I am trying to set up an iOS app that works with a Ninja (JVM/Java 8)
server and keycloak.
More info on ninja - http://www.ninjaframework.org/
I am using aerogear to get a jwt directly from the keycloak service. I then
want to pass the jwt back to my ninja (JVM) back-end service.
I know I can validate the token without hitting the keycloak service to
some degree, but say I wanted to get the user info or verify the id of the
token, and that it has not been revoked, how would I go about contacting
the keycloak server? I am not using any sort of special security or signing
on my jwt tokens. Do I use the authz or admin client? Any specific
examples to look at?
I tried to implement one of the adapters but did not have any luck. I was
hoping to set up a simple example like
Except instead of getting the token using username/password I was hoping to
use my jwt that I got from the front-end.
Is this supported by the Java clients as is, or do I need to write my own?
It seems like this is discouraged in favor of the server side adapters but
I am just trying to get started by validating my tokens and was not able to
get any of them working with ninja.
Since version 2.5 it is possible to choose other signing mechanism than RSA in the realm-administration. To enhance performance, I tried out to induce keycloak to use HMAC for token signing, but it seems, that this does not work: HMAC is ignored despite the priority settings and login will even fail, if HMAC key is the only active/enabled key. It would be nice (and esssential for our purposes for performance issues) to be able to change the signature algorithms and if elliptic curves would be provided as a fast asymmetric alternative to RSA as well. Is this projected for a near-future version?
Best regards, Eduard Matuszak
How do I disable PKCE in Keycloak 3.1.X? I am having some
compatibility issues with another 3rd party tool, and am trying to get
around the issue until I can figure out the root cause/solution.
We'd like to be able to store somewhat standard user attributes that
complete the email, first and last name values that Keycloak 'natively'
stores. Think of things like a date of birth, home/work address, phone
number, etc. Additionally, we'd like to be able to find users based on a
search query. We'd like to be able to answer questions like: "how many
users live in London?"
So far, we've found the user attributes, where we could store this
information. That is a very generic solution though. Are there standardized
attribute names, profiles, that we can use?
A further challenge is that we'd like to be able to query the user base,
based on attributes. We'd like to find people by address, by date of birth,
etc. The REST API does have search functionality, but it doesn't look like
you can find users by attribute value.
Can anyone recommend a course of action here?
we have two applications, one in SAML and the other in OIDC and we would
like a person logging in one of them and being SSO in the other, same
for the logout.
Is Keycloak implementing this functionality? If yes, how?
We'd like to have a log when 'Logout All Sessions' action occurs - if user
clicks it. I see that AdminEvent is sent when - well - admin clicks it;)
and actually other request is sent. Is it done by purpose or maybe do you
plan in the future to send a 'normal' Event in that case? some other
Many Thanks in advance!
we have adopted Keycloak as foundation for our identity services since the
beginning (july 2015) and after an initial development period we developed
our federation/mail/whatever providers we fixed the underlyng Keyckoak
version to 1.7.0 for more than one year.
Recently we have upgraded to Keycloak 2.5.5 doing a big reworking related
to the new architecture of the former Federation providers, etc...
The first impression is the it is more robust and stable, but it seems to
be slower then the 1.7.0 version. Without any SPI installed, using a raw
keycloak realm, on the same machine the pure login via OpenId Connect
30 ms on Keycloak 1.7.0 (average value after 100 logins)
100 ms on Keycloak 2.5.5 (average value after 100 logins)
We get the same gap both with H2 and Oracle database.
If we mount our SPI providers (User Storage and others), the gap is greater
but of course it could be an issue into our code after the migration to the
new SPI architecture.
Is there a specific reason for this gap? (i.e. a better management of the
Is there a specific setting/strategy to improve the performance?
The configuration has been tested both on Linux and Windows on a standalone
server. The Wildfly -Xmx has been set to 1g on both the Keycloak version.
I'm using KeyCloak in Version 3.0.0.Final and having trouble with an Angular 2 application which runs regularly into the problem that the refresh token is expired.
I've tried to increase the token timeouts but it seems the refresh token still expires too quick. My configuration is as follows:
- SSO Session Idle: 2 days
- SSO Session Max: 10 hours
- Offline Session Idle: 30 days
- Access Token Lifespan: 5 minutes
- Access Token Lifespan For Implicit Flow: 15 minutes
- Client login timeout: 1 minute
- Login timeout: 30 minutes
- Login action timeout: 5 minutes
Please note, the refresh often works but after some idle time it is pretty common that the refresh token is expired. I'm using the implementation of the official angular 2 example in the KeyCloak github repository.
I'm also using the same realm with a Spring Boot Bearer Client but I guess that this does not affect token of the Angular client, right?
I've thought that increasing the SSO Session Idle would solve the problem but it is not. How can I extend the expiry time?
My mobile app is connected to the server using bearer-only tokens. The
tokens were obtained using username/password.
A particular screen in the app requires the user to re-enter the password,
so that the password can be verified at the server-side.
Is there an elegant REST or Java API to perform a simple password
verification, besides a call to /protocol/openid-connect/token endpoint,
which brings all the tokens?