Data truncation: Data too long for column 'ID' at row 1
by Corentin Dupont
Hi guys,
I'm creating keycloak protection resources by providing my own ID, in order
to map my resources easily with my own database. The naming schema is:
<prefix>-<DB_ID>
However, I get some errors: Data truncation: Data too long for column 'ID'
at row 1
The DB_ID can be long, we didn't think to limit it. If I understand,
Keycloak IDs are limited to 36 characters or something like that? How to
relax this constraint?
Thanks
Corentin
5 years, 1 month
Client Credential Flow With Service User
by Yasiru Tittagalla
Hi all,
I have a web app that I need to secure in a non-interactive way, and
there are only a couple of users that have permission to use this client, and
I want to validate them without going through a login screen.
For now the only plausible flow I can think of is the client credential
flow, but it does not incorporate a user. Is there a better way to handle
this? If so, how?
Thank you and regards,
Yasiru.
5 years, 1 month
Extending Keycloak DB schema (JPA)
by Pavel Micka
Hello everyone,
We are in a situation where we need to extend the KC data model. The issue is that in our domain some users have a special relation with groups. It's something like "Joe supervises groups 1, 2, 3 (and Joe may not be part of group 1, 2 or 3)".
And since Joe may supervise many groups (hundreds) and we want to have data integrity, we have decided the best approach is to extend the KC database schema (rather than misuse user attributes :-)).
We investigated the examples and documentation and found out the following statement:
"This is an unsupported API, which means you can use it but there is no guarantee that it will not be removed or changed without warning."
https://www.keycloak.org/docs/latest/server_development/index.html#_exten...
So we have a few questions:
1. Is it safe to use this API?
2. If it will be removed, will it be replaced with some alternative API? (or are there already plans to remove this API?)
3. Is there some suggested cleaner way of how to achieve our goal?
Thanks for your help,
Pavel
5 years, 1 month
Adapter - FORM fallback for KEYCLOAK-SAML
by Mark Banierink
Hi all,
With, for instance, SPNEGO it is possible to set FORM as a fallback mechanism. In order to let special users log in using a FORM instead of KEYCLOAK-SAML we intended to apply this kind of behavior to our SAML application too. However, if I add the Keycloak adapter (6.0.1 on Wildfly 13 with Elytron), it overwrites the mechanism defined in the web.xml of the war. This means that when I then try to log in using a form, the mechanism isn't recognized. This behavior seems to come from the KeycloakAdapterConfigDeploymentProcessor. Is this functionality lacking in the Keycloak adapter?
Thanks in advance!
Kind regards,
Mark
5 years, 1 month
Upgrading cross-datacenter replication installation with independent domain controller
by Juan Antonio Farre Basurte
Hello,
I have the following installation and have doubts about the right
procedure to upgrade it:
- Two datacenters
- Keycloak 4.8.3
- A domain clustered installation with one cluster per datacenter
- Cross-datacenter replication using infinispan server 9.3.6.
- A single independent domain controller for both datacenters (the domain
controller has no servers)
- A backup for the domain controller in the other datacenter (also with no
servers)
The domain controller:
Installed in $KEYCLOAK_HOME/domain-controller
Domain configuration in configuration/domain.xml
Host configuration in configuration/host-master.xml
The domain controller backup:
Installed in $KEYCLOAK_HOME/domain-controller
Domain configuration replicated with the --backup option
Host configuration in configuration/host-slave.xml
Each server in each cluster:
Installed in $KEYCLOAK_HOME/domain
Domain configuration replicated with the --cached-dc option
Host configuration in configuration/host-slave.xml
The infinispan server installation is totally equivalent, with its own
domain controller.
I've been taking a look at the migrate-domain-clustered.cli and several
doubts arise:
- Should I apply this script only to the domain controller, as the domain
configuration will be distributed to the other host controllers? Or are
actions also needed for each slave instance? (Perhaps the script can
perform changes to the host-slave.xml files?)
- The script seems to assume the installation is located at
$KEYCLOAK_HOME/domain. What is the right way to change it to
$KEYCLOAK_HOME/domain-controller?
- The script seems to assume that the host configuration is in the
host.xml file. What is the right way to change it to host-master.xml?
- The script needs the location of the file keycloak-server.json, but my
installation has no such file. Is this file something present in older
versions only? Can I ignore it?
Thank you very much in advance,
Juan
5 years, 1 month
ResponseLocation in SAML identity broker
by Leonid Rozenblyum
Hello!
Does Keycloak support ResponseLocation for the SAML identity broker for Single
Logout?
(see https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf,
2.2.2 Complex Type EndpointType:
ResponseLocation [Optional] Optionally specifies a different location to
which response messages sent as part of the protocol or profile should be
sent. The allowable syntax of this URI depends on the protocol binding.)
We need to integrate with an IdP that uses a ResponseLocation different
from Location and rejects our single logout responses.
Is this feature somehow tunable in Keycloak?
5 years, 1 month
Deprecating WildFly adapter container image
by Stian Thorgersen
I propose we deprecate the WildFly adapter container image. I believe very
few if any use it as it is still stuck on WildFly 15 and no-one has
complained.
In general users should modify containers to include adapters, rather than us
providing re-distributed versions of containers.
5 years, 1 month
Authorisation and public clients
by Pete Chown
Hello,
I have a public client and I can issue tokens for it. I would like to
be able to use Keycloak for access control as well, so for example I
might give a user the "admin" role and that would cause additional
scopes to be added to their tokens.
Unfortunately it looks as though the authorisation aspect of Keycloak is
only available to confidential clients. First of all, is that correct?
If my understanding is correct, is there some specific security issue
that arises if authorisation is applied to public clients? I can't
think of one, but perhaps I just haven't thought hard enough. :)
Suppose I have a confidential client, but I don't take any steps to keep
the "secret" secure. Is it then equivalent to a public client? In
other words could I work around this issue by making my client nominally
confidential, but not taking steps to conceal the secret? (There are
actually no steps I could take, because my client is just Javascript
running in a web page.)
Thank you for any help you can give, and many thanks to the developers
for this excellent software.
Pete
5 years, 1 month
Per client Registration Flows
by Jeff Wise
I have a need to provide non-web authentication and registration flows. I would like to provide these flows from the same realm as web-based flows. I can use the per client override mechanism to provide my non-web authentication flow, but I don’t see an equivalent for registration. How can I provide a non-web registration flow and a web-based registration flow in the same realm?
5 years, 1 month
enumerate all realms
by Ori Doolman
Hi,
Is there any way (using REST) to get a list of all realms?
I could not find such an API.
Thanks,
Ori.
5 years, 1 month