When the Keycloak server is started for the very first time, it
automatically creates a master realm with default configurations. Is it
possible to customize some of these default configurations during / prior
to the initial deployment?
For example, I want to change the master realm such that each time a
keycloak server gets deployed, the master realm by default has some
password policies (e.g. password expiry enabled).
I know that I can override the master realm with a JSON that has the
configurations that I need using
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING, but I'd like to avoid the
overwrite and have the custom configurations applied upon the initial
creation of the master realm if possible.
Does anyone have any thoughts on this?
I was wondering, if Keycloak can accept the pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement?
Research Computing Core
Wellcome Trust Centre for Human Genetics
University of Oxford
Is there any kind of best practices on how to deploy and secure an internet facing Keycloak instance?
So far I've been doing some filtering on my reverse proxy:
- Limit /auth/admin to trusted IP
- Block = /auth (The default auth page)
But I suppose there are many other things that can be done?
I could not find any official documentation.
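As an added example (not from the original post), the two filtering rules described above expressed as an nginx reverse proxy configuration; it assumes nginx in front of Keycloak, Keycloak listening on 127.0.0.1:8080, and uses 203.0.113.0/24, sso.example.com and the TLS paths as placeholders.

```nginx
# Added example; nginx, upstream address, hostname, TLS paths and the
# trusted range 203.0.113.0/24 are assumptions / placeholders.
upstream keycloak {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name sso.example.com;                      # placeholder
    ssl_certificate     /etc/nginx/tls/sso.crt;       # placeholder
    ssl_certificate_key /etc/nginx/tls/sso.key;       # placeholder

    # Admin console and admin REST API (/auth/admin and everything below it):
    # reachable only from the trusted range, everyone else gets 403.
    location /auth/admin {
        allow 203.0.113.0/24;
        deny  all;
        proxy_pass http://keycloak;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # The welcome page at exactly /auth (and /auth/) links to the admin
    # console; exact-match locations take priority over prefix matches.
    location = /auth  { return 404; }
    location = /auth/ { return 404; }

    # Everything else under /auth/ (login pages, OIDC/SAML endpoints,
    # account console) stays reachable from the internet.
    location /auth/ {
        proxy_pass http://keycloak;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

For Keycloak to see the real client address (for its own event logging and brute-force detection) rather than the proxy's, the HTTP listener in standalone.xml also needs `proxy-address-forwarding="true"`.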
I have created a realm admin through which I created a client and assigned
client admin to one user. Now I logged in to the system through that client
admin but I am unable to manage that client.
I referred to the link below for managing this client admin.
As seen in the snapshot, when I click on any horizontal tab, I am
getting a page with the message Forbidden.
Please provide the steps through which I can manage the roles and
permissions for users through the client admin login.
Thanks and Regards,
Actually keycloak lacks support for a large number of clients (over 10K).
Keycloak Version 3.4.6 keeps all clients in memory and reloads them all
(one by one) each time a client is added or deleted; this behavior causes
performance and deadlock issues (https://issues.jboss.org/browse/KEYCLOAK-3210).
In the following use cases:
- Mobile application instances dynamically registering themselves to get
- Clients registering with the OAuth server from a developer portal or
API management system
support for a large number of clients is not an option.
If you are interested, vote for this feature here
I added some attributes to registration page by following this link
but I got this error:
Caused by: freemarker.core.ParseException: Syntax error in template
"account.ftl" in line 54, column 171:
11/28/2018 10:22:28 AM Using ?html (legacy escaping) is not allowed when
auto-escaping is on with a markup output format (HTML), to avoid
11/28/2018 10:22:28 AM at
We use New Relic APM to monitor Keycloak and it seems that on occasion there will be transactions running for ~30min, which seems exceptionally long. We already lowered our database transaction timeouts, but we are thinking we should also add/change the WildFly servlet timeout from the default of 30 minutes.
<servlet-container name="default" default-session-timeout="1">
I can’t see this being related to any of the “keycloak session” timeouts, just wondering if anyone would know if this is a terrible idea??
Can Keycloak automatically detect changes in metadata of SAML providers by polling the metadata URL? I’m asking because our clients regularly change their certificates and it would be nice not having to update them manually every time :)