Keycloak behind reverse proxy
by Nikola Malenic
I configured mutual-SSL authentication on Keycloak. That means that a user
coming to Keycloak does an SSL handshake, allowing Keycloak to extract data from
the client certificate and map that data to an existing user in Keycloak, and
based on that authenticate the user.
Now I need to configure a reverse proxy in front of Keycloak. I'm using
Apache's httpd.
The problem is that the user's browser now does the SSL handshake with the reverse
proxy server instead of Keycloak and sends a plain HTTP request, preventing
Keycloak from mapping and authenticating the user.
Is there a proposed method to achieve this?
Can I configure some reverse proxy (maybe not httpd) to proxy requests at
the transport layer?
Or should I somehow configure Keycloak for this?
Maybe configure the proxy to be KC's client and do the authentication
somehow?
Many thanks,
Nikola
5 years, 10 months
Keycloak revoke endpoint
by Ravi Shankar Nori
Hi,
I am working on integrating oVirt Engine with Keycloak as an external
authentication provider. In oVirt we have Java/Ruby/Python SDKs that need to
obtain a token directly from Keycloak and then revoke the token at the end of
the session.
I see Keycloak has a logout endpoint that takes the refresh token to perform
logout. Is there another endpoint that can take the access token to perform
the logout, like a "revoke" endpoint?
Thanks,
Ravi
5 years, 10 months
Keycloak email behind reverse proxy
by Nikola Malenic
Hello,
I want to send an email to the user to update his password after he gets
created using Keycloak's API.
One note: I am doing user creation in a different application than Keycloak
and then call Keycloak in the admin client's name.
Here is how I do this currently:
userRessource.get(id).executeActionsEmail(Arrays.asList("UPDATE_PASSWORD"));
The problem is that I have a reverse proxy in front of Keycloak, so users
won't be able to access Keycloak at all. And the email that is sent has a URL
pointing to Keycloak's address.
Is there a way to configure Keycloak to somehow send the email with a URL
pointing to the reverse proxy?
Thanks in advance,
Nikola
5 years, 10 months
Startup of Keycloak nodes roughly increases twofold for every 100 tenants.
by Madhu
Hi, I am using Keycloak 4.5. I created about 600+ tenants with 50 users each for performance testing.
Upon creating the tenants, the startup time of Keycloak increases drastically. This seems to be due to loading pretty much all entities at startup.
I tried disabling the realm cache and user cache and it did not help. Can you suggest how to bring down the startup time?
Is it absolutely necessary for Keycloak to load everything at startup?
This is an extract from the Hibernate stats I got on a c4.xlarge EC2 instance (4 cores, 8 GB), with Keycloak configured with Xms=Xmx=5g.
2018-11-24 10:33:19,998 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool – 61) Envers integration enabled? : true
2018-11-24 10:33:20,499 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool – 61) HV000001: Hibernate Validator 5.3.6.Final
2018-11-24 10:33:21,296 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool – 61) HHH000397: Using ASTQueryTranslatorFactory
^C
[centos@ip-172-31-45-199 log]$ 11:10:45,750 INFO [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool – 61) Session Metrics {
669457663 nanoseconds spent acquiring 92974 JDBC connections;
148185664 nanoseconds spent releasing 92974 JDBC connections;
1852958902 nanoseconds spent preparing 92974 JDBC statements;
35866600579 nanoseconds spent executing 92974 JDBC statements;
0 nanoseconds spent executing 0 JDBC batches;
0 nanoseconds spent performing 0 L2C puts;
0 nanoseconds spent performing 0 L2C hits;
0 nanoseconds spent performing 0 L2C misses;
543461113 nanoseconds spent executing 2 flushes (flushing a total of 227216 entities and 158902 collections);
2197548626817 nanoseconds spent executing 14139 partial-flushes (flushing a total of 1042012050 entities and 1042012050 collections)
}
11:10:45,780 INFO [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool – 61) Session Metrics {
7689387 nanoseconds spent acquiring 1 JDBC connections;
34263 nanoseconds spent releasing 1 JDBC connections;
8025969 nanoseconds spent preparing 1 JDBC statements;
909784 nanoseconds spent executing 1 JDBC statements;
0 nanoseconds spent executing 0 JDBC batches;
0 nanoseconds spent performing 0 L2C puts;
0 nanoseconds spent performing 0 L2C hits;
0 nanoseconds spent performing 0 L2C misses;
3525215 nanoseconds spent executing 3 flushes (flushing a total of 3 entities and 0 collections);
0 nanoseconds spent executing 0 partial-flushes (flushing a total of 0 entities and 0 collections)
}
11:10:45,795 INFO [org.hibernate.engine.internal.StatisticalLoggingSessionEventListener] (ServerService Thread Pool – 61) Session Metrics {
437680 nanoseconds spent acquiring 1 JDBC connections;
10539 nanoseconds spent releasing 1 JDBC connections;
465001 nanoseconds spent preparing 1 JDBC statements;
719260 nanoseconds spent executing 1 JDBC statements;
0 nanoseconds spent executing 0 JDBC batches;
0 nanoseconds spent performing 0 L2C puts;
0 nanoseconds spent performing 0 L2C hits;
0 nanoseconds spent performing 0 L2C misses;
0 nanoseconds spent executing 0 flushes (flushing a total of 0 entities and 0 collections);
17455 nanoseconds spent executing 1 partial-flushes (flushing a total of 0 entities and 0 collections)
All my 600+ realms are pretty much the same, i.e. each realm has a client scope, a JavaScript mapper (to get all the realm roles into resource roles), a couple of attribute mappers, and 2 user groups (1 for admins and 1 for other users). I have about 50 users in each realm and all the users belong to one of the 2 user groups (no custom roles though).
