November 2018 - keycloak-user - Jboss List Archives

by Mike Wakim

Hello, When the Keycloak server is started for the very first time, it automatically creates a master realm with default configurations. Is it possible to customize some of these default configurations during / prior to the initial deployment? For example, I want to change the master realm such that each time a keycloak server gets deployed, the master realm by default has some password policies (e.g. password expiry enabled). I know that I can override the master realm with a JSON that has the configurations that I need using -Dkeycloak.migration.file=master-realm.json and -Dkeycloak.migration.strategy=OVERWRITE_EXISTING, but I'd like to avoid the overwrite and have the custom configurations applied upon the initial creation of the master realm if possible. Does anyone have any thoughts on this? Thanks! Mike

7 years, 4 months

1
0
0 / 0

(no subject)

by Max Allan

Hi, I just installed 4.6.0-Final and started to configure a new site. I cannot see the "Script" authentication execution type in the drop down menu. I compared it with 4.5 and can see where it should be. They're still in the documentation : https://www.keycloak.org/docs/latest/server_admin/index.html#executions Is there some new/different config required to make them work now? I read the upgrade notes, even thought this is a new deployment. I found some references to JavaScipt. Not a language I have heard of before. https://www.keycloak.org/docs/latest/upgrading/index.html#javascipt-adapt... I wonder if it is similar to JavaScript.. But no mention of script authentication executions. Any ideas? Thanks, Max

7 years, 4 months

3
3
0 / 0

krbLastPwdChange - can we use this attribute

by Callum Smith

Dear Keycloakers, I was wondering, if Keycloak can accept the pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement? Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. callum(a)well.ox.ac.uk<mailto:callum@well.ox.ac.uk>

7 years, 4 months

2
3
0 / 0

Internet facing Keycloak, security best practices ?

by Mathieu Poussin

Hello. Is there any king of best practices on how to deploy and secure an internet facing Keycloak instance ? So far I've been doing some filtering on my reverse proxy : - Limit /auth/admin to trusted IP - Block = /auth (The default auth page) But I suppose there are maby other things that can be done ? I could not find any official documentation. Thanks.

7 years, 4 months

1
0
0 / 0

Issue in client admin- management

by Dhara Basida

Hey, I have created realm admin through which I created client and assigned client admin to one user.Now I logged in the system through that client admin but I am unable to manage that client. I had referred the below link for managing this client admin, https://www.keycloak.org/docs/latest/server_admin/index.html#_admin_permi... As seen in the snap shot, when I click on any horizontal tab,I am getting a page with message Forbidden. Please provide the steps through which I can manage the roles and permission for users through client admin login. Thanks and Regards, Dhara Basida

7 years, 4 months

1
0
0 / 0

Feature request : Support having large number of clients (KEYCLOAK-8275)

by Andrea Pasqualini

Actually keycloak lacks support for large number of clients (over 10K) Keycloak Version 3.4.6 keeps all clients in memory and reloads them all (one by one) each time a client is added or deleted, this behavior causes performance and deadlock issues (https://issues.jboss.org/browse/KEYCLOAK-3210). In the following use cases : .Mobile application instances dynamically registering themselves to get installation-specific credentials .Clients registering with the OAuth server from a developer portal or API management system Support for large number of clients is not an option If you are interested vote for this feature here https://issues.jboss.org/browse/KEYCLOAK-8275 Regards Andrea Pasqualini

7 years, 4 months

1
0
0 / 0

Issues when modifying account.ftl

by So Be

Hi, I added some attributes to registration page by following this link https://www.keycloak.org/docs/latest/server_development/index.html#modify... but I got this error: Caused by: freemarker.core.ParseException: Syntax error in template "account.ftl" in line 54, column 171: 11/28/2018 10:22:28 AMUsing ?html (legacy escaping) is not allowed when auto-escaping is on with a markup output format (HTML), to avoid double-escaping mistakes. 11/28/2018 10:22:28 AM at freemarker.core.FMParser.BuiltIn(FMParser.java:1188) .... Best, Sofiane.

7 years, 4 months

2
1
0 / 0

http connection/session timeout

by Phillip Fleischer

Hi, We use new relic APM to monitor keycloak and seems that on occasion there will be transactions running for ~30min which seems to be exceptionally long. We already lowered our database transaction timeouts, but thinking we should also add/change the wildly servlet timeout timeout from the default of 30 minutes. <servlet-container name="default" default-session-timeout="1"> <jsp-config/> <websockets/> </servlet-container> I can’t see this being related to any of the “keycloak session” timeouts, just wondering if anyone would know if this is a terrible idea?? — Phil

7 years, 4 months

1
1
0 / 0

Auto refresh ADFS federation metadata.xml?

by Rens Verhage

Hi all, Can Keycloak automatically detect changes in metadata of SAML providers by polling the metadata URL? I’m asking because our clients regularly change their certificates and it would be nice not having to update them manually every time :) Rens

7 years, 4 months

1
0
0 / 0

Failed to replace entity

by Nicolas Ocquidant

Hi I am currently testing KC and I get WARN messages in my console when I try to refresh tokens. 11:42:54,245 WARN [org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction] (default task-1) Failed to replace entity '9c206d08-8542-4385-ad97-61ae61ee4e00' in cache 'sessions' Steps to reproduce : - start KC 4.6.0.Final - populate KC using the admin web console : realm=SpringBootKeycloak, client=login-app, role=user, user=user1/user1(role user) - use curl to login user1 : tmp=$(curl -s -d "grant_type=password&client_id=login-app&username=user1&password=user1" -X POST -H "Content-Type: application/x-www-form-urlencoded" http://localhost:8180/auth/realms/SpringBootKeycloak/protocol/openid-conn...) && refresh_token1=$(echo "$tmp" | jq -r '.refresh_token') && echo "$tmp" | jq . - use curl to refresh tokens of user1 : curl -s -d "grant_type=refresh_token&client_id=login-app&refresh_token=$refresh_token1" -X POST -H "Content-Type: application/x-www-form-urlencoded" http://localhost:8180/auth/realms/SpringBootKeycloak/protocol/openid-conn... | jq . My config is as follow : <distributed-cache name="sessions" owners="2" statistics-enabled="true" remote-timeout="600000"> <state-transfer timeout="36000000"/> <binary-memory eviction-type="COUNT" size="30000"/> <expiration lifespan="86400000" interval="120000"/> <jdbc-store data-source="InfinispanDS" dialect="POSTGRES" fetch-state="true" passivation="true" preload="false" purge="false" shared="false" singleton="false"> <table prefix="ISPN_mbd_node1"> <id-column name="ID_COLUMN" type="VARCHAR(255)"/> <data-column name="DATA_COLUMN" type="BYTEA"/> <timestamp-column name="TIMESTAMP_COLUMN" type="BIGINT"/> </table> </jdbc-store> </distributed-cache> Shall I fill a Jira? Thanks, --nick

7 years, 4 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user November 2018