My Keycloak configuration has a password policy enabled for all users, and it also has the Not Recently Used part set to some number.
I have a simple use case:
1. I create user
2. I set a password for this user
3. I delete this user
I repeat these steps again with the same username and password, and I get an error on the 2nd step, which is "Invalid password: must not be equal to any of last x passwords."
The problem is, I only get this error via the admin API; if I do it in the admin UI, I don't get it.
Now obviously, if it were the same user it would make sense, but since I delete this user and create a new one, which has a different user ID, I would expect it to behave differently.
I am using Keycloak 3.1.0 and the Java adapter, which is 3.1.0 as well. The code is below.
1. Creating user:
2. Resetting password of the user:
// Admin-client handle for the user to update, looked up by its Keycloak user ID
UserResource userResource = keycloak.realm(usersRealm).users().get(keycloakId);
// Credential object to populate and pass to userResource.resetPassword(...)
CredentialRepresentation passwordCredRepresentation = new CredentialRepresentation();
3. Deleting the user:
I definitely know that the delete works, because once I run this I don't see any user, and when I run the create-user code I can see a user account with a different ID.
My question is, is this intentional or a bug? If it is intentional, then how can I clear a user's password history? I tried looking that up in the admin API but could not find any call.
I am having trouble finding libraries to implement a Keycloak client for
So far, I have found AppAuth and AeroGear on keycloak.org, but I am not convinced about their simplicity.
Has anyone implemented a simple client for Android?
Thank you very much.
I am using the Keycloak OpenID endpoint to retrieve an access token from the Keycloak server using Direct Access Grant mode. I found that each time a NEW request is made using the SAME user account/credentials, Keycloak returns a NEW access token. (So I can see the same user with multiple sessions.)
In this way, I am not sure if a refresh token is still needed, because we can basically get a new token for each request and NOT care about the
Is this expected? Is the same user supposed to have many access tokens? Are there any potential issues with working this way?
I referred to the Keycloak Example - Kerberos Credential Delegation https://github.com/keycloak/keycloak/tree/master/examples/kerberos and was able to run it end to end.
I even pointed to our Kerberos environment (Hadoop HDP 2.5) and found it working great.
Hitting the web app URL I get the challenge response header WWW-Authenticate: Negotiate, and then the browser uses GSS-API to load the user's Kerberos ticket from the ticket cache and sends it in the form Authorization: Negotiate YII... This works perfectly fine: I am authenticated via Kerberos and land in my web app.
// Kerberos V5 mechanism OID and the GSS-API entry point
Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
GSSManager gssManager = GSSManager.getInstance();
// Rebuild the delegated credential that Keycloak handed to the application
GSSCredential deserializedGssCredential = org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(serializedGssCredential);
// Create GSSContext to call other kerberos-secured services (serviceName: GSSName of the target service principal)
GSSContext context = gssManager.createContext(serviceName, krb5Oid, deserializedGssCredential, GSSContext.DEFAULT_LIFETIME);
As I am a bit of a newcomer to the GSS API, I cannot figure out how to use the GSSCredential to call other Kerberos-secured services, which in my case are Hive Server 2 via JDBC and HDFS.
Is there some reference or examples that I can refer and use the GSSCredential object to access Kerberized services like Hive Server 2 via JDBC and HDFS?
We have a business use case where we'll have a realm with 50+ SAML clients configured, and we want to update the SAML key for the realm (either for security reasons or because the certificate expired).
I was reading the following section, but it seems mostly focused on OIDC. Can someone please share how Keycloak handles this for SAML? The important thing to realize is that we cannot expect our customer to update the realm certificate in all 50+ service providers at the same time.
Thanks, this looks perfect for my use case.
On Jun 1, 2017 2:25 AM, "Schuster Sebastian (INST/ESY1)" <Sebastian.Schuster(a)bosch-si.com> wrote:
Both should be possible. For 1) have a look at https://keycloak.gitbooks.io/documentation/content/server_admin/topics/id...
and for 2) look at https://keycloak.gitbooks.io/documentation/content/server_admin/topics/id...
Best regards
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-
> bounces(a)lists.jboss.org] On Behalf Of Christie, Marcus Aaron
> Sent: Wednesday, 31 May 2017 21:19
> To: keycloak-user(a)lists.jboss.org
> Subject: [keycloak-user] Questions about OpenID Connect Identity Provider
> I have two questions about Identity Provider configuration in Keycloak.
> 1) I would like to add an Identity Provider and then have this be the only option
> available to the user for authentication. Is there a way to disable the
> username/password authentication and not show it on the login screen?
> 2) Is there a way to redirect to Keycloak and have it immediately redirect to an
> Identity Provider? As an example, let’s say I have two Identity Providers, Google
> and Facebook. In my web application I know that the user wants to log in via
> Google so I want to redirect to Keycloak and tell Keycloak to select the Google
> Identity Provider and redirect to it immediately. Maybe something like my web
> application redirects to keycloak like so:
> and then mykeycloak.org immediately redirects to
> Google. For the user they don't see the Keycloak page.
> Is there any functionality like this in Keycloak?
I have two questions about Identity Provider configuration in Keycloak.
1) I would like to add an Identity Provider and then have this be the only option available to the user for authentication. Is there a way to disable the username/password authentication and not show it on the login screen?
2) Is there a way to redirect to Keycloak and have it immediately redirect to an Identity Provider? As an example, let’s say I have two Identity Providers, Google and Facebook. In my web application I know that the user wants to log in via Google so I want to redirect to Keycloak and tell Keycloak to select the Google Identity Provider and redirect to it immediately. Maybe something like my web application redirects to keycloak like so:
and then mykeycloak.org immediately redirects to Google. For the user they don't see the Keycloak page.
Is there any functionality like this in Keycloak?
I have two Keycloak clients: one is a public client using the implicit flow, authenticating the user via a redirect; once the user is authenticated, the client receives a token.
This token is then passed to a REST-based backend service, which validates it before providing access to the API data.
I am looking for more information on how does a bearer only client
client. I would also be interested in understanding more about the relationship between these two clients, based on scope, to make this setup work.