Also, I benchmarked the startup time after creating 50 or 100 realms, and the startup time increases as the number of realms increases.
I am able to manage as I have disabled the admin console and use the REST endpoints, but still the startup time and loading pretty much everything seems a little weird.
Please correct my understanding if I am wrong here.
| No. of realms | Startup time (mins) |
|---|---|
| 0 | 0.22 |
| 100 | 2.34 |
| 200 | 2.53 |
| 300 | 5.34 |
| 400 | 9.42 |
| 500 | 14.6 |
| 650 | 37 |
Likewise, the time taken to create tenants gradually increases (I use import to create realms),
from about 3 seconds for the first few realms to about 30 seconds for the 600th realm.
Any advice/help will be appreciated.
5 years, 10 months
deciding on using keycloak or not
by subscription sites
Hi there,
Just a general question: I'm currently deciding on which opensource
SSO-solution I should use in a project.
From what I can gather, Keycloak has all the features I need.
There is however one caveat here: the recent acquisition by IBM. I'm
wondering if there could be a potential consequence for Keycloak and if so,
what could it be? Could the project be completely cancelled? Could the
product disappear altogether or be left without any support?
I know that there probably isn't any clear information about this, even at
IBM/Redhat internally at the moment, but I don't want to choose a product,
integrate multiple applications with it and then get stuck in a year or so
having to do it all over again.
Any ideas/input?
Kind regards,
P.
5 years, 10 months
Custom message in authenticator script
by Vagelis Savvas
Hello,
I have created a theme and extended the base login form with an extra
input field.
I've also created a Script Authenticator that checks the value of the
extra field and permits or denies the authentication.
My authenticator script runs after the built-in 'Username Password form'
(Browser flow).
Now I would like to do two things when authentication fails because of
my script:
1. Use a custom i18n error message instead of showing one of the
messages of the built-in AuthenticationFlowError. Is there a way to do so?
2. Stay on the login page and show the error message instead of being
sent to a 'We're sorry...' page with a link back to the login form.
For instance, the built-in 'Username Password form' stays on the login
form with an error message when authentication fails, which is nice and
clean.
Currently I fail the authentication with 'context.clearUser();
context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);'
but I've tried various methods from 'context' without achieving either 1
or 2 of my requirements.
Cheers,
Vagelis
5 years, 10 months
Expire active token when user session is logged out
by Himalaya Gupta
Hi,
My client is a ReactJS application using the Keycloak JavaScript adapter.
I am trying the below scenario:
1. Log in to the client application via the Keycloak server and retrieve the
access token in the client.
2. Log in to the Keycloak Admin Console and log out the active session
for the user for the given client.
3. On the client application I observe the following: the token is still
valid as it has not expired. When the token expires, the refresh token
request is stuck refreshing the token (probably stuck as the user is
forcefully logged out via the Admin Console).
Can you please let me know if there is a way to detect the inactive session
and force the user to log in even if the token is still valid, via the
JavaScript API?
When trying to refresh the token, if the user session is logged out,
should the Keycloak server just return an error instead of a pending
response? Could this be a bug?
Any help would be appreciated in this regard. Thank you.
--
Best regards,
Himalaya Gupta
5 years, 10 months
Keycloak Multi Tenancy implementation with login through javascript (a webpage)
by Vikram
Hello all,
I want to assign different realms to different clients (organisations)
in Keycloak. The login to Keycloak is achieved through a webpage which
acquires a valid token from Keycloak, which is then passed with the REST
requests that I make from my website to a Spring Boot server that uses a
Keycloak adapter for authentication.
Now, the JavaScript adapter needs a Keycloak configuration file that has
details about the realm that I want to log in to. But the problem is
that I do not know which realm the user belongs to, because he/she can
be from any organisation, i.e. the login page for all organisations is the
same.
What is the best way to achieve this? I assume that this kind of
approach is quite common these days, but I cannot find a solution.
Regards,
Vikram
5 years, 10 months
Add user with a pre-existing client role and group through Java
by Vikram
Hi,
I am trying to add a user with a pre-existing client role and group
through Java code in my Spring Boot server. I want to achieve this
through a logged-in user that can only see/manage the users of his/her
group, and the newly created user should also be assigned a group and a
client role on creation. The group should be the same as the group of
the user that is logged in, and the client role could be hardcoded.
Thanks,
Vikram
5 years, 10 months