I am trying to configure an authentication flow that restricts login to a particular group but initially when I overrode the public client authentication flow, we got this error which indicates the user object was null. Initially script did a user.hasRole, but now does isMember. I only had the script as part of the new flow.
09:51:07,319 ERROR [org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator] (default task-15316) org.keycloak.scripting.ScriptExecutionException: Could not execute script 'restrict-public-db-admin' problem was: TypeError: null has no such function "hasRole" in <eval> at line number 31
I then added in these flows which now authenticate me, but the script doesn't even execute now and always gives me a token.
Cookie - Alternative
Identity Provider Redirector - Alternative
Username Password Form - Required
Script - Required
I setup the following
New role: db-admin. No users have been assigned to this role
New group: db-admin. Assigned db-admin role
I am a member of the group db-admin
New authentication flow: restricted-public
Script: restrict-public-db-admin which only passes authentication when user is a member of the group db-admin
New public client: restricted-public. Authentication Flow Overrides set to restricted-public authentication flow
We have confirmed that -Dkeycloak.profile.feature.scripts is enabled, as per https://www.keycloak.org/docs/7.0/server_admin/#executions
We followed this example https://stackoverflow.com/a/54384513
Are we implementing/using the authorisation flow override incorrectly? How do I restrict a client to users in a group only?
Moving discussion to keycloak-user mailing list.
Did you enable the `scripts`feature using system property
On Mon, Nov 4, 2019 at 7:47 AM Knüppel, Pascal <
> I got a simple problem with the scripts upload feature. I created a
> jar-file as described here (
> and put it into the deployments directory of keycloak. But now the simple
> question... how am I supposed to map these defined script-mappers and the
> authenticator-execution into my configuration within the admin-console?
> the deployment was successful and this is my "keycloak-scripts.json" file
> "authenticators": [
> "name": "authentication-level",
> "fileName": "authentication-level-script-authenticator.js",
> "description": "This script determines the authentication level,
> i.e. the authentication method used to identify the user"
> "mappers": [
> "name": "substitute-roles-mapper",
> "fileName": "substitute-roles-script-mapper.js",
> "description": "maps substitute roles into the access token"
> "name": "authentication-level-mapper",
> "fileName": "authentication-level-script-mapper.js",
> "description": "maps the authentication level into the access token"
> my jar file has the following structure:
> |_ META-INF
> | |_keycloak-scripts.json
> | |_MANIFEST.MF
> I can neither find the authenticator nor the mappers in the admin-console
> and I have no idea how to map them...
> any ideas?
> Best regards
> Pascal Knüppel
> Veranstaltungsvorschau: Besuchen Sie uns...
> 11. Jahrestagung E-Akte | 06. + 07.11.2019 | Berlin<
> Kongress e-nrw | 07.11.2019 | Düsseldorf/Neuss<https://www.e-nrw.info/>
> OMNISECURE | 20.-22.01.2020 |Berlin<https://www.omnisecure.berlin/de/>
> Zukunftskongress Staat & Verwaltung |15.-17.06.2020 | Berlin<
> keycloak-dev mailing list
I'm an un-experienced Keycloak user, using version 7.0.0.
I've managed to setup Keycloak, and login at Gitlab(SAML) and Grafana(OAUTH) via Keycloak.
This seems to work as it should.
The issue i'm now facing is similar to this one<https://stackoverflow.com/questions/54305880/how-can-i-restrict-client-ac...>, how can I restrict client access to only one group of users, and how do I configure Keycloak to allow login through this client only, for both SAML and OAUTH.
However, I can't work with the answers provided, they're unclear and or fuzzy. It's unclear for me what to do.
Can someone explain to me, in an ELI5 fashion, how I need to configure keycloak in order to achieve this functionality?
I have create a custom SPI to authenticate with my existing users that are
stored in an Oracle database. I have also implemented the
ImportedUserValidation interface to sync users if any change were to happen
in the Oracle database for that purpose I have implemented the Validate in
ImportedUserValidation I have put a log message so that I can know which
methods are firing and when. when a user logs in this message is printed
more than 20 times is there a reason for this also happens for
>From what I understood validate method will only be used if there's a
federation link but for non federated users are also going through this.
I have deployed keycloak and keycloak-gatekeeper in kubernetes and running
into a strange issue, that I want to check here.
I have the following architecture. I have a kubernetes ingress, which
forwards all incoming request to a gatekeeper pod. I have configured the
gatekeeper to check for authentication against a keycloak pod. Once the
gatekeeper verifies that the authentication is successful, the requests are
forwarded to a different 3rd pod which has an angular app served from
nginx. I use the default keycloak login page to authenticate my angular app.
Now, this is all fine and everything works fine. When I launch my app, for
the first time, the request initially goes to the gatekeeper, then gets
redirected to the keycloak login page, then after login, my angularapp is
loaded in the browser.
However, in my angular app, in addition to the GET calls in the main thread
using the browser address bar, I also make some POST calls in a thread.
These POST calls too make use of the cookies in the browser and things work
After an initial timeout of about 30 minutes or so, the gatekeeper responds
with a `HTTP 302` for my POST calls because the token is timed out. Now the
gatekeeper also sends me a `Location`, something like:
`/oauth/authorize?state=00000000-0000-0000-0000-000000000001` with a uuid.
In the normal browser GET flow, if this response was obtained, the browser
would do a HTTP GET to the same `location` and it woudl get another `307`
after that and then the original requested url will be loaded. However, in
my case, since the `302` was received for a `POST` call, the browser
attempts to make a `POST
and this gets a `403` error from the gatekeeper (or the keycloak).
I cannot receive `302` in my angular-app and change the HTTP method from
applications to receive the 3XX responses. See:
I want to use the keycloak login screen. I do not mind writing a different
adapter instead of using gatekeeper but I prefer to use the standard
gatekeeper. Now is there a way for a browser application to make GET as
well as POST calls, using a single session, but correctly handle the
Is there something that I am missing ?
One approach that I could think of is, if it is gatekeeper that is
returning the `302` or `307` then I could replace gatekeeper with my custom
adapter built using gatekeeper (or even better contribute a patch to add an
option to gatekeeper) where instead of 3XX I can return a 401 or a (400
with a custom status text) to refresh the Auth token that I have in the
Or is there a better approach ? I believe that using GET and POST calls in
a single app will not be a rare scenario. How do existing users handle
sessions in this case ?
We are looking into implementing cross datacenter replication. In looking at the doc's I see mention of using JBoss Data Grid. Will we need to purchase/license from Red Hat before we can proceed? Is there an alternate option, ie. community Data Grid solution?
Please consider the environment before printing this email and any attachments.
This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.