I am building a multi-tenant mobile application that uses keycloak as a SSO server. We will pre-load users in keycloak using their email address as their username with a separate realm for each tenant. When a user logs into the mobile app I need to detect the realm from a user's email domain and redirect to the appropriate authorisation end point for the realm. Has anyone faced a similar problem?
My thoughts at the moment is to build a proxy api that the mobile application redirects to that prompts the user for their email address, look up the configured tenant form the email domain and redirects to the appropriate realm's login page passing the mobile app credentials it passes to the proxy api and the entered user email as a login_hint.
Can anyone see any issues with this approach? Or a suggest a better approach?
Hello all,I’m working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I’m not familiar with the specific terminology, I’m thinking of something similar to how GitHub manages their permissions:- A single user can be a member of multiple organizations- A user can have a different roles with different organizations that grant them access to all of an organization's resources- A user can have access to a specific resource- That organization-specific role determines access to different organization resourcesAre there any best practices or patterns for this model? Thanks!Justin
I'm trying to sync the LDAP groups into Keycloak but it doesn't update the
membership if I add or remove it from a group in LDAP.
I was able to sync the groups and its users into Keycloak correctly if
those wasn't provisioned before. For example, if the user already exists in
Keycloak DB (provisioned from LDAP) and I remove it from a LDAP group (also
provisioned from LDAP), the user in Keycloak continues to being a member of
the group in the Groups tab of user's details screen and in client's group
mappers. However, if I open the Members tab of group's details screen the
user was removed from the group.
Is there any way to solve this problem? Because of my company policy I
can't use Keycloak to manage the groups.
I'm using Keycloak 2.5.1.
Thanks for the help
Dear Keycloak users.
I am very new to keycloak and I really like it. it is great.
I am currently migrating a legacy app ( using it's own user management ) to
I have set-up keycloak with openid connect and it works very well. At this
point we need to decide
if we will use keycloak as our main user store or we will set-up an LDAP.
My question is that. Is keycloak designed in a way that it can fullfil all
the responsibilities of the main user store?
Any risk with this at all?
ps: our userbase is small and at this point I am not sure if we want to add
ldap just for this.
*Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I *
Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to
authenticate (both SP initiated and IdP initiated) it fails with this error
01:40:54,626 WARN [org.keycloak.events] (default task-7)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null,
userId=null, ipAddress=172.17.0.1, error=staleCodeMessage
01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService]
(default task-7) staleCodeMessage
I suspect its a setup issue on my side, so was hoping someone else has
tried this and can give tips. I even tried the import feature, no luck.
Would therebe any way to pass additional attributes (say, something from a
REST API call's headers or body) to an authorization request, and access it
Evaluation API currently is pretty limited.
What is the best setup to develop custom SPI for Keycloak. I just skimmed the example codes in github and wondered on how to test my codes. Not TDD way of testing but a simple, hey, will this run properly?
Anyway, the reason I need to extend this is to create an authentication flow that will use your internal SMS api for subscriber verification.
I'm running a keycloak instance from a docker image, so when I start the
container everything is up an running. Now I want to export the realms
and users to deploy it in production and I've got two chances:
1- Copy the values from the mysql database (I'm using the keycloak-mysql
2- Run the standalone.sh export command.
I would like to go the second way, but I'm into trouble since the
widlfly server is launched with the docker container altogether. I can
browse in to it for the standalone.sh script, but still haven't found a
way to stop it (as the server is launched I get a "Address already in
use" error when I try to perform the export while the server is running).
Any ideas? Thanks in advance
Aritz Maeztu Otaño
Departamento Desarrollo de Software
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40
Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
medioambiente es cosa de todos.
I'm trying to use the REST API of keycloak to seed an initial config for
tests that depend on keycloak, but I only found this doc:
Are there better docs somewhere else?
If not: they barely explain what the entities are, and don't tell me
which parts are settable, required, or server-generated. They also
contain some links to types that are not documented (like Map), and
don't explain how to get a token to play along (found that somewhere
completely different). A set of examples with each endpoint and entity
type would be _greatly_ appreciated too. Otherwise there's a lot of
guesswork involved :(
Otherwise, pretty impressed with the rest of KeyCloak, so don't take
that issue harshly :)