException: request path: /auth/realms/saml-broker-authentication-realm/broker/saml/endpoint
So what happened with my configuration? Did I miss something?
We got a requirement to have a long timeout, e.g. 2-3 days, on links for e-mail verification during registration, for better UX.
It's possible to do it via setting "Login action timeout" to 3 days. This setting also changes the timeout of the link for forgot password, AFAIK.
I'm thinking about security implications.
Can somebody steal such a link from the e-mail somehow and then steal the identity by doing "forgot password" on the target account? For example by listening to SMTP protocol communication?
jboss.org Development Team
I am using Keycloak 1.5.0 to secure a few of my applications and I want to
request Keycloak's Login page from an AJAX call. It is currently giving
me a CORS error. So I wanted to know how do I enable CORS support or add my
URL to the allowed set?