We get lots of errors like this:
2016-01-20 12:02:37,441 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-1) failed to turn code into token: java.net.SocketException: Connection timed out
which makes the login slow or fail.
We are using Keycloak 1.7.0 Final and broker a SAML 2.0 IDP (ADFS). The WildFly app server and Keycloak are both standalone.
I'm trying to upgrade Keycloak 1.2.0 Final to a newer version, and encountered the following error while the system tries to update the database:
00:55:20,179 ERROR [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 60) Change Set META-INF/jpa-changelog-1.3.0.xml::1.3.0::firstname.lastname@example.org failed. Error: Can't DROP 'FK_PMConfig'; check that column/key exists [Failed SQL: ALTER TABLE auth_table.PROTOCOL_MAPPER_CONFIG DROP FOREIGN KEY FK_PMConfig]: liquibase.exception.DatabaseException: Can't DROP 'FK_PMConfig'; check that column/key exists [Failed SQL: ALTER TABLE auth_table.PROTOCOL_MAPPER_CONFIG DROP FOREIGN KEY FK_PMConfig]
I have tried upgrading to 1.3.1 as well as to 1.7.0 directly, but the same error message was shown.
Can someone point me in the right direction?
Thanks very much!
Hi to all,
I'm facing up to the integration with the Pentaho authentication mechanism. Pentaho authentication is based on Spring Security, and I know Keycloak offers a Spring Security Adapter by which I can secure a Spring-secured application with Keycloak authentication.
In particular I'd like to know if org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider is fully compliant with Pentaho login authentication in terms of userDetails too. At a first glance the answer seems to be YES. But before I undertake a deeper integration process (which will take me time and maybe a big activity effort), it could be useful to know if I'm missing something important I have to fight with. Thanks a lot.
Would anyone be willing to point me to some good working examples that are REST services built with Spring Boot but can leverage Keycloak for authentication? I had no trouble integrating a webapp with the SAML protocol, but this OpenID Connect (/OAuth2?) area of things is really
All I'm trying to do is secure the REST endpoints I made and then, when I actually hit a controller, also be able to pull some role or attribute information off the Authentication token.
I tried to cobble together something using the reference guide and the adapters sections, but to no avail. In particular I followed the 8.9 Spring Boot Adapter, but I get 302s and this in the response if I try a rest client...
2016 Jan 14 18:41:13
At any rate, I tried some extra Spring Security and other mentions down further in the guide, but I'm definitely digging myself into a little hole! Any help would be greatly appreciated!
Possibly uneducated guess with this subject, but can Spring Security OAuth be used with this? Probably can't with the OpenID JWT responses?
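Whatever adapter ends up in front of the controllers, the roles the poster wants come from the access token's realm_access and resource_access claims, and they are only trustworthy after the token's signature, expiry and audience have been checked. The following is an added example (not code from the original post or from Keycloak) that shows that order of checks and the role extraction. Assumptions, marked in the code: a hypothetical client id webinar-api, a constructed sample token, and HS256 with a demo secret so the check runs offline. Keycloak actually signs tokens with RS256 using the realm's key pair, so a real adapter swaps the HMAC comparison for an RSA signature check against the realm's public key; everything after that step is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. A real Keycloak realm signs with RS256 and a per-realm
# RSA key, not with a shared secret; HS256 is used here only so it runs offline.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"
CLIENT_ID = "webinar-api"          # hypothetical client registered in the realm
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.org/auth/realms/demo",   # hypothetical realm
    "sub": "f3b1d2c4-0000-4000-8000-000000000001",
    "aud": CLIENT_ID,
    "azp": CLIENT_ID,
    "exp": 1453300000,              # fixed so the checks are reproducible
    "preferred_username": "organizer1",
    "realm_access": {"roles": ["organizer", "offline_access"]},
    "resource_access": {CLIENT_ID: {"roles": ["api-user"]},
                        "other-client": {"roles": ["admin"]}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT with the Keycloak-style claim layout above."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


SAMPLE_TOKEN = mint_demo_token(SAMPLE_CLAIMS)


def verify_and_extract_roles(token, client_id, secret=DEMO_SECRET, now=None):
    """Verify signature, expiry and audience first, then collect the roles that
    apply to client_id (realm roles plus that client's resource_access roles)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    # 1. Signature over header.payload; nothing read before this is trusted.
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature check failed")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    # 2. Expiry.
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # 3. Audience: the token must be meant for this client (aud or azp).
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud and claims.get("azp") != client_id:
        raise ValueError("token not issued for this client")
    # 4. Roles: realm roles plus the client roles for *this* client only.
    roles = set(claims.get("realm_access", {}).get("roles", []))
    roles |= set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return roles


def forge_role(token: str, extra_role: str) -> str:
    """Tampering demo: add a realm role to the payload but keep the old signature."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims.setdefault("realm_access", {}).setdefault("roles", []).append(extra_role)
    return f"{h}.{_b64url(json.dumps(claims).encode())}.{s}"


if __name__ == "__main__":
    print(sorted(verify_and_extract_roles(SAMPLE_TOKEN, CLIENT_ID, now=1453299000)))
```

Note that roles of "other-client" are deliberately not returned: a resource server should only honour resource_access entries keyed by its own client id, otherwise a token issued for one client grants its roles everywhere.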
I was trying to configure Swagger UI (http://swagger.io/swagger-ui/) so it will use Keycloak for OAuth2 authorization.
Swagger UI supports the 'Authorization Code Grant' flow and the 'Implicit Grant' flow. I managed to configure Swagger UI to use the 'Authorization Code Grant' flow, but I did not succeed with the implicit flow.
I think this is because Keycloak expects the response_type url parameter to be 'id_token token', while Swagger UI uses the url parameter
RFC 6749 also states (https://tools.ietf.org/html/rfc6749#section-4.2.1) that the response_type parameter should be 'token'. So why is it that Keycloak requires the value 'id_token token'?
Is it possible to configure Keycloak, so it will accept 'token' as
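For reference, here is what an implicit-flow authorization request and its fragment response look like from the client's side, as an added example that is not part of the original post, of Swagger UI or of Keycloak. The Keycloak base URL, realm, client id and redirect URI are hypothetical, and the redirect returned by demo_redirect is constructed (its id_token is unsigned so the example runs offline; a real one is RS256 and is verified by the OIDC library before anything in it is trusted). With response_type 'id_token token' the client receives both tokens in the URL fragment and must check state (session binding) and the id_token nonce (replay protection) before using them; urlencode writes the space in 'id_token token' as '+', which the server decodes back to a space.

```python
import base64
import json
import secrets
import urllib.parse

# Hypothetical deployment values.
KEYCLOAK_BASE = "https://sso.example.org/auth"
REALM = "demo"
CLIENT_ID = "swagger-ui"
REDIRECT_URI = "https://api.example.org/swagger/o2c.html"
AUTH_ENDPOINT = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth"


def build_implicit_request(response_type="id_token token", state=None, nonce=None):
    """Return (url, state, nonce) for an OIDC implicit-flow authorization request.
    state binds the response to this browser session; nonce binds the id_token to it."""
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": response_type,   # "id_token token" is encoded as id_token+token
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTH_ENDPOINT}?{urllib.parse.urlencode(params)}", state, nonce


def _unverified_payload(jwt: str) -> dict:
    """Decode a JWT payload without checking the signature. Only used to read the
    nonce; the OIDC library still has to verify the signature before the token is used."""
    p = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))


def parse_implicit_response(redirected_url: str, expected_state: str, expected_nonce: str) -> dict:
    """Validate the fragment the browser is redirected back with."""
    parts = urllib.parse.urlsplit(redirected_url)
    if parts.query:
        query = dict(urllib.parse.parse_qsl(parts.query))
        if "access_token" in query or "id_token" in query:
            raise ValueError("tokens must arrive in the fragment, not the query string")
    params = dict(urllib.parse.parse_qsl(parts.fragment))
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error']}: {params.get('error_description', '')}")
    if params.get("state") != expected_state:
        raise ValueError("state mismatch (possible CSRF or stale response)")
    if "access_token" not in params or "id_token" not in params:
        raise ValueError("response_type 'id_token token' must return both tokens")
    if _unverified_payload(params["id_token"]).get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed id_token)")
    return params


def demo_redirect(state: str, nonce: str) -> str:
    """Constructed redirect in the shape Keycloak sends back for the implicit flow.
    The id_token here is unsigned ('alg': 'none') so the example runs offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    id_token = f"{b64({'alg': 'none'})}.{b64({'nonce': nonce, 'sub': 'u1'})}."
    frag = urllib.parse.urlencode({
        "access_token": "constructed-access-token",
        "token_type": "bearer",
        "expires_in": "300",
        "id_token": id_token,
        "state": state,
    })
    return f"{REDIRECT_URI}#{frag}"


if __name__ == "__main__":
    url, state, nonce = build_implicit_request()
    print(url)
    print(parse_implicit_response(demo_redirect(state, nonce), state, nonce)["access_token"])
```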
As the KeyCloak docs (
You can bundle a theme into a jar and deploy it as a WildFly module. This all works fine, but the module is not hot-deployable. Whenever you make changes, you need to remove the module, then add it again and restart
As you can imagine this is not ideal.
I'm trying to deploy the jar as a normal deployment, as in WildFly you can deploy jar files like you do war files. When you deploy like this, the module name is deployment.javafilename.jar
Then I added this name to the keycloak-server.json file, but when I restart KeyCloak it is not identifying the module.
Is there any other way where I can get my themes to reload once I redeploy
Note that as per the Keycloak docs, I disabled the theme cache as well.
We have two applications which provide webinar functionality.
1) Provisioning app -- Organizers provision webinars and manage their account. Since organizers are Keycloak users, I can secure the provisioning app out of the box.
2) Webinar app -- The users of this app are organizers and participants. Participants are not provisioned as Keycloak users. Those are guest
My question is how do we secure the second app with Keycloak?
*Note*: Both apps will be under the same realm.
Is there any way to secure it with a custom field like webinarId which is passed as a parameter?
Or is there a better solution?
Under the same realm, securing one app with Keycloak users and the other app with
Thanks for the great work.
Thanks & Regards
I'm facing some issues with the Role Mapping of user accounts in Keycloak Server (v1.7.0) which are imported from our Active Directory.
I configured the User Federation and added some Role Mappers to map AD groups to Realm Roles.
The user accounts are imported from AD and the Groups are added as Realm Roles.
But the Roles are not assigned to the User Accounts inside Keycloak after the Import.
Finally I could narrow the issue down to the naming scheme in our Active Directory:
Our IT adds users as "CN=<LastName>, <FirstName>" and "DN=<LastName>\, <FirstName>,OU=...,DC=...,DC=..."
The DN (with the escaped comma) is also used as the group member attribute.
It seems that Keycloak has an issue with special characters in the CN / DN.
Is there anything I can do in my current Keycloak instance, or does this need to be fixed in an upcoming version of Keycloak?
Testing Engineer Security
Barco Control Rooms GmbH
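The DN in the post is the classic case where a naive split on ',' breaks: RFC 4514 escapes the comma inside the CN value as '\,', so a DN like 'CN=Mustermann\, Max,OU=Users,DC=example,DC=org' has four RDNs, not five, and a group's member value only matches the user's DN if both sides are parsed and compared the same way. As an added example (not Keycloak code, and not a statement about how Keycloak's LDAP federation parses DNs), here is a small RFC 4514 splitter plus a case-insensitive DN comparison used to match a user against a group's member values. The sample DNs are constructed in the naming scheme the post describes.

```python
import string

# Constructed sample entries in the naming scheme the post describes
# ("CN=<LastName>, <FirstName>", comma escaped with a backslash in the DN).
USER_DN = "CN=Mustermann\\, Max,OU=Users,DC=example,DC=org"
GROUP_MEMBERS = [
    "CN=Admin\\, Alice,OU=Users,DC=example,DC=org",
    "cn=mustermann\\, max,ou=users,dc=example,dc=org",   # same user, different case
]


def naive_rdn_count(dn: str) -> int:
    """What a plain split(',') sees: the escaped comma becomes a bogus extra RDN."""
    return len(dn.split(","))


def split_dn(dn: str) -> list:
    """Split an RFC 4514 DN on unescaped commas only."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])    # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def unescape_rdn_value(value: str) -> str:
    """Resolve backslash escapes (backslash-comma, backslash-plus, double backslash)
    and two-digit hex escapes, which encode UTF-8 bytes."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
                continue
            out.extend(value[i + 1].encode("utf-8"))
            i += 2
            continue
        out.extend(value[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> list:
    """DN -> [(attribute type, unescaped value), ...] in the order written."""
    parsed = []
    for rdn in split_dn(dn):
        attr, sep, val = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        parsed.append((attr.strip(), unescape_rdn_value(val.strip())))
    return parsed


def _normalized(dn: str) -> list:
    # Assumption: values are compared case-insensitively, as AD does for its DNs.
    return [(t.lower(), v.lower()) for t, v in parse_dn(dn)]


def dn_equal(a: str, b: str) -> bool:
    return _normalized(a) == _normalized(b)


def is_group_member(user_dn: str, member_values: list) -> bool:
    """Match a user's DN against a group's member attribute values."""
    return any(dn_equal(user_dn, m) for m in member_values)


if __name__ == "__main__":
    print(naive_rdn_count(USER_DN), "parts with split(',') vs", len(split_dn(USER_DN)), "RDNs")
    print(parse_dn(USER_DN))
    print("member:", is_group_member(USER_DN, GROUP_MEMBERS))
```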
How can I get direct access grants for a user set up with totp?
I tried posting the totp code, but received this error.
"error_description": "Account is not fully set up"
Invenco Group Limited
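Direct access grant is the OAuth2 resource owner password grant: one POST to the realm's token endpoint with username and password, and for a TOTP-enrolled user the current one-time code sent in the same form. Below is an added example (not code from the original post or from Keycloak) that computes RFC 6238 TOTP codes with Keycloak's default parameters (SHA-1, six digits, 30-second period), decodes a Base32 secret as shown in an enrolment QR code, and builds the form body. Assumptions, marked in the code: the Keycloak base URL and realm are hypothetical, and the OTP form parameter name 'totp' is an assumption for the version discussed. The secret in the usage block is the RFC 4226/6238 test-vector secret so the codes can be checked against the RFC tables.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Hypothetical deployment values.
KEYCLOAK_BASE = "https://sso.example.org/auth"
REALM = "demo"
TOKEN_ENDPOINT = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/token"

# RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890"), constructed input.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, period: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    Keycloak's defaults are SHA-1, 6 digits and a 30-second period."""
    at = int(time.time()) if at is None else int(at)
    return hotp(secret, at // period, digits, algo)


def secret_from_base32(encoded: str) -> bytes:
    """Secrets shown as Base32 in the enrolment QR code / otpauth URI must be decoded first."""
    compact = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(compact + "=" * (-len(compact) % 8))


def direct_grant_body(client_id, username, password, otp=None, client_secret=None) -> str:
    """Form body for Keycloak's direct access grant (OAuth2 'password' grant), POSTed
    as application/x-www-form-urlencoded to TOKEN_ENDPOINT. The OTP field name 'totp'
    is an assumption for the version discussed; the code goes in the same POST."""
    params = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password}
    if client_secret is not None:
        params["client_secret"] = client_secret    # confidential clients only
    if otp is not None:
        params["totp"] = otp
    return urllib.parse.urlencode(params)


def parse_form_body(body: str) -> dict:
    """Inverse of direct_grant_body, handy for inspecting what would be sent."""
    return dict(urllib.parse.parse_qsl(body))


if __name__ == "__main__":
    # Codes from the RFC 6238 table (8 digits): 59 -> 94287082, 1234567890 -> 89005924.
    print(totp(RFC_SECRET, at=59, digits=8), totp(RFC_SECRET, at=1234567890, digits=8))
    code = totp(secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"))
    print("POST", TOKEN_ENDPOINT)
    print(direct_grant_body("webinar-api", "organizer1", "hypothetical-password", otp=code))
```

Two practical points follow from the code: a code computed on a clock more than one period away from the server's is rejected, so clock skew between the client and the Keycloak host shows up as "invalid OTP" rather than as a configuration error, and the password plus the OTP travel in one POST body, so the token endpoint must only ever be used over TLS.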
The project I am currently working on has its own unique encryption
I would like to know if it is possible to change the default Keycloak encryption with my own module?