I want to enable CORS for Direct Grant Access, how to do it? I am getting
(index):1 XMLHttpRequest cannot load
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://pn.localhost:81' is therefore not allowed access. The
response had HTTP status code 400.
I've 2 applications installed with Picketlink SPFilter to authenticate with
keycloak 1.1.0 beta 2.
When I perform global logout, the first application is logged out successfully
because the SP/keycloak session and application http session are removed, but
the problem is that the second application's SP/keycloak session is removed
while its application http session still remains. I've set the admin url for
these 2 applications in the keycloak admin console. Kindly share your ideas.
I have been testing Keycloak (1.1.0 Final) federation ability against some of our existing user databases. I came across the unique email address constraint in the UserEntity table. What is the reasoning behind email addresses being unique?
Our particular use case is that a user can create multiple usernames and have the same email address across many of them if they choose to.
I have Keycloak Proxy working well. However, it's installed on machines that are not Internet-accessible and I need to put an Apache Reverse Proxy in front of it. Installing the Keycloak Proxy on the externally-facing Apache servers is not an option for me. My issue is, Keycloak Proxy sends a redirect-URI to the auth server that is based on the bind-address value in the config. I need the redirect URI sent to the Auth server to be the Apache reverse proxy.
Is there a clever way to do this, or is a feature addition needed to support this? If the latter, then I suggest adding an optional property "redirect_base_address" to the config.
I have a question about running my applications in a different server than the keycloak one.
I have one third party oauth client web application and one pure restful web service application.
I have created a realm and configured the two applications as explained in the video tutorials.
The behaviour of the two applications is similar to the database service and the third-party oauth client that are shipped in the example of the keycloak distribution.
Everything works fine when I deploy all on the same wildfly server that is hosting the keycloak server;
I would like to deploy the restful web application and the oauth client in another JBOSS EAP 6 server.
For the oauth client, as explained in the video tutorial, I will have to define the complete url while defining the redirect url in the registration step.
For the restful services web application, it's a bearer only access type application. It will only accept token authentication. There is no redirect url.
How do I configure the restful services web application in this situation?
Is there something to configure so that the keycloak adapter is able to validate the token when the oauth client calls a service from the restful web application?
Thank you in advance.
We're proud to announce the release of Keycloak 1.2.0.Beta1. This is a great release, especially if you're after enterprise capabilities.
The major new features in this release include:
* Protocol mapping - With protocol mapping it's easy to define what claims are added to the token an application receives.
* Kerberos - It's now possible to authenticate with a Keycloak realm using Kerberos tickets through SPNEGO.
* Identity Brokering - As well as Kerberos you can also authenticate with Keycloak with an external SAML 2.0 or OpenID Connect Identity Provider.
* OpenID Connect improvements - We've made several improvements to comply with the OpenID Connect specification and we've also introduced new features such as Discovery, Session Management and UserInfo endpoint.
* Internationalization support for login and account management - Thanks to Michael Gerber the login and account management pages now have internationalization support. We have built in support for English, German and Brazilian Portuguese. We've also made it easy to add your own and if you'd like to contribute a translation let us know.
* Deploy providers as modules - It's now possible to deploy custom providers as modules. This gives you full control of the classloader for your provider.
* Deploy themes as modules - We've made it much simpler to package themes and they can also be deployed as a module. This makes it simpler to distribute themes as well as using custom themes in a cluster.
* Login with Stackoverflow and LinkedIn - Thanks to Vlastimil Eliáš we now have built-in support to login with Stackoverflow and LinkedIn.
* SysLog event listener - Thanks to Giriraj Sharma we now have a syslog event listener.
To get the release go to www.keycloak.org. For the full lists of issues resolved for this release check https://issues.jboss.org/browse/KEYCLOAK.
Remember to read the migration guide before upgrading as it contains vital information about what's changed and how to upgrade.
I have an AngularJS-based UI web app talking to RESTful web services using Keycloak security.
Keycloak is running on a separate instance of Wildfly having https connection.
UI Web application has keycloak.json file with hardcoded Keycloak URL.
Everything works well with one problem: when I need to install my web application to a different environment I need to open WAR, modify keycloak.json with new URL and package it back.
Since we deliver the entire installation to the client, I don’t know their host names, so they have to open WAR, which is inconvenient.
Is there any way to avoid that?
Principal Software Engineer
5705 W Old Shakopee Road, Suite 100
Bloomington, MN 55437 USA
I'm also quite new to Keycloak and had some trouble setting it up in the
That's why I wrote a small tutorial http://sebplorenz.blogspot.de/
Maybe it is of help for you.
Since you are not redirected to Keycloak at all, I would assume that either:
1. Your web resource is not listed in the <security-constraint> element in
2. Your <auth-method> is not set to Keycloak in web.xml or
3. Keycloak is not configured correctly in your standalone.xml server
configuration and therefore does not interrupt the access to the resource.
Good Luck. Sebastian
> ---------- Forwarded message ----------
> From: Thomas LaPorte <Thomas.LaPorte(a)dreamworks.com>
> To: keycloak-user(a)lists.jboss.org
> Date: Tue, 31 Mar 2015 15:05:32 -0700
> Subject: Re: [keycloak-user] Help troubleshooting config
> Thanks to a list member for some debug setup help, I'm getting much more
> Now I can see (and confirm my suspicion), that something is not right and
> my resource is unprotected.
> For the example customer-portal app, I see that after the "callback-uri:
> ..." message, I get a "Sending redirect to login page:..." message.
> For my app, it goes directly to "AuthenticatedActionsValve.invoke"
> -- Tom
> On Tue, Mar 31, 2015 at 2:49 PM, Guy Davis <guydavis.ca(a)gmail.com> wrote:
>> Hi Thomas,
>> To dial up logging, try adding this to your standalone.xml file in the
>> logging subsystem and re-starting your Wildfly instance:
>> <logger category="org.keycloak">
>>     <level name="DEBUG"/>
>> </logger>
>> Then, be sure you have the right configuration in your web.xml of your
>> test WAR file. See the docs here
>> for details.
>> Hope this helps,
>> On Tue, Mar 31, 2015 at 3:30 PM, Thomas LaPorte <
>> Thomas.LaPorte(a)dreamworks.com> wrote:
>>> Apologies for cutting off by hitting send prematurely.
>>> On Tue, Mar 31, 2015 at 2:26 PM, Thomas LaPorte <
>>> Thomas.LaPorte(a)dreamworks.com> wrote:
>>>> Greetings. I'm a first-time user of Keycloak, trying to set up a simple
>>>> demonstration after the examples, however, I'm having 0% success in getting
>>>> my configuration correct enough such that my web resource is protected.
>>>> I have reduced my setup all the way down to a basic "HelloWorld.jsp" in
>>>> a WAR file that is deployed into the standalone Wildfly server that is also
>>>> hosting the Keycloak server.
>>>> I am convinced that it is a configuration step being missed somewhere,
>>>> as I can always access my URL without intervention from the Keycloak server.
>>>> My WAR file consists of the following:
>>>> 0 Tue Mar 31 14:20:20 PDT 2015 META-INF/
>>>> 68 Tue Mar 31 14:20:20 PDT 2015 META-INF/MANIFEST.MF
>>>> 0 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/
>>>> 1584 Tue Mar 31 09:47:52 PDT 2015 WEB-INF/web.xml
>>>> 491 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/keycloak.json
>>>> 308 Tue Mar 31 14:20:18 PDT 2015 index.jsp
>>> I have added my application to the demo realm by copying the
>>> customer-portal application stanza, and replacing the "customer-portal"
>>> with my app name:
>>> "name": "goalkeepers",
>>> "enabled": true,
>>> "adminUrl": "/goalkeepers",
>>> "baseUrl": "/goalkeepers",
>>> "redirectUris": [
>>> "secret": "password"
>>> At this stage I am just looking for suggestions on how best to
>>> troubleshoot my configuration? What logging properties can I set to enable
>>> more debugging? Or where else can I look for some clues as to the errors in
>>> my configuration?
>>> I fear I am missing something extremely fundamental, but I can't for the
>>> life of me see what it is.
>>> - Tom
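The first two causes listed in the reply above (resource not covered by a `<security-constraint>`, `<auth-method>` not set to `KEYCLOAK`) can be checked directly against a WAR's `web.xml`. The following is an added example, not part of the original thread and not Keycloak code; the sample descriptor is constructed, `audit_web_xml` and its helpers are hypothetical names, and `<http-method>` restrictions are assumed absent.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): only /admin/* is constrained and
# the login method is BASIC, so /index.jsp is served without a Keycloak redirect.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def find_all(node, name):
    """Find descendants by local tag name, ignoring the Java EE namespace."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def match_rank(pattern, path):
    """Servlet precedence: exact > longest '/prefix/*' > '*.ext' > '/'; None if no match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def audit_web_xml(xml_text, path):
    """Return reasons why a request for `path` would not be redirected to Keycloak."""
    root, findings, hits = ET.fromstring(xml_text), [], []
    for sc in find_all(root, "security-constraint"):
        protected = bool(find_all(sc, "auth-constraint"))
        for p in find_all(sc, "url-pattern"):
            rank = match_rank((p.text or "").strip(), path)
            if rank is not None:
                hits.append((rank, protected))
    best = max((r for r, _ in hits), default=None)
    if best is None:
        findings.append(f"no security-constraint matches {path}")
    elif not all(prot for r, prot in hits if r == best):
        # A best-match constraint without <auth-constraint> allows anonymous access.
        findings.append(f"best-matching constraint for {path} has no auth-constraint")
    methods = [(m.text or "").strip() for m in find_all(root, "auth-method")]
    if methods != ["KEYCLOAK"]:
        findings.append(f"auth-method is {methods or 'missing'}, expected KEYCLOAK")
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML, "/index.jsp"):
        print("FINDING:", finding)
```

An empty result only rules out the first two causes; the adapter configuration in `standalone.xml` or `WEB-INF/keycloak.json` still has to be checked separately.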
Can anyone point me to some example Oracle configuration?
Tom W. Nuernberger
Programmer Analyst IV
Texas Commission on Environmental Equality
12100 Park 35 Circle | Bldg. A | Austin, TX 78753