Dynamically assign role at user registration
by mark
When a user registers with my application via Keycloak I want to assign a
particular role depending on the way they have registered (to be
determined). From the documentation it appears I can use the scope
parameter - but how? Can anyone point me to an example?
Thanks
7 years, 7 months
Keycloak authorization support for spring boot.
by Rong -
Hi,
I am trying to set up a keycloak as an independent server for authorization purpose. Our rest API service is built on spring boot, implemented as a resource server as for "policy enforcer". However, I have many issues when trying to set this up.
1. spring boot works fine if I only set up the security constraints (for rest api) in configuration file. But I want to enable policy enforcer for spring boot, is this possible? Is there some example for how to enable policy enforcer in spring boot, especially for how to set up those parameters?
2. We also want to have an access control list of which user can access which project, I have set up a "user policy" in keycloak admin console in client's "authorization", what else shall we do in spring boot configuration?
3. If I enable policy enforcer in authorization layer (in spring boot), is it still required to add the security constraints in spring boot's application properties? I assume if authorization is enabled for resource server and the web service/URL constraints are added in resource server's policy, there should be no further settings in configuration for the security constraints?
Thanks,
Rong
7 years, 7 months
Unable to create user with roles using Rest API
by Hylton Peimer
I have created a new Realm and added a role: "DOCTORS".
POST to /admin/realms/{realm}/users
With the following JSON:
{"realmRoles":["DOCTORS"],"enabled":"true","username":"drhp"}
This invocation creates the user, but the "DOCTORS" role is not assigned.
The rest call is using a bearer token obtained from an administrative user
in the master realm.
7 years, 7 months
Rebalancing problem while adding a new node to a domain
by Elnaz razmi
We chose to install domain mode keycloak in our company. We have a load
balancer and three slave nodes. It's working properly with two active nodes,
but when we want to run the third node to connect to the load balancer, the load
balancer doesn't rebalance with the new node. It just says that the node is registered
but it doesn't show these lines as we can see in the other node connect process:
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting
cluster-wide rebalance for cache work, topology CacheTopology{id=3,
rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners =
(2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]},
pendingCH=ReplicatedConsistentHash{ns = 60, owners =
(3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20,
srvca61-site231:server-twoslave: 20]}, unionCH=null,
actualMembers=[master:server-one-master, srvca61-site232:server-threeslave,
srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting
cluster-wide rebalance for cache loginFailures, topology
CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80,
owners = (2)[master:server-one-master: 40+0,
srvca61-site232:server-threeslave: 40+0]},
pendingCH=DefaultConsistentHash{ns=80, owners =
(3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave:
27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null,
actualMembers=[master:server-one-master, srvca61-site232:server-threeslave,
srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting
cluster-wide rebalance for cache authorization, topology
CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80,
owners = (2)[master:server-one-master: 40+0,
srvca61-site232:server-threeslave: 40+0]},
pendingCH=DefaultConsistentHash{ns=80, owners =
(3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave:
27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null,
actualMembers=[master:server-one-master, srvca61-site232:server-threeslave,
srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting
cluster-wide rebalance for cache sessions, topology CacheTopology{id=3,
rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners =
(2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave:
40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners =
(3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave:
27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null,
actualMembers=[master:server-one-master, srvca61-site232:server-threeslave,
srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting
cluster-wide rebalance for cache offlineSessions, topology
CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80,
owners = (2)[master:server-one-master: 40+0,
srvca61-site232:server-threeslave: 40+0]},
pendingCH=DefaultConsistentHash{ns=80, owners =
(3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave:
27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null,
actualMembers=[master:server-one-master, srvca61-site232:server-threeslave,
srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished
cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished
cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished
cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished
cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished
cluster-wide rebalance for cache sessions, topology id = 3
7 years, 7 months
Spring Boot adapter with HTTP verb based authorization
by Andreea Ciuprina
Hello!
We are building an online application for which we are using Keycloak for authentication and authorization, connected
to our Spring Boot backend using the Spring Boot adapter.
We would like to achieve more fine-grained authorization, more specifically, we would like to set up HTTP verb based
authorization, for example, allow only GET requests for some end-points, GET and POST for others, only POST for other end-points etc.
I am aware of the Policy Enforcer adapter, but I could not find any specific documentation regarding how to use that with Spring Boot, where there is
no keycloak.json file used for configuration.
Therefore, my questions are:
1. Can HTTP verb based authorization be achieved using the Spring Boot adapter?
2. If the answer to question 1 is yes, then could you please provide a minimal configuration example?
Thank you!
Best regards,
Andreea
---------------------------------------------------------
Andreea Ciuprina
Bioinformatics Group
Max Planck Institute for Marine Microbiology
Celsiusstraße 1
28359 Bremen
Germany
Phone: +49(0) 421 2028 982
Email: aciuprin@mpi-bremen.de
&
Jacobs University Bremen,
28759 Bremen, Germany
Email: a.ciuprina@jacobs-university.de
7 years, 7 months
(no subject)
by Elnaz razmi
What are the features in the keycloak-3.1.0.final release?
7 years, 7 months
Spring security adapter for SAML
by Pulkit Gupta
Hi Team,
I have an application with Spring security configured.
We are trying to migrate the same to keycloak.
Do we have a spring security adapter for keycloak with SAML?
I went through the documentation and can see that we have a spring adapter
but that is for OpenID Connect.
--
Thanks,
Pulkit
AMS
7 years, 7 months