[keycloak-dev] Keycloak Modules developed for the Cloudtrust project

Stian Thorgersen sthorger at redhat.com
Thu Aug 16 04:30:13 EDT 2018

On Tue, 14 Aug 2018 at 12:03, Doswald Alistair <alistair.doswald at elca.ch> wrote:

> Hello,
> I just wanted to let this mailing list know that for the Cloudtrust
> project (https://github.com/cloudtrust), we have developed a certain
> number of modules for Keycloak. These are currently compatible with the
> version 3.4.3.Final of Keycloak, but we will make them compatible with
> Keycloak 4.X (where X will be the latest sub-version of Keycloak when we
> start working on this) as soon as we can. These modules are:
> * keycloak-wsfed (https://github.com/cloudtrust/keycloak-wsfed): an
> implementation of the WS-Federation protocol for Keycloak. This allows
> selecting the WS-Federation protocol for Keycloak clients and for identity
> brokers.

This is great, and I'm pleased that you are maintaining this. We simply don't
have the capacity to have this incorporated into Keycloak as we lack
expertise on WS-Fed and have too many other things to maintain.

> * keycloak-authorization (
> https://github.com/cloudtrust/keycloak-authorization): this module allows
> the use of the client authorization system to prevent a user who is
> authenticated in a Keycloak realm from accessing a given client. It works no
> matter which protocol is used, and without the client having to support any
> extra protocol. Note: this solution is a bit hacky, but necessary for one
> of our use-cases.

Sounds interesting. Can you write some more details about this? In the past
I've considered if we should have something like required roles to use a
client. That would work by not allowing a user to authenticate with a client,
but could also prevent adding audience for a service the user isn't allowed
to access. Could perhaps take it one step further and prevent client scopes
that users are not allowed to access.

> * keycloak-client-mappers (
> https://github.com/cloudtrust/keycloak-client-mappers): a module for
> adding any mappers that we might need that are not yet part of Keycloak.
> Currently only contains a JavaScript mapper for SAML, analogous to the OIDC
> script mapper. I've noticed that there's an open issue for this feature (
> https://issues.jboss.org/browse/KEYCLOAK-5520). If desirable I could
> submit this code not as a module but a solution to the issue.

SAML JavaScript protocol mapper would be great. If you submit with tests
and docs we'd love to have this in.

> * keycloak-export (https://github.com/cloudtrust/keycloak-export): a
> module adding an endpoint to fully export a realm while Keycloak is still
> running (no need for restarts!).

Can you write some more details about this? In the past we've considered
this, but not added it mainly for a few reasons, including:

* What happens if there are changes while doing the export, we were
thinking we'd have to pause the server from receiving requests during this
* We don't want a REST endpoint that can return credentials and other
secrets. Then there's also the size of the export. It would have to store
the export on disc, but then what about clustering. One potential would be
to develop a tool that can be executed from anywhere that has access to the
db. It would use Keycloak code base, but instead of starting a server it
would allow things like running an export from the db, migrate the db, etc.

> Cheers,
> Alistair
> PS: I mailed this to both dev and user mailing lists as I believe it may
> interest members of both mailing lists. However, upon sending to the dev
> mailing list the first time it bounced. This is the second attempt.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
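Stian's second objection above (a REST endpoint that can return credentials and other secrets) is the check a defender would want in place before any live-export feature ships. The following is an added example in Python; it is not code from the keycloak-export module or from Keycloak itself. It walks a realm representation, masks secret-bearing fields, empties user credential lists, and refuses to emit an export that still carries raw secrets. The field names (clients[].secret, smtpServer.password, identityProviders[].config.clientSecret, users[].credentials) are modelled on the realm JSON Keycloak produces, and the sample export is constructed for this example.

```python
"""Redact credentials from a Keycloak-style realm export before it leaves the server.

Added example, not part of the keycloak-export module or of Keycloak.
Field names are assumptions modelled on Keycloak's realm JSON; the sample
export below is constructed for this example.
"""
import json

MASK = "**********"

# Keys whose string values are secrets wherever they appear in the export tree.
SECRET_KEYS = {"secret", "password", "clientSecret", "privateKey"}
# Lists whose entries are credential objects (e.g. users[].credentials); dropped wholesale.
CREDENTIAL_LISTS = {"credentials"}


def redact_secrets(node):
    """Return (copy of `node` with secrets masked, list of JSON paths that were redacted).

    The path list is meant for an audit log entry recording what was stripped.
    """
    redacted = []

    def walk(n, path):
        if isinstance(n, dict):
            out = {}
            for key, value in n.items():
                child = f"{path}.{key}" if path else key
                if key in CREDENTIAL_LISTS and isinstance(value, list):
                    out[key] = []  # never export password hashes, OTP secrets, etc.
                    redacted.append(child)
                elif key in SECRET_KEYS and isinstance(value, str):
                    out[key] = MASK
                    redacted.append(child)
                else:
                    out[key] = walk(value, child)
            return out
        if isinstance(n, list):
            return [walk(v, f"{path}[{i}]") for i, v in enumerate(n)]
        return n

    return walk(node, ""), redacted


def contains_secrets(node):
    """True if any secret-bearing field still holds a raw (unmasked) value."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in CREDENTIAL_LISTS and isinstance(value, list) and value:
                return True
            if key in SECRET_KEYS and isinstance(value, str) and value != MASK:
                return True
            if contains_secrets(value):
                return True
        return False
    if isinstance(node, list):
        return any(contains_secrets(v) for v in node)
    return False


def export_realm(realm):
    """Serialise a redacted realm; raise instead of emitting one that still leaks secrets."""
    safe, _paths = redact_secrets(realm)
    if contains_secrets(safe):  # defence in depth: fail closed, never ship raw secrets
        raise ValueError("export still contains secrets; refusing to emit it")
    return json.dumps(safe, indent=2)


# Constructed sample export (not a real realm); values are placeholders.
SAMPLE_EXPORT = {
    "realm": "example",
    "clients": [
        {"clientId": "app", "publicClient": False, "secret": "s3cr3t-constructed"},
    ],
    "smtpServer": {"host": "smtp.example.invalid", "password": "mailpw-constructed"},
    "identityProviders": [
        {"alias": "ext", "config": {"clientId": "x", "clientSecret": "idp-constructed"}},
    ],
    "users": [
        {"username": "alice",
         "credentials": [{"type": "password", "hashedSaltedValue": "hash-constructed"}]},
    ],
}

if __name__ == "__main__":
    _safe, paths = redact_secrets(SAMPLE_EXPORT)
    print("redacted:", ", ".join(paths))
    print(export_realm(SAMPLE_EXPORT))
```

The allow-list of key names is the weak point of any such filter: a new Keycloak feature that stores a secret under a different key would pass through, which is why `contains_secrets` is only a second check and why Stian's preference for an offline tool with direct database access, rather than a REST endpoint, avoids the problem entirely.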
