I'm trying to use the REST API of keycloak to seed an initial config for
tests that depend on keycloak, but I only found this doc:
Are there better docs somewhere else?
If not: they barely explain what the entities are, and don't tell me
which parts are settable, required, or server-generated. They also
contain some links to types that are not documented (like Map), and
don't explain how to get a token to play along (found that somewhere
completely different). A set of examples with each endpoint and entity
type would be _greatly_ appreciated too. Otherwise there's a lot of
guesswork involved :(
Otherwise, pretty impressed with the rest of KeyCloak, so don't take
that issue harshly :)
We have been using KeyCloak for several weeks now; one of the flows is user script authentication with an offline token:
1. The user logs in to the UI
2. Generates an offline token by entering his password again
3. Puts the offline token in his script
4. Executes the script
Now we want to add external IDP support. First, is it possible to generate offline tokens for an external IDP in KeyCloak? If so, how?
Second, in step #2 above the user enters his password to generate the offline token; with an external IDP we can't use his password. One alternative is to always generate the offline token at login (add offline_access), however does it make sense to create an offline token for every login?
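A worked example covering both of the questions above (seeding a realm through the Admin REST API, including how to obtain the admin token, and issuing then refreshing an offline token for a script user). It is added here and is not code from either poster or from Keycloak's documentation; the base URL, the admin credentials, the realm "test", the user "alice" and the client "my-script" are assumed placeholders, and only the Python 3 standard library is used:

```python
import base64
import json
import urllib.parse
import urllib.request
BASE = "http://localhost:8080/auth"  # assumed Keycloak base URL (newer builds drop /auth)
TOKEN = BASE + "/realms/{}/protocol/openid-connect/token"

def http_post(url, data, ctype="application/x-www-form-urlencoded", bearer=None):
    """POST raw bytes to a live server; returns (status, Location header, body)."""
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", ctype)
    if bearer:
        req.add_header("Authorization", f"Bearer {bearer}")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.headers.get("Location"), resp.read()

def password_grant(client_id, username, password, scope=None):
    """Password grant body (client needs Direct Access Grants); scope=offline_access
    makes Keycloak hand back an offline token in the refresh_token field."""
    fields = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password}
    if scope:
        fields["scope"] = scope
    return urllib.parse.urlencode(fields).encode()

def refresh_grant(client_id, refresh_token):
    """Body a script sends to turn its stored offline token into a fresh access token."""
    return urllib.parse.urlencode({"grant_type": "refresh_token", "client_id": client_id,
                                   "refresh_token": refresh_token}).encode()

def jwt_claims(token):
    """Unverified payload (local inspection only); Keycloak sets typ "Offline" on offline tokens."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def user_representation(username, email, password):
    """Minimal UserRepresentation accepted by POST /admin/realms/{realm}/users."""
    return {"username": username, "email": email, "enabled": True,
            "credentials": [{"type": "password", "value": password, "temporary": False}]}

if __name__ == "__main__":
    admin_resp = http_post(TOKEN.format("master"), password_grant("admin-cli", "admin", "admin"))
    admin = json.loads(admin_resp[2])["access_token"]  # admin-cli is Keycloak's built-in public client
    rep = json.dumps(user_representation("alice", "alice@example.com", "s3cret")).encode()
    status, location, _ = http_post(f"{BASE}/admin/realms/test/users", rep, "application/json", admin)
    print(status, location)  # Keycloak answers 201 with the new user's URL in Location
    # offline token for the script user via assumed client "my-script", then refresh it
    grant = password_grant("my-script", "alice", "s3cret", "offline_access")
    offline = json.loads(http_post(TOKEN.format("test"), grant)[2])["refresh_token"]
    fresh = json.loads(http_post(TOKEN.format("test"), refresh_grant("my-script", offline))[2])
    print(jwt_claims(offline).get("typ"), "access_token" in fresh)
```

The script only stores the offline token; each run exchanges it for a short-lived access token, so revoking the offline session in the admin console is enough to cut the script off.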
I need help with user impersonation on keycloak.
I am authenticating users through
"/realms/test/protocol/openid-connect/token". As expected, it returns a
In my app, all requests go through apiman, which validates the JWT.
Now, I need to impersonate a user. I'm calling the service
"/admin/realms/test/users/USER_ID/impersonation", sending the token in the
header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...).
The service /impersonation creates the user session on keycloak, however it
doesn't return a JWT, but 3 cookies. *I'd like to get the JWT of the impersonated
user instead of a cookie.* Is it possible?
I am adding keycloak to a legacy application that uses GWT and Jetty.
I have managed to add Keycloak to the application using Spring Security.
Because this is GWT I am doing the authorisation in the application myself.
Spring just provides a way to get access to the KeycloakSecurityContext.
The issue I have is refreshing the token. I can get hold of
a RefreshableKeycloakSecurityContext instance
and use that to get a refresh token. What surprised me is that I cannot
refresh a token if the roles have changed.
Is this correct? I was hoping that the application could notice the role
changes and adapt itself on the fly.
I do not want to have to log out to get the new roles, if at all possible. Is
there something that I have overlooked that will allow
me to use the idToken to get a new accessToken, given that the
authentication of the user is still valid; it is just the roles the user is
in that have changed.
I'm using the entitlement API to protect the resources of my API.
Sometimes the user gets a "not authorized" message, and it's hard for him
to know why.
Is there any way to provide the user with more information about why it was
Something similar to the info provided by the "evaluate" panel, but with
Hello Keycloak Users,
Ultimately, what we want to do is have three nodes in one Kubernetes
namespace that define a cluster. Then be able to add three more nodes to
the cluster in a new namespace that shares the same subnet and database,
then kill off the original three nodes, effectively migrating the
cluster to the new namespace and do all this without anyone being logged
out. The namespace distinction is invisible to Keycloak, as far as I can
What we have tried:
* Start with 3 standalone-ha mode instances clustered with
* Set the number of cache owners for sessions to 6.
* Start the three new instances in the new Kubernetes namespace,
configured exactly the same as the first three - that is, same db, same
number of cache owners.
* Kill the original three
But it seems this caused offlineSession tokens to be expired immediately.
I found this in the online documentation
> The second type of cache handles managing user sessions, offline
> tokens, and keeping track of login failures... The data held in these
> caches is temporary, in memory only, but is possibly replicated across
> The sessions, authenticationSessions, offlineSessions and
> loginFailures caches are the only caches that may perform replication.
> Entries are not replicated to every single node, but instead one or more
> nodes is chosen as an owner of that data. If a node is not the owner of
> a specific cache entry it queries the cluster to obtain it. What this
> means for failover is that if all the nodes that own a piece of data go
> down, that data is lost forever. By default, Keycloak only specifies one
> owner for data. So if that one node goes down that data is lost. This
> usually means that users will be logged out and will have to login again.
It appears, based on these documentation comments and our experience,
that the "source of truth" regarding offlineSessions is the data in the
"owner" caches, and NOT the database, as I would have expected. It also
seems to be the case that if a node joins the cluster (as defined by
JGroups/JDBC_PING), it will NOT be able to populate its offlineSessions
cache from the database, but must rely on replication from one of the
1. Is the above understanding regarding the db vs cache correct?
2. If so, please explain the design/reasoning behind this behavior.
Otherwise, please correct my understanding.
3. Is there a way to perform this simple migration without losing any
    var keycloak = Keycloak();  // no argument: the adapter loads keycloak.json from the page's root
    keycloak.init().success(function(authenticated) {
        alert(authenticated ? 'authenticated' : 'not authenticated');
    }).error(function() {
        alert('failed to initialize');
    });
Since I updated Keycloak I get the message 'failed to initialize'.
It was working well with the previous version of KC 3.2.
What could it be? How can I get a better error message?
I'm evaluating keycloak and investigating the possibility of providing SSO
services on non-protected (public) pages.
Assume the following environment:
/protected is the restricted area of the portal, that only logged in
users may access
/public is the public area where both logged in and anonymous users may
I'm trying to achieve the following:
- User logs in @ https://site1.example.com
- SSO session and site1 session are created
- User goes to public area of site2, https://site2.example.com/public
- User is automatically logged in (site2 session is created)
It seems that the above is not possible with OIDC / SAML since the user
has to land on a protected page to initiate federation, or perform an
action (e.g. click a button).
Any other thoughts, feedback?
Thanks in advance,