Differences between userinfo and user profile
by Robert Parker
Hi,
I see I can retrieve a user's profile, but what is the difference when getting the userinfo record? Does the user profile return all properties associated with a user no matter if you have disabled the "include in user info" flag on the mappers for that field in the client settings in Keycloak?
I'm trying to figure out what I can control being returned in the user profile vs the userinfo object.
Thanks
Robert Parker- Front End Developer
7 years, 3 months
Ability to update a user's profile
by Robert Parker
I am making use of the JavaScript adapter to retrieve a logged-in user's profile.
Is there any way to programmatically update the values of a user's profile? I know there is an account management area the user can be redirected to, but how about being able to set it whilst still in the main client side application?
I have an operation the user can perform whilst logged into our application that could do with updating a custom attribute on the user's account in Keycloak. Right now it's being persisted in local storage in the browser; it would be great if I could persist it against the Keycloak user record.
Thanks
7 years, 3 months
Receive "NoClassDefFoundError" during *deployment* not at _runtime_ with/by java class derivation.
by Christian Kayssner
Hello,
I would like to extend a Keycloak core class 'org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory'. The idea was to get an additional field in the first form.
For the first tests, I changed the shipped providers/authentication example.
The derived factory class was given the name 'org.example.derivations.MyUsernamePasswordFormFactory'.
I checked the Java visibilities (nothing protected or private or final).
The core class resides in the artifactId 'keycloak-services', and the pom file has a direct dependency entry.
Eclipse (the maven-plugin) is satisfied.
But if I deploy the example, I get a 'NoClassDefFoundError' exception.
The base is the 'https://downloads.jboss.org/keycloak/3.2.1.Final/keycloak-demo-3.2.1.Fina...' archive.
To follow along, you can either:
a) display my colored log file (cat ./keycloak-demo-3.2.1.Final.log) from the attachment, or (to see for yourself)
b) you need:
   1. a current Linux system with network name resolution, *working* Maven and _without_ a running Keycloak/WildFly service,
   2. a directory of your own choice to hold all necessary files (space about 410MB),
   3. the above mentioned Keycloak archive,
   4. and the unpacked attachment.
Then you have to open two terminals, go to your chosen directory in both, and:
* In the first terminal, start the preparing/patching step: ./01.patch.it
  This bash script
  o removes the (last) remains (for the second and later runs),
  o provides the original Keycloak environment,
  o applies the necessary patches,
  o and starts the standalone Keycloak service.
* When the Keycloak service has started, start the deployment in the second terminal: ./02.deploy.it
  This bash script
  o moves to the chosen example,
  o and starts the maven deploy.
At this point you can see how the deployment will fail!
Does anyone have an idea why the *deployment* fails?
Have I missed something?
Or is a derivation, per se, not desired??
Best regards.
Christian Kayssner
7 years, 3 months
Keycloak Policies
by Plunkett McGurk
Hi Guys,
I have a quick question regarding the functionality available within Keycloak policies.
We have a requirement where we need to track the number of calls to a particular resource. If, say, the number of calls exceeds 100 per day for a particular user/role then the ‘policy’ would reject any further access to that resource for that day.
Could this type of requirement be fulfilled through say either the JavaScript or Drools based policies?
Many thanks
Plunkett
7 years, 3 months
Disabling User Account Service
by Jonathan Little
Is there a way to disable access to the self service user management page
(covered here:
http://www.keycloak.org/docs/3.3/server_admin/topics/account.html)? We
have a use case where supposedly we don't want our users to be able to
modify their own username, and password resets can be handled via the
Forgot Password link on the login page.
Or is there at least a way to disable username editing?
I'd think if there were it would be pretty obvious in the admin UI but I
figured I'd ask..
Thanks!
7 years, 3 months
import SAML keys via command line
by Pieter Lukasse
Hi,
I have a .jks file which I would like to import into keycloak using the
command line instead of the "SAML keys" page (in SAML client config page).
I cannot find any command for this here:
http://www.keycloak.org/docs/3.3/server_admin/topics/admin-cli.html
Is this just missing or is the documentation incomplete? Can someone help
me on this one?
Thanks,
Pieter
7 years, 3 months
Keycloak client user federation management
by STEFKA Peter OSK
Hello all,
We're thinking of implementing something best described as client user federation management. Our Keycloak instance is used by customers (registered + federated) as well as employees (federated). As such we got a requirement from our security guys to restrict access to certain clients to particular user federation types (user type) on Keycloak.
For example, we don't want the registered users to be able to access our internal systems (clients), these should be accessible only to employees - this could be easily done on client side, however the requirement is to have it "server" side.
If possible, we'd like to have it accepted into the main branch eventually (we count on sending a pull request); as such, what is the preferred way of implementing this?
P. Stefka
7 years, 3 months
migrate users from legacy user storage
by Adrian Matei
Hi guys,
our Keycloak currently uses AD as the main user storage provider for
passwords. We need to bind a legacy User Storage Provider and locally
import the users in Keycloak.
I have used the strategy described at Import Implementation Strategy
section
<https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/...>,
and was able to either:
1. keep the password and username in legacy system and take care of
synchronizations
2. remove the federation and update the password in Keycloak DB in the
overridden *CredentialInputValidator.isValid* method with code stolen
from Keycloak's own *PasswordCredentialProvider*
For now I am in favour of the second option, but then it means there are
still *two* user password storages (AD and Keycloak DB)...
My question is whether the second approach sounds reasonable, or is there a
*third* way to "migrate" the password to Active Directory when the
validation is checked?
Cheers,
Adrian
7 years, 3 months
REST APIs for OTP validation and realm creation
by Sajid Chauhan
Hi All,
I would appreciate if anyone would be able to help me out here...
1. Is there a REST API which validates the OTP?
2. Is there a REST API for creating a Realm?
Thanks and regards,
Sajid
7 years, 3 months
How to set Identity Provider by Client
by Dominik Guhr
Hi there,
maybe I am just blind, but reading the docs I see that identity
providers are set on a per-realm basis. So now I'm asking myself if it is
possible to use per-client identity providers, and if yes, how to
do so.
E.g. with the JS adapter, Client A is being redirected to Keycloak's
login, and is allowed to use Google and Facebook as identity providers.
But Client B only shows Twitter and/or Stackoverflow.
Haven't found something about this and hope someone here could help me out!
Thanks in advance,
Dominik
7 years, 3 months