The proxy makes a call to Keycloak with a Bearer token and the correct X-Forwarded-* headers. Keycloak/Wildfly is configured with proxy-address-forwarding=true.
The request is authenticated in Keycloak with this line in AuthenticationManager.java:
AccessToken token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()), checkActive, checkTokenType);
This assumes that the "configured issuer" of a token is the JAX-RS UriInfo#getBaseUri() and fails with:
2016-05-21 23:52:37,109 DEBUG [org.keycloak.services] (default task-16) Failed to verify identity token: org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is http://localhost:8080/auth/realms/master, but URL from configuration is http://192.168.99.100:8081/auth/realms/master
The UriInfo#getBaseUri() does not take the X-Forwarded-* headers into account.
How can I call the API with a token obtained through a reverse proxy?
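Added example, not Keycloak's own code: a small model of the issuer check described above, showing how the expected issuer string is derived from the raw base URI (what UriInfo#getBaseUri() yields) versus from the X-Forwarded-* headers, and why those headers may only be honoured when the request comes from a known proxy address, since otherwise any caller could pick the issuer string its token is compared against. The base URI and token issuer are the ones from the error message above; the proxy address 10.0.0.5 is a constructed value.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class IssuerCheck {

    /** Issuer derived from the request base URI: {baseUri}/realms/{realm}, as in the error message. */
    static String issuerFromBaseUri(URI baseUri, String realm) {
        return baseUri.toString().replaceAll("/+$", "") + "/realms/" + realm;
    }

    /**
     * Same rule, but scheme/host/port are taken from X-Forwarded-* when, and only when, the peer
     * is a trusted proxy. Header names are matched exactly here; a real server gives case-insensitive access.
     */
    static String issuerBehindProxy(URI baseUri, String realm, Map<String, String> headers,
                                    String remoteAddr, Set<String> trustedProxies) throws URISyntaxException {
        if (!trustedProxies.contains(remoteAddr)) {
            return issuerFromBaseUri(baseUri, realm);   // untrusted peer: its forwarded headers are ignored
        }
        String scheme = headers.getOrDefault("X-Forwarded-Proto", baseUri.getScheme());
        String host = headers.getOrDefault("X-Forwarded-Host", baseUri.getHost());
        int port = baseUri.getPort();
        int colon = host.indexOf(':');
        if (colon >= 0) {                               // "host:port" form of X-Forwarded-Host
            port = Integer.parseInt(host.substring(colon + 1));
            host = host.substring(0, colon);
        }
        if (headers.containsKey("X-Forwarded-Port")) {
            port = Integer.parseInt(headers.get("X-Forwarded-Port"));
        }
        if (("http".equals(scheme) && port == 80) || ("https".equals(scheme) && port == 443)) {
            port = -1;                                  // drop default ports so the string matches what clients see
        }
        URI external = new URI(scheme, null, host, port, baseUri.getPath(), null, null);
        return issuerFromBaseUri(external, realm);
    }

    /** The verifier's comparison is an exact string match, which is why the two derivations above matter. */
    static boolean issuerMatches(String tokenIssuer, String expectedIssuer) {
        return tokenIssuer.equals(expectedIssuer);
    }

    public static void main(String[] args) throws Exception {
        URI backendBase = new URI("http://192.168.99.100:8081/auth");          // from the error message
        String tokenIssuer = "http://localhost:8080/auth/realms/master";       // iss claim from the error message

        Map<String, String> forwarded = new HashMap<>();                       // constructed proxy headers
        forwarded.put("X-Forwarded-Proto", "http");
        forwarded.put("X-Forwarded-Host", "localhost");
        forwarded.put("X-Forwarded-Port", "8080");
        Set<String> trustedProxies = Collections.singleton("10.0.0.5");       // constructed proxy address

        String raw = issuerFromBaseUri(backendBase, "master");
        String viaTrustedProxy = issuerBehindProxy(backendBase, "master", forwarded, "10.0.0.5", trustedProxies);
        String viaUntrustedPeer = issuerBehindProxy(backendBase, "master", forwarded, "203.0.113.9", trustedProxies);

        System.out.println("raw base URI      : " + raw + " matches=" + issuerMatches(tokenIssuer, raw));
        System.out.println("trusted proxy     : " + viaTrustedProxy + " matches=" + issuerMatches(tokenIssuer, viaTrustedProxy));
        System.out.println("untrusted peer    : " + viaUntrustedPeer + " matches=" + issuerMatches(tokenIssuer, viaUntrustedPeer));
    }
}
```

The trusted-proxy gate is the same role that proxy-address-forwarding plays on the Wildfly side: the forwarded values are only safe to use for the issuer when the server can be sure they were set by its own proxy.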
I was wondering, is there an API JAR that would allow me to interact with Keycloak in a more type-safe way? I've been through the REST API and I suspect it will do everything I need, but the work to actually build out the client seems pretty heavy, so having an existing client sounds pretty
I am trying to create an admin user for a specific realm programmatically. I am able to create the user; however, I can't assign the realm client roles to it.
For example, in the UI I would go to the user's 'Role Mappings', choose the realm client role and move the required roles from the Available section to the Assigned section.
When I try to do it programmatically I get a 404. My code is below; note that I get the 404 on the last line, adminUserClientRole.listAvailable().
import org.keycloak.admin.client.resource.*; // RealmResource, UserResource, RoleMappingResource, RoleScopeResource

createUserAndPsw(keyCloakClient, "master", user);
RealmResource realm = keyCloakClient.realm("master");
UserResource userResource = realm.users().get(user.getKeyCloakId());
RoleMappingResource roles = userResource.roles();
RoleScopeResource adminUserClientRole = roles.clientLevel(tenantId + "-realm");
adminUserClientRole.listAvailable(); // the 404 is thrown here
Any advice will be appreciated.
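Added example, not part of the original post and not Keycloak's code: the client-level role-mapping resource is addressed by the client's internal id (a UUID), not by its clientId, so the clientId is resolved first and the UUID is passed to clientLevel(). It uses the Keycloak admin-client API (org.keycloak.admin.client); the server URL, admin password, user id, clientId "tenant1-realm" and role name "manage-users" are placeholders.

```java
import java.util.Collections;
import java.util.List;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RoleScopeResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;

public class AssignClientRole {

    public static void main(String[] args) {
        // Placeholder connection details; use a dedicated admin account, never a shared one.
        Keycloak keycloak = Keycloak.getInstance(
                "http://localhost:8080/auth", "master", "admin", "ADMIN_PASSWORD_PLACEHOLDER", "admin-cli");
        RealmResource realm = keycloak.realm("master");

        String userId = "USER_UUID_PLACEHOLDER";   // internal id of the user created earlier (placeholder)
        String clientId = "tenant1-realm";         // the client's clientId as shown in the console (placeholder)

        // The role-mapping endpoint is keyed by the client's internal id, so resolve clientId -> id first.
        // Passing the clientId string directly is what produces the 404.
        List<ClientRepresentation> clients = realm.clients().findByClientId(clientId);
        if (clients.isEmpty()) {
            throw new IllegalStateException("no client with clientId " + clientId);
        }
        String clientUuid = clients.get(0).getId();

        RoleScopeResource clientRoles = realm.users().get(userId).roles().clientLevel(clientUuid);

        // Same list the console shows under "Available" for this client.
        List<RoleRepresentation> available = clientRoles.listAvailable();
        for (RoleRepresentation r : available) {
            System.out.println("available: " + r.getName());
        }

        // Assign only the role actually needed. Look it up on the client so the representation
        // carries the role id, then add it to the user's client-level mappings.
        RoleRepresentation wanted = realm.clients().get(clientUuid).roles()
                .get("manage-users").toRepresentation();   // placeholder role name
        clientRoles.add(Collections.singletonList(wanted));

        for (RoleRepresentation r : clientRoles.listEffective()) {
            System.out.println("effective: " + r.getName());
        }
    }
}
```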
During a partial import, selecting OVERWRITE, Keycloak throws the following error:
UT005023: Exception handling request to /auth/admin/realms/test/partialImport: org.jboss.resteasy.spi.UnhandledException: org.hibernate.LazyInitializationException: failed to lazily initialize a collection, could not initialize proxy - no Session
Is this feature broken in keycloak 1.9.1.FINAL?
I'm trying to change a parameter in an identity provider. Is this possible through this method?
I also get the error when I try to import the full identity provider, for which the partial import works when it does not exist.
Hi, is it possible to configure Keycloak to run with the Jetty Maven Plugin? Has anyone done this?
I didn't find an equivalent way to do the steps below in the pom file.
java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak
I was able to configure Keycloak to run with the Tomcat Maven Plugin.
If anyone needs help with that, let me know.
I get this error when migrating my database and upgrading to 1.9.3:
"Property 'databaseSchema' needs to be specified in the configuration"
I have this in my keycloak-server.json file:
I have configured Openshift + Keycloak as Identity Provider
This request, which was working with version 1.9.2.Final, doesn't work anymore with 1.9.4.Final --> "Invalid parameter: redirect_uri" is displayed within the web browser.
The server reports this error :
19:09:34,964 WARN [org.keycloak.events] (default task-5) type=LOGIN_ERROR,
realmId=openshift, clientId=openshift, userId=null, ipAddress=192.168.1.80,
error=invalid_redirect_uri, response_type=code, redirect_uri=
Do we have to change something within the config (clientId, ...) ?
I have a client with a service account and credentials using Signed Jwt.
Authentication works fine. The service uses
to create the JWT token and set the headers, and I get back a JWT
containing an access token from Keycloak.
However, when I use jwt.io to look at the access token, I can't validate
the signature. This is true whether I use the client Certificate (from
the client's Credentials tab), the Realm public key, or the Realm
Certificate. In addition, I have generated the client's public key from
the certificate using
keytool -exportcert -alias x -keypass y -storepass z -rfc -keystore
client-keystore.jks | openssl x509 -inform pem -pubkey
on the jks file supplied when I generated the client credentials, and
that doesn't work either.
We've also been having trouble validating the signature programmatically.
Any idea why I might be seeing this?
We're running into an issue unchecking a checkbox in our account theme and
came across the following post with no answer. As Libor asks the question
elegantly, I'll copy his text verbatim and hope someone now has an answer.
I’d like to use user attributes to store information like “Subscribe
to newsletter” which is obviously checkbox.
How should I implement it in my account.ftl?
I have in account.ftl:
<label for="user.attributes.newsletter" class="control-label">
<input type="checkbox" class="form-control"
id="user.attributes.newsletter" name="user.attributes.newsletter" <#if
When I tick it and submit the form everything is OK, but when I untick it and submit, the checkbox is still checked.
I guess it’s because checkbox state is included in HTTP Form Data only
when it’s checked.
How do I handle this in the KC UI?
I remember that other frameworks used some hidden fields to post the information whether the checkbox was ticked or not. But I'm not sure how the KC GUI framework handles this use case.
Libor Krzyžanek, jboss.org Development Team
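Added example, not from the original post and not Keycloak's own form handling: the hidden-field pattern Libor mentions, with the markup it assumes in a comment and the server-side rule that goes with it. A hidden input with the same name precedes the checkbox, so the attribute name is always submitted; when the box is ticked the browser sends both values in document order, and the last one wins. It is assumed here that the form handler keeps the last value for a repeated name, which must be checked against how account.ftl submissions are actually read; the request bodies are constructed.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class CheckboxForm {

    /*
     * Assumed markup for account.ftl (the FreeMarker condition is a guess at the attribute accessor):
     *
     *   <input type="hidden"   name="user.attributes.newsletter" value="false">
     *   <input type="checkbox" name="user.attributes.newsletter" value="true"
     *          id="user.attributes.newsletter" class="form-control"
     *          <#if (user.attributes.newsletter!"") == "true">checked</#if>>
     */

    /** Parse an application/x-www-form-urlencoded body, keeping repeated names in submission order. */
    static Map<String, List<String>> parseForm(String body) throws UnsupportedEncodingException {
        Map<String, List<String>> form = new LinkedHashMap<>();
        if (body.isEmpty()) {
            return form;
        }
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), "UTF-8");
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
            form.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return form;
    }

    /**
     * Value to store for the attribute: the last value submitted under that name, "false" when absent.
     * Anything other than the literal "true" is normalised to "false", so a client cannot store
     * arbitrary text in the attribute through this field.
     */
    static String checkboxValue(Map<String, List<String>> form, String name) {
        List<String> values = form.get(name);
        if (values == null || values.isEmpty()) {
            return "false";
        }
        return "true".equals(values.get(values.size() - 1)) ? "true" : "false";
    }

    public static void main(String[] args) throws Exception {
        String name = "user.attributes.newsletter";
        // Constructed bodies: a ticked box sends the hidden field and the checkbox, an unticked box only the hidden field.
        String ticked = "username=alice&user.attributes.newsletter=false&user.attributes.newsletter=true";
        String unticked = "username=alice&user.attributes.newsletter=false";
        System.out.println("ticked   -> " + checkboxValue(parseForm(ticked), name));
        System.out.println("unticked -> " + checkboxValue(parseForm(unticked), name));
    }
}
```

Without the hidden field the unticked case submits nothing for the attribute, so a handler that only updates attributes it receives leaves the old "true" in place, which is exactly the behaviour described above.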