I have 2 bearer rest layers (A,B): A calls B. In front I have an angular
web layer calling A -> B.
What are the best practices to handle "Token is not active" when the user sits
in front idle and the token becomes inactive, the http session is still valid but the KC
token expired? If B reaches token not active on the call from A to B,
how would I propagate this to the front layer?
A has to consume the ValidationException from B and notify the front layer to
auto logout, or prompt the user with a message saying 'your session
expired, please login', or automatically throw the user into the login
prompt in front.
For this scenario above, can anyone share some thoughts?
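An added example (not from this thread) of the front-layer side of the scenario above: it checks the Keycloak access token's `exp` claim before a call and classifies A's response, assuming A translates B's rejection into an RFC 6750 style `401` with `WWW-Authenticate: Bearer error="invalid_token"`; the token, header values and helper names are constructed for illustration.

```javascript
// Build a base64url segment (used only to construct the sample token below).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed, unsigned sample token; a real one is issued by Keycloak.
const SAMPLE_TOKEN =
  `${b64url({ alg: 'none' })}.${b64url({ exp: 1700000000, preferred_username: 'bob' })}.sig`;

// Decode the JWT payload without verifying the signature: the browser only
// reads the claims to decide whether to re-login, it never trusts them for
// authorization (that stays with A and B, which verify the signature).
function decodePayload(jwt) {
  const b64 = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// True when exp (seconds since epoch) has passed, allowing some clock drift
// between the browser and the Keycloak server.
function isTokenExpired(jwt, nowSeconds, skewSeconds = 30) {
  const { exp } = decodePayload(jwt);
  if (typeof exp !== 'number') return true; // no exp: treat as unusable
  return nowSeconds >= exp - skewSeconds;
}

// Classify a response from service A. Only a 401 that A marks as a token
// problem should trigger re-login; a 403 is a permission issue, not a
// session issue, and must not log the user out.
function classifyResponse(status, wwwAuthenticate) {
  if (status !== 401) return 'proceed';
  const hdr = (wwwAuthenticate || '').toLowerCase();
  return hdr.includes('error="invalid_token"') ? 'reauthenticate' : 'unauthorized';
}

// What the UI should do: pre-empt the call when the token is already stale,
// otherwise act on A's answer (e.g. redirect to the Keycloak login page).
function nextAction(jwt, nowSeconds, status, wwwAuthenticate) {
  if (isTokenExpired(jwt, nowSeconds)) return 'redirect-to-login';
  const c = classifyResponse(status, wwwAuthenticate);
  return c === 'reauthenticate' ? 'redirect-to-login' : c;
}
```

In a browser, replace `Buffer` with `atob` on the base64url-normalized segment; the logic is otherwise unchanged.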
I have a basic question which I searched through the documentation but was
not able to find.
Can you please let me know which flow is supported by Keycloak for OpenID
on the JBoss platform?
I am exploring OpenID Connect as a way to secure my Java applications using
These applications are hosted on JBoss.
How can we make single sign out work when passing bearer tokens to a server guarded by a «traditional» session based Oauth2 client / adapter?
One solution could be to detect the creation of a session and, internally via an extended REST API, tell the Keycloak server to also create a session for the client with the admin URL (connecting it to the created session ID). But it just sounds as if this should be covered out-of-the-box, so maybe I'm just missing or misunderstanding something...
We found an issue with the COMPOSITE_ROLE DB table, the issue might have occurred when creating multiple realms in parallel.
We noticed that create realm API fails on timeout and DB showed locks on table COMPOSITE_ROLE.
Further investigation revealed that the COMPOSITE_ROLE table contains a lot of duplicate rows, instead of about 4000 rows there were over a million rows.
Deleting the duplicate rows solved the issue.
Any idea what might have caused the duplicated rows, or how to prevent it?
Also, we have about 4000 rows in the COMPOSITE_ROLE table. Does that make sense for about 160 realms? (Maybe we need to do some cleanup.)
Can we use bearer-only with authorization?
If it can be, how can we use it? Are there any examples?
When I try to use it with the photoz example, I get bad request (or 403, I am not
sure, I changed a lot of things).
Because I don't want redirect or store session, it can be used by mobile.
Thank you for helping.
We are planning on using Keycloak to authenticate users in our environment. There will be multiple sources of user logins.
1. Local to Keycloak
2. Using a Federation provider to pull accounts from on a one time basis (The first time the user logs in they will authenticate using the p/w in the Federation server, and subsequent logins will occur entirely in Keycloak)
3. Using a third party IDP (like Microsoft, Google, etc.), but the initial source of these accounts might be local in Keycloak.
I of course can do #1, and know how to do #2. For #3 I have the external 3rd party IDP working.
But what we would like to have is this:
1. A user goes to a form in which they enter the username only.
2. If the user is new, it asks them to create an account
3. If the user is new, but we know the login to be associated with a third party IDP, we go there, and link the account.
4. If the user is not new, and if they are linked to third party IDP, it automatically loads that IDP page without having to pick that login.
Here is the workflow we are thinking.
An admin adds a list of accounts (either csv, or somehow else) into Keycloak, but it says that all these accounts need to be authenticated by some third party IDP. So when a user logs into Keycloak and enters their password, it automatically redirects the user to the 3rd party IDP and then associates the local Keycloak login with the IDP without having to do too much.
Does this make sense?
I need to create a bearer token by admin on behalf of other users.
1. I have admin user and password.
2. I have the user name (e.g. bob).
3. I want to create the bearer token and to access the bearer client.
4. When I access the bearer client with the bearer token, it authenticates the user (e.g. bob).
How can I do it?
Thank you for your help,
We would like to add custom attributes (using custom logic including custom database queries) to the user session in Keycloak on authentication. What is the best way to do this? We use an LDAP/AD user federation provider.
Should we write a custom user attribute mapper and add it to our user federation provider? I guess we could also write a custom token mapper and misuse it a little in that it will only add data to the user session and not to the token?
Previously we had a custom token mapper that added this custom data to the token; however, it is becoming too much data and we have reached the max size limit (JWT tokens are transported as HTTP headers and those have a max size of 8kb). So now we are thinking of adding this data to the user session in Keycloak and, when we need it later on, getting it from Keycloak using Keycloak's REST API.