I need to use wildfly as a stateless REST provider (no sticky sessions) so
I configured keycloak wildfly adapter to use cookie as a token store. User
roles in keycloak servers are imported from LDAP (LDAPProvider) and it is a
common situation that a single user belongs to multiple ldap groups (say
30+). Many of these groups decide about users authorization to specific
application functionality so they can't be simply filtered at keycloak
server level. On the other hand passing so many roles (mapped from ldap
groups) in the cookie (KEYCLOAK_ADAPTER_STATE cookie) causes the cookie to
be over 4096 bytes big and exceeds popular browsers' cookie size limit. The
cookie is simply discarded in such situation.
Hance I thought that using keycloak adapter to authentication only and
passing authorization to ldapextended login module at wildfly for
authorization could be a circumvention. However I doubt if such an idea
would work as it doesn't look like there is a fall back from keycloak
adapter to other authorization methoda on wildfly.
I would appreciate any piece of information if such a configuration is
available without redeveloping keycloak adapter or writting my own login
module for wildfly.
Thanks in advance for help.
Show replies by date