Hello Keycloak Users!
We are planning on using the Client Registration flow for setting up
clients on login.
This is mainly to more clearly identify each individual device a user
has logged in with.
Are there anyone using this feature in production with a large number
With our current stats, we would probably end up with a few million
clients by the end of the year.
1. Will this scale well with the way Keycloak works?
2. If a user loses their device, how should a full revoke & logout be performed?
3. Is there an alternative approach to give each user more control
over their device and session?
I am building a multi-tenant mobile application that uses keycloak as a SSO server. We will pre-load users in keycloak using their email address as their username with a separate realm for each tenant. When a user logs into the mobile app I need to detect the realm from a user's email domain and redirect to the appropriate authorisation end point for the realm. Has anyone faced a similar problem?
My thoughts at the moment is to build a proxy api that the mobile application redirects to that prompts the user for their email address, look up the configured tenant form the email domain and redirects to the appropriate realm's login page passing the mobile app credentials it passes to the proxy api and the entered user email as a login_hint.
Can anyone see any issues with this approach? Or a suggest a better approach?
I'm working on a multi tenant project where usernames are actually their email addresses and the domain of the email serves as a tenant identifier.
Now in Keycloak I'll have different realms per tenant, but I want to have a single login page for all tenants and the actual realm that will do the authentication to be somehow resolved by the username (email address).
How do I go about doing that?
Best regards, Pedro.
Hello all,I’m working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I’m not familiar with the specific terminology, I’m thinking of something similar to how GitHub manages their permissions:- A single user can be a member of multiple organizations- A user can have a different roles with different organizations that grant them access to all of an organization's resources- A user can have access to a specific resource- That organization-specific role determines access to different organization resourcesAre there any best practices or patterns for this model? Thanks!Justin
I'm trying to sync the LDAP groups into Keycloak but it doesn't update the
membership if I add or remove it from a group in LDAP.
I was able to sync the groups and its users into Keycloak correctly if
those wasn't provisioned before. For example, if the user already exists in
Keycloak DB (provisioned from LDAP) and I remove it from a LDAP group (also
provisioned from LDAP), the user in Keycloak continues to being a member of
the group in the Groups tab of user's details screen and in client's group
mappers. However, if I open the Members tab of group's details screen the
user was removed from the group.
Is there any way to solve this problem? Because of my company policy I
can't use Keycloak to manage the groups.
I'm using Keycloak 2.5.1.
Thanks for the help
Dear Keycloak users.
I am very new to keycloak and I really like it. it is great.
I am currently migrating a legacy app ( using it's own user management ) to
I have set-up keycloak with openid connect and it works very well. At this
point we need to decide
if we will use keycloak as our main user store or we will set-up an LDAP.
My question is that. Is keycloak designed in a way that it can fullfil all
the responsibilities of the main user store?
Any risk with this at all?
ps: our userbase is small and at this point I am not sure if we want to add
ldap just for this.
*Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I *
I'm using a keycloak tomcat SAML adapter and I have a question related to
?GLO=true way of logging-out (since Tomcat doesn't implement full JavaEE
stack, request.logout() is not the way to go, right?).
When I use GLO=true, my session inside the Keycloak is indeed invalidated
however the local session in Tomcat is not.
When I try session.invalidate() and then redirect to GLO=true, sometimes my
protected page still can be loaded.
Is there a robust documented way to do the logout with help of Keycloak
SAML tomcat adapter?
we have a requirement to set the jndi datasource name on a UserFederation
provider when added to a realm to support connecting different realms in
the same Keycloak server to different databases. Been through the examples
and read a few emails from around 2016 in the developer list but do not
find anyone who'd actually done this before. we could create a user managed
EntityManagerFactory within the federation provider factory but the
question is then how can we inject it into the container context and enlist
our transactions in the JTA?
Has anyone ever had to implement something like that?