We have a JSP + MVC based application for which we are using keycloak to
For this setup we are using JBoss EAP 6 OIDC client adapter and RH_SSO 7.2
While testing this setup we are facing an issue where we are seeing "*:0*"
characters in the redirect URI when login is triggered and user is
redirected to login page. Once the user logs in, our redirect fails as we
do not have a valid url with :0 symbol.
Has anybody faced such an issue. Please help!
SENIOR SOFTWARE APPLICATIONS ENGINEER
Red Hat IN IT GBD <https://www.redhat.com/>
Pune - India
pulgupta(a)redhat.com T: +91-2066817536
<http://redhatemailsignature-marketing.itos.redhat.com/> IM: pulgupta
We have deployed Keycloak behind a load balancer which is F5. The OIDC
clients are sitting in public network uses "https" for all communications.
The SSL is terminated in F5 and the packets are forwarded to Keycloak (say
on port 8080).
The OIDC client is designed in a such a way so as to use the endpoints
(like "/token" etc) that it receives in the response for the
The problem here is that the .well-known config is responding with URLs
with protocol as "http" for all the endpoints where as client is expecting
protocol with "https". Because of this client is not able to make secure
connection to these URLs.
Question is - how can we have responses for
".well-known/openid-configuration" request return with endpoints with
protocol *"https"* ; like the one mentioned below
We have followed the steps mentioned in the documentation
I.e in F5 added the "x-Forwarded-For" and "x-Forwarded-Proto" and made
the respective keycloak configuration changes as indicated in the
Is there any configuration or setting I might be missing?
I have a usecase with mobile application which is authenticate over
keycloak inside web view.
My concern is caused by "usability" of links generated in certain
actions - for example when user opens verification mail on his phone and
clicks confirmation link he should be "redirected" to moile application
in order to continue over this channel. Once he will finish process
mobile application will be ready to continue.
Another option I see is custom flow, however I am a little bit concerned
given that there are several flows which needs to be ammended and they
do generate HTML output in most of cases which needs to be kept.
What come to my mind is custom SPI, which could be added to keycloak.
Such SPI which would allow to register custom JAXRS filters for
request/response processing. By this way it would be possible to have a
very generic way to customize request handling without necessity to
amending default workflows.
Reason why I include dev mailing list is to see, if there would be
interest in having such extensibility provided by keycloak.
Has anyone successfully been able to secure and/or call RemoteEJBs using
KeyCloak tokens for authentication & authorization?
I've looked at several quickstarts that show how to inject the KC Token in
the EJB context at the client side, and retrieve it at the server side. So
the call to the EJB can be secured/validated with the KC token.
However, when the RemoteEJB proxy calls the server EJB, it sets up a
remoting connection and needs to authenticate itself. The quickstarts I've
seen use either JBOSS-LOCAL-USER or a user inserted into the
application-users.properties file. In either case, they are not using the
KC token for authentication.
How do I authenticate that connection handshaking using the KeyCloak
The REST api for create user does not seem to be reading the groups.
I looked at the source code and it seems to be no looking at the groups in
this case. However, when a user is imported groups are taken care of.
Is there a reason for this difference or is it a defect?
Hi all, Keycloak newbie here. I'm about 90 percent of the way to having a
configuration that works the way I want it to, but the other 10 percent is
giving me a lot of trouble.
The short version: I am wondering if anyone has found a way to pull
information from SSSD about users who have authenticated using an external
Here's the longer version:
* We have an external identity provider we want to make available to users
logging in via our Keycloak server. This part works exactly as expected.
* We have a local LDAP server with group membership information about those
users. The external IdP doesn't know about these groups, and unfortunately
we are unable to push this information up to it.
* Because the schema is kind of weird in our LDAP installation, this group
information is currently being pulled into Keycloak via the SSSD
* We need users logging in via the IdP to have the group information from
SSSD included in the assertion passed along to the protected application.
Right now, the workflow to make this happen is spread out over multiple
1. A user logs in via the Keycloak login page, using credentials
authenticated via SSSD.
2. The first time the user logs in, their user is created in Keycloak, and
their group information is (accurately!) pulled in via SSSD.
3. The user would then log out, eventually return to the Keycloak login
page, and log in via the external identity provider instead. THIS is the
way we want users to log in for the most part.
4. The user would be sent back to Keycloak, which would think it was a new
person until the user specifies the username that was created in step 2.
The two accounts are merged.
So, at the end of this process, a user is able to log in via the external
identity provider, and have their group information pulled from SSSD once
they authenticate. This is possible because they basically created two
accounts and linked them together manually, in step 4 above.
**We are trying to find a way to have that linkage happen automatically.**
The basic flow, in theory, would be that the user logs in for the first
time via the external IdP, and then we would just use SSSD to map groups to
that user. Is that possible? I'm not aware of a way to bulk-import users
from SSSD into Keycloak; is that the part that would be required?
Thanks very much for your time, and for reading all the way to the bottom
here. Looking forward to chatting about it.
I am securing a spring-boot (client) application with keycloak behind
a corporate web proxy and somehow this application cannot load JVM web
proxy settings. Is there a way to tell spring-boot-keycloak adapter to load
the proxy settings ? Otherwise I am always getting `Unknownhostexception`
because my app cannot resolve the dns name. Any Help ?
Sent from: http://keycloak-user.88327.x6.nabble.com/
We're using Keycloak 3.4.2.
We're getting Page has expired page on Forget Password Flow after
submitting your username. Below are the steps that we are following:-
On clicking "Forgot Password?" from Login screen
Redirects to "Forgot Your Password?" screen, where it accepts username and
allow to submit the form.
Shows "Page has expired" screen with two options:-
To restart the login process Click here .
To continue the login process Click here .
Please advise, what is wrong with our Keycloak configuration.
I was considering a removal of as7 adapter (EAP6 adapter stays) and also
wildfly8 adapter. AFAIK there was just few downloads of those in the
I'm working on different test framework for adapter tests and IMO there
is a waste of time to put an effort into those.
Any concerns or ideas?