Violation in Password Change Form results in System Error using a user defined jpa storage provider
by Andreas Sättler
Hello,
we are using a user defined storage provider for our application
postgres db defined as ejb similar to
https://github.com/keycloak/keycloak-quickstarts/tree/latest/user-storage....
On the other hand we want to use Keycloak's password update forms
including password policy configured in keycloak.
The policies are checked in the upgradeCredential method and in case of
violation a ModelException is thrown.
But unfortunately the exception is caught as
javax.ejb.EJBTransactionRolledbackException in
org.keycloak.services.resources.account.AccountFormService#processPasswordUpdate:
2019-08-14 17:16:54,973 ERROR [org.keycloak.services] (default task-2) KC-SERVICES0065: Failed to update Password: javax.ejb.EJBTransactionRolledbackException: invalidPasswordMinLengthMessage
    at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInCallerTx(CMTTxInterceptor.java:203)
    at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:364)
    at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:144)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3@16.0.0.Final//org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ee@16.0.0.Final//org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
    at org.wildfly.security.elytron-private@1.8.0.Final//org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:618)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation@1.5.2.Final//org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
    at org.jboss.as.ee@16.0.0.Final//org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
    at org.jboss.as.ee@16.0.0.Final//org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)
    at org.jboss.as.ee@16.0.0.Final//org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81)
    at deployment.keycloak-ofbiz-provider-ear.ear.keycloak-ofbiz-provider.jar//com.zyres.keycloak.storage.OFBizUserStorageProvider$$$view2.updateCredential(Unknown Source)
    at org.keycloak.keycloak-services@6.0.1//org.keycloak.credential.UserCredentialStoreManager.updateCredential(UserCredentialStoreManager.java:168)
    at org.keycloak.keycloak-services@6.0.1//org.keycloak.services.resources.account.AccountFormService.processPasswordUpdate(AccountFormService.java:577)
    ...
Caused by: org.keycloak.models.ModelException: invalidPasswordMinLengthMessage
    at deployment.keycloak-ofbiz-provider-ear.ear.keycloak-ofbiz-provider.jar//com.zyres.keycloak.storage.OFBizUserStorageProvider.updateCredential(OFBizUserStorageProvider.java:256)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    ...
Therefore the account password change form results in a system error
instead of a model validation.
Do you have any suggestions how to avoid this, or is it a bug?
(we are using Keycloak server 6.0.1)
Kind regards
Andreas
5 years, 4 months
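An added illustration for the thread above, not code from the poster or from the quickstart: an EJB container treats any RuntimeException that is not declared an application exception as a system exception and rethrows it to the caller wrapped in EJBTransactionRolledbackException, which is why the catch for ModelException in AccountFormService never matches. Declaring an annotated ModelException subclass lets the policy violation pass through unwrapped; the package, class and method names here are assumed.

```java
package com.example.keycloak.storage;   // assumed package, not the poster's

import javax.ejb.ApplicationException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.policy.PasswordPolicyManagerProvider;
import org.keycloak.policy.PolicyError;

/**
 * An EJB business method that throws an unannotated RuntimeException
 * (ModelException included) has thrown a "system exception": the container
 * discards the instance and rethrows it to the caller wrapped in
 * EJBTransactionRolledbackException. Annotating a subclass as an application
 * exception makes the container pass it through unchanged, so the caller's
 * catch (ModelException) in AccountFormService matches again.
 * rollback = true still rolls the transaction back, as the wrapped system
 * exception would have done.
 */
@ApplicationException(rollback = true)
public class PasswordPolicyViolationException extends ModelException {
    public PasswordPolicyViolationException(String messageKey) {
        super(messageKey);
    }
}

/** Policy check as it would be called from the EJB provider's updateCredential (assumed helper). */
class PasswordPolicyGuard {
    private final KeycloakSession session;

    PasswordPolicyGuard(KeycloakSession session) {
        this.session = session;
    }

    void check(RealmModel realm, UserModel user, String rawPassword) {
        // Run the realm's configured password policy; null means the password passed.
        PolicyError error = session.getProvider(PasswordPolicyManagerProvider.class)
                                   .validate(realm, user, rawPassword);
        if (error != null) {
            // error.getMessage() is the message key, e.g. "invalidPasswordMinLengthMessage",
            // which the account form resolves into the localized validation text.
            throw new PasswordPolicyViolationException(error.getMessage());
        }
    }
}
```

The same effect can be had without a subclass by declaring org.keycloak.models.ModelException as an <application-exception> with <rollback>true</rollback> in the EJB module's ejb-jar.xml assembly-descriptor.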
External users federation
by Doh A. Ouattara
Hello
We are dealing with a dozen external third-party applications developed
by different software vendors. We do not have access to their authentication
scheme or application servers.
Is there a way to use Keycloak so that a user will use only one
account/password to authenticate with Keycloak, then Keycloak will make a
second authentication on behalf of the user to the third-party application
using the user credentials (mapped) and redirect the user into the target
application?
To be short, can Keycloak behave like a password manager or password vault
for external applications?
Is there a way to solve our problem with Keycloak?
Kind regards
---
Doh Ouattara
5 years, 4 months
Keycloak configuration on AWS for a large scale
by Ferdous Shibly
Hi,
I am trying to configure Keycloak 6.0.1 on AWS. I need to configure a multi-AZ
Keycloak cluster for almost seven million active users (growing
every day). Currently I am using standalone HA with PostgreSQL (RDS). When I
tried to import all the users from LDAP, the cluster stopped working.
Here are the errors I am getting:
2019-08-08 11:35:21,645 ERROR
[org.infinispan.interceptors.impl.InvocationContextInterceptor]
(timeout-thread--p11-t1) ISPN000136: Error executing command
PutKeyValueCommand, writing keys [task::ClearExpiredEvents]:
org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out
waiting for responses for request 76 from keycloak1
at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
2019-08-08 11:35:32,684 ERROR
[org.infinispan.interceptors.impl.InvocationContextInterceptor]
(timeout-thread--p11-t1) ISPN000136: Error executing command
RemoveCommand, writing keys
[task::ClearExpiredClientInitialAccessTokens]:
org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out
waiting for responses for request 81 from keycloak1
at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
2019-08-08 11:36:14,107 ERROR
[org.infinispan.interceptors.impl.InvocationContextInterceptor]
(timeout-thread--p11-t1) ISPN000136: Error executing command
RemoveExpiredCommand, writing keys
[5d57dd8d-79e0-4ab9-9d8b-60fc570ec8b2]:
org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out
waiting for responses for request 85 from keycloak1
at org.infinispan.remoting.transport.impl.SingleTargetRequest.onTimeout(SingleTargetRequest.java:65)
at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
2019-08-08 11:56:34,720 FATAL [org.infinispan.CLUSTER]
(transport-thread--p13-t2) [Context=sessions] ISPN000313: Lost data
because of abrupt leavers [keycloak1]
2019-08-08 11:56:34,721 INFO [org.infinispan.CLUSTER]
(transport-thread--p13-t2) [Context=sessions] ISPN100008: Updating
cache members list [keycloak2], topology id 6
2019-08-08 11:56:34,739 FATAL [org.infinispan.CLUSTER]
(transport-thread--p13-t2) [Context=clientSessions] ISPN000313: Lost
data because of abrupt leavers [keycloak1]
2019-08-08 11:56:34,740 INFO [org.infinispan.CLUSTER]
(transport-thread--p13-t2) [Context=clientSessions] ISPN100008:
Updating cache members list [keycloak2], topology id 6
2019-08-08 11:56:34,744 WARN [org.infinispan.CLUSTER]
(transport-thread--p13-t2) [Context=work] ISPN000314: Lost at least
half of the stable members, possible split brain causing data
inconsistency. Current members are [keycloak1], lost members are
[keycloak1], stable members are [keycloak2, keycloak2]
at java.lang.Thread.run(Thread.java:748)
Here is the JGroups configuration:
<subsystem xmlns="urn:jboss:domain:jgroups:6.0">
    <channels default="ee">
        <channel name="ee" stack="tcp" cluster="ejb"/>
    </channels>
    <stacks>
        <stack name="tcp">
            <transport type="TCP" socket-binding="jgroups-tcp"/>
            <protocol type="JDBC_PING"/>
            <jdbc-protocol type="JDBC_PING" data-source="KeycloakDS">
                <property name="initialize_sql">
                    CREATE TABLE IF NOT EXISTS jgroupsping (
                        own_addr VARCHAR(200) NOT NULL,
                        cluster_name VARCHAR(200) NOT NULL,
                        ping_data BYTEA DEFAULT NULL,
                        PRIMARY KEY (own_addr, cluster_name)
                    )
                </property>
            </jdbc-protocol>
            <protocol type="MERGE3"/>
            <protocol type="FD_SOCK"/>
            <protocol type="FD_ALL"/>
            <protocol type="VERIFY_SUSPECT"/>
            <protocol type="pbcast.NAKACK2"/>
            <protocol type="UNICAST3"/>
            <protocol type="pbcast.STABLE"/>
            <protocol type="pbcast.GMS">
                <property name="join_timeout">60000</property>
                <property name="print_local_addr">true</property>
                <property name="print_physical_addrs">true</property>
            </protocol>
            <protocol type="MFC"/>
            <protocol type="FRAG2"/>
        </stack>
    </stacks>
</subsystem>
Any help would be appreciated.
Cheers
Ferdous Shibly
5 years, 4 months
DBusException: "Failed to connect to bus ""Failed to auth""
by Miroslav Beranič
Hi,
I am trying to integrate FreeIPA with Keycloak (same issue with 6.0.0 and
8.0.0-SNAPSHOT; the following line numbers are from master/8.0.0-SNAPSHOT).
I have an issue with User Federation: the SSSD Provider is DISABLED.
I run on OpenJDK 8 and Fedora 31.
I run WildFly in Standalone mode, with logging set to DEBUG.
In server.log the following error message is written:
"org.freedesktop.dbus.exceptions.DBusException: "Failed to connect to bus
""Failed to auth"". This is from:
org/freedesktop/dbus/Transport.java:811
throw new IOException(getString("errorAuth"));
and
org/freedesktop/dbus/DBusConnection.java:306
throw new DBusException(getString("connectionFailure") + IOe.getMessage());
I guess this error message is not the most correct one (or meaningful).
Origin of the error is from:
org/freedesktop/dbus/Transport.java:488 ==>
org.freedesktop.dbus.Transport.SASL#auth, where username "root" is encoded
with stupidlyEncode(username); (as I am on
JVM8, com.sun.security.auth.module.UnixSystem is not found).
I get back "COMMAND_REJECTED" and as a result "state = FAILED"
(org/freedesktop/dbus/Transport.java:548).
I am able to execute dbus commands:
[root@sso ~]# dbus-send --print-reply --system
--dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe
org.freedesktop.sssd.infopipe.Ping string:PING
Creating home directory for keycloak.
method return time=1565779939.956922 sender=:1.259 -> destination=:1.3491
serial=22 reply_serial=2
string "PONG"
[root@sso ~]# echo $?
0
[root@sso ~]# dbus-send --print-reply --system
--dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe
org.freedesktop.sssd.infopipe.GetUserGroups string:admin
method return time=1565537226.470653 sender=:1.87 -> destination=:1.104
serial=12 reply_serial=2
array [
string "trust admins"
string "admins"
]
[root@sso ~]# echo $?
0
These terminal commands were pointed out as a "self test of a well configured
system", but all of these commands work; WildFly/Keycloak, on the other hand,
rejects SSSD discovery.
Is it possible I am missing some SELinux setting? Is there a way to test
and reach this failure without WildFly, using terminal commands, so that
I could pinpoint what the problem is?
I was following the steps presented in "Christian Heimes - Identity
management, single sign-on and certificates with FreeIPA" and "scott
poore's blog / How to setup Keycloak".
What am I missing? Is there some test I can run from the Keycloak source to
check beforehand what is wrong?
Thanks a lot.
Kind Regards,
Miroslav
5 years, 4 months
Keycloak json logs
by Vucomir Ianculov
Hi,
I'm using a Keycloak server running in Docker and I want to enable JSON log format to stdout.
If I execute the following commands when Keycloak is started, it works:
/subsystem=logging/json-formatter=json:add(exception-output-type=formatted, pretty-print=false, meta-data={label=value})
/subsystem=logging/console-handler=CONSOLE:write-attribute(name=named-formatter, value=json)
But I want this to be done automatically on Docker image start; I tried adding a custom .cli script but it does not work.
Does anyone know how I can do this automatically?
Thanks.
Kind Regards,
Vucomir Ianculov
E-Mail: vukomir(a)ianculov.ro
Phone: (+40) 722 - 690 - 514
LinkedIn: http://ro.linkedin.com/in/vukomir
XING: http://www.xing.com/profile/Vucomir_Ianculov
5 years, 4 months
Could not modify attribute for DN
by Benjamin Sher
Help! I am using AWS Simple AD. I have my users federated no problem. I can change the password of a user inside the realm no problem. If I impersonate a user or do a password reset and attempt to change the password as the user, I receive the error "Could not modify attribute for DN [CN=........]".
Any thoughts?
5 years, 4 months
Error fromIndex < 0 making no sense
by Sébastien Minne
Hi Guys,
I'm getting this weird error message from Keycloak.
I'm running two Keycloak instances on the same host; one is fine and the
second one gives me this:
Caused by: java.lang.IndexOutOfBoundsException: fromIndex < 0: -1
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at java.util.BitSet.nextClearBit(BitSet.java:744)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.initializer.InitializerState.getNextUnfinishedSegmentFromIndex(InitializerState.java:102)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.initializer.InitializerState.updateLowestUnfinishedSegment(InitializerState.java:98)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.initializer.InitializerState.markSegmentFinished(InitializerState.java:94)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer.startLoadingImpl(InfinispanCacheInitializer.java:187)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer.startLoading(InfinispanCacheInitializer.java:108)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.initializer.CacheInitializer.loadSessions(CacheInitializer.java:41)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$7.run(InfinispanUserSessionProviderFactory.java:317)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCache(InfinispanUserSessionProviderFactory.java:306)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCaches(InfinispanUserSessionProviderFactory.java:298)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.access$500(InfinispanUserSessionProviderFactory.java:68)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.lambda$onEvent$0(InfinispanUserSessionProviderFactory.java:127)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransactionWithTimeout(KeycloakModelUtils.java:267)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:121)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:69)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:170)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:152)
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one] ... 31 more
Aug 14 17:23:58 keycloak.srv2 sh[2512]: [Server:server-one]
I've already lost a bunch of hours trying things around but can't figure
out what's wrong.
Any piece of advice would be more than welcome.
Sébastien
5 years, 4 months
Prevent users from changing email address when email is used as username
by Ales Fuchs
Hello,
We are using Keycloak version 4.8.3 and in our setting we have the option
"Email as username" switched on and "Edit username" switched off.
At the same time we need to let users log in and change their name in
the account console. Once the name and surname are editable, the email can be
changed too, which also changes the username.
The input with the email can be hidden, but whoever knows how Keycloak works
can simply add this input and update the username.
Does anyone have any idea how updating the username can be prevented?
Best regards,
Ales Fuchs
5 years, 4 months
Custom password hashing in user federation
by Simon Levermann
Hello,
in our custom user database, we have passwords hashed by bcrypt (or
argon2). As far as I can see we have 2 ways of verifying these passwords:
1) Create a PasswordHashProvider via SPI, and teach it how to use the
hashing algorithms.
2) Include the hashing algorithms as a dependency of our UserProvider,
and do it internally via implementing CredentialInputValidator.
Which of these options is the recommended way to do this?
Cheers,
Simon
5 years, 4 months
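As an added illustration of option 2 in the post above (not the poster's code, and not a verdict on which option is recommended): a CredentialInputValidator that verifies a stored bcrypt hash itself. It assumes the jBCrypt library (org.mindrot.jbcrypt) on the classpath and a hypothetical ExternalUserDao for the custom user database; in a real provider these three methods sit on the UserStorageProvider class next to the user lookup methods.

```java
package com.example.keycloak.storage;   // assumed package, not the poster's

import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.mindrot.jbcrypt.BCrypt;

public class BcryptCredentialValidator implements CredentialInputValidator {

    /** Hypothetical lookup into the custom user database; null when no hash is stored. */
    public interface ExternalUserDao {
        String findPasswordHash(String username);
    }

    // Modular-crypt bcrypt string: $2$, $2a$, $2b$ or $2y$, two-digit cost,
    // then 22 salt + 31 hash characters (53 in total).
    private static final String BCRYPT_FORMAT = "^\\$2[aby]?\\$\\d{2}\\$[./A-Za-z0-9]{53}$";

    private final ExternalUserDao dao;

    public BcryptCredentialValidator(ExternalUserDao dao) {
        this.dao = dao;
    }

    @Override
    public boolean supportsCredentialType(String credentialType) {
        // Only password logins are verified here; OTP etc. remain Keycloak's job.
        return UserCredentialModel.PASSWORD.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        // Tells Keycloak whether this user can be checked by us at all.
        return supportsCredentialType(credentialType)
                && dao.findPasswordHash(user.getUsername()) != null;
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!supportsCredentialType(input.getType()) || !(input instanceof UserCredentialModel)) {
            return false;
        }
        String raw = ((UserCredentialModel) input).getValue();
        String stored = dao.findPasswordHash(user.getUsername());
        return verifyBcrypt(raw, stored);
    }

    /**
     * Fail closed: a missing, empty or malformed hash is rejected before the
     * library sees it, so a corrupt database row yields "invalid password"
     * rather than an exception that would surface as a server error.
     */
    static boolean verifyBcrypt(String raw, String stored) {
        if (raw == null || stored == null || !stored.matches(BCRYPT_FORMAT)) {
            return false;
        }
        try {
            return BCrypt.checkpw(raw, stored);
        } catch (IllegalArgumentException e) {
            return false;
        }
    }
}
```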
Federation of Roles, Groups and Realms
by Simon Levermann
Hello,
we have a user database in the form of a license server, which we would like
to use as a source of data for a Keycloak server. I've been able to find
plenty of resources on how to map the *users* into Keycloak via SPI, but
I haven't been able to find much on Roles, Groups and Realms. Are any
(or all) of the three possible to achieve, or do we have to manage these
manually?
The problem is that we would like to have some logical separation of
users into a realm (or a group) per customer, as well as mapping roles
onto licenses for different products. Our current stab at a solution is
an external synchronization service which periodically performs updates
via the Keycloak Admin API, but if possible, we would like to get rid of
this service and perform all the mappings inside Keycloak.
Best regards,
Simon Levermann
5 years, 4 months