Default configuration of master realm
by Mike Wakim
Hello,
When the Keycloak server is started for the very first time, it
automatically creates a master realm with default configurations. Is it
possible to customize some of these default configurations during / prior
to the initial deployment?
For example, I want to change the master realm such that each time a
keycloak server gets deployed, the master realm by default has some
password policies (e.g. password expiry enabled).
I know that I can override the master realm with a JSON that has …
[View More]the
configurations that I need using
-Dkeycloak.migration.file=master-realm.json and
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING, but I'd like to avoid the
overwrite and have the custom configurations applied upon the initial
creation of the master realm if possible.
Does anyone have any thoughts on this?
Thanks!
Mike
[View Less]
6 years, 3 months
krbLastPwdChange - can we use this attribute
by Callum Smith
Dear Keycloakers,
I was wondering, if Keycloak can accept the pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement?
Regards,
Callum
--
Callum Smith
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
e. callum(a)well.ox.ac.uk<mailto:callum@well.ox.ac.uk>
6 years, 3 months
Internet facing Keycloak, security best practices ?
by Mathieu Poussin
Hello.
Is there any king of best practices on how to deploy and secure an internet facing Keycloak instance ?
So far I've been doing some filtering on my reverse proxy :
- Limit /auth/admin to trusted IP
- Block = /auth (The default auth page)
But I suppose there are maby other things that can be done ?
I could not find any official documentation.
Thanks.
6 years, 3 months
Issue in client admin- management
by Dhara Basida
Hey,
I have created realm admin through which I created client and assigned
client admin to one user.Now I logged in the system through that client
admin but I am unable to manage that client.
I had referred the below link for managing this client admin,
https://www.keycloak.org/docs/latest/server_admin/index.html#_admin_permi...
As seen in the snap shot, when I click on any horizontal tab,I am
getting a page with message Forbidden.
Please provide the steps through which I can manage …
[View More]the roles and
permission for users through client admin login.
Thanks and Regards,
Dhara Basida
[View Less]
6 years, 3 months
http connection/session timeout
by Phillip Fleischer
Hi,
We use new relic APM to monitor keycloak and seems that on occasion there will be transactions running for ~30min which seems to be exceptionally long. We already lowered our database transaction timeouts, but thinking we should also add/change the wildly servlet timeout timeout from the default of 30 minutes.
<servlet-container name="default" default-session-timeout="1">
<jsp-config/>
<websockets/>
</servlet-container>
I can’t see this being related to …
[View More]any of the “keycloak session” timeouts, just wondering if anyone would know if this is a terrible idea??
— Phil
[View Less]
6 years, 3 months
Auto refresh ADFS federation metadata.xml?
by Rens Verhage
Hi all,
Can Keycloak automatically detect changes in metadata of SAML providers by polling the metadata URL? I’m asking because our clients regularly change their certificates and it would be nice not having to update them manually every time :)
Rens
6 years, 3 months
Failed to replace entity
by Nicolas Ocquidant
Hi
I am currently testing KC and I get WARN messages in my console when I try
to refresh tokens.
11:42:54,245 WARN
[org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction]
(default task-1) Failed to replace entity
'9c206d08-8542-4385-ad97-61ae61ee4e00' in cache 'sessions'
Steps to reproduce :
- start KC 4.6.0.Final
- populate KC using the admin web console : realm=SpringBootKeycloak,
client=login-app, role=user, user=user1/user1(role user)
- use curl …
[View More]to login user1 :
tmp=$(curl -s -d
"grant_type=password&client_id=login-app&username=user1&password=user1" -X
POST -H "Content-Type: application/x-www-form-urlencoded"
http://localhost:8180/auth/realms/SpringBootKeycloak/protocol/openid-conn...)
&& refresh_token1=$(echo "$tmp" | jq -r '.refresh_token') && echo "$tmp" |
jq .
- use curl to refresh tokens of user1 :
curl -s -d
"grant_type=refresh_token&client_id=login-app&refresh_token=$refresh_token1"
-X POST -H "Content-Type: application/x-www-form-urlencoded"
http://localhost:8180/auth/realms/SpringBootKeycloak/protocol/openid-conn...
| jq .
My config is as follow :
<distributed-cache name="sessions" owners="2" statistics-enabled="true"
remote-timeout="600000">
<state-transfer timeout="36000000"/>
<binary-memory eviction-type="COUNT" size="30000"/>
<expiration lifespan="86400000" interval="120000"/>
<jdbc-store data-source="InfinispanDS"
dialect="POSTGRES"
fetch-state="true"
passivation="true"
preload="false"
purge="false"
shared="false"
singleton="false">
<table prefix="ISPN_mbd_node1">
<id-column name="ID_COLUMN" type="VARCHAR(255)"/>
<data-column name="DATA_COLUMN" type="BYTEA"/>
<timestamp-column name="TIMESTAMP_COLUMN" type="BIGINT"/>
</table>
</jdbc-store>
</distributed-cache>
Shall I fill a Jira?
Thanks,
--nick
[View Less]
6 years, 3 months
