keycloak | Go library for accessing the Keycloak API | Identity Management library
kandi X-RAY | keycloak Summary
kandi X-RAY | keycloak Summary
keycloak is a Go client library for accessing the Keycloak API.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
- NewKeycloak returns a new instance of Keycloak
- addOptions adds options to the URL query
- SendVerifyEmail sends an email to a user .
- String returns a pointer to a string value
- Bool returns a pointer to a bool value
keycloak Key Features
keycloak Examples and Code Snippets
Community Discussions
Trending Discussions on keycloak
QUESTION
I've tried for many hours now and seem to have hit a wall. Any advice/help would be appreciated.
Goal: I want to authorize the express rest-api (ex client-id: "my-rest-api") routes (example resource: "WeatherForecast") across various HTTP methods mapped to client scopes (examples: "create"/"read"/"update"/"delete"). I want to control those permissions through policies (For example - "Read - WeatherForecast - Permission" will be granted if policy "Admin Group Only" (user belongs to admin group) is satisfied.
Rest-api will not log users in (will be done from front end talking directly to keycloak and then they will use that token to talk with rest-api).
Environment:
- Keycloak 15.1.1 running in its own container, port 8080, on docker locally (w/ shared network with rest-api)
- "my-rest-api": Nodejs 16.14.x w/ express 4.17.x server running on its own container on docker locally. Using keycloak-connect 15.1.1 and express-session 1.17.2.
- Currently hitting "my-rest-api" through postman following this guide: https://keepgrowing.in/tools/kecloak-in-docker-7-how-to-authorize-requests-via-postman/
What Happens: I can login from keycloak login page through postman and get an access token. However when I hit any endpoint that uses keycloak.protect() or keycloak.enforce() (with or without specifying resource permissions) I can't get through. In the following code the delete endpoint returns back 200 + the HTML of the keycloak login page in postman and the Get returns back 403 + "Access Denied".
Current State of Realm
- Test User (who I login with in Postman) has group "Admin".
- Client "my-rest-api" with access-type: Confidential with Authorization enabled.
- Authorization set up:
- Policy Enforcement Mode: Enforcing, Decision Strategy: Unanimous
- "WeatherForecast" resource with uri "/api/WeatherForecast" and create/read/update/delete client scopes applied.
- "Only Admins Policy" for anyone in group admin. Logic positive.
- Permission for each of the client scopes for "WeatherForecast" resource with "Only Admins Policy" selected, Decision Strategy: "Affirmative".
Current State of Nodejs Code:
...ANSWER
Answered 2022-Apr-11 at 18:17So my team finally figured it out - the resolution was a two part process:
- Followed the instructions on similar issue stackoverflow question answers such as : https://stackoverflow.com/a/51878212/5117487 Rough steps incase that link is ever broken somehow:
- Add hosts entry for 127.0.0.1 keycloak (if 'keycloak' is the name of your docker container for keycloak, I changed my docker-compose to specify container name to make it a little more fool-proof)
- Change keycloak-connect config authServerUrl setting to be: 'http://keycloak:8080/auth/' instead of 'http://localhost:8080/auth/'
- Postman OAuth 2.0 token request Auth URL and Access Token URL changed to use the now updated hosts entry:
- "http://localhost:8080/auth/realms/abra/protocol/openid-connect/auth" -> "http://keycloak:8080/auth/realms/abra/protocol/openid-connect/auth"
- "http://localhost:8080/auth/realms/abra/protocol/openid-connect/token" -> "http://keycloak:8080/auth/realms/abra/protocol/openid-connect/token"
QUESTION
I need to integrate keycloak with an existing application. Users log in with username and password. Unfortunately, the application supports case-sensitive usernames and must continue to do so.
When creating the Custom User Storage Provider, at the entry point public UserModel getUserByUsername(String username, RealmModel realm)
I get the username, but it has already been converted to a case insensitive String.
Here is an example which illustrates the situation.
username input received username users in database John Doe john doe john doe, John DoeI am aware that keycloak does not support case sensitive users, but for retrieving the users from the database I need to be able to distinguish the users. Is it possible to access the original input of the username?
...ANSWER
Answered 2022-Mar-24 at 07:18like you noticed correctly, usernames (and also email) are converted to lowercase in Keycloak. This behaviour is introduced by the UserCacheSession
-class. The only way i found to get around this is to disable user caching globally in the Keycloak instance. This can be done by setting the appropriate configuration values inside standalone.xml
, standalone-ha.xml
or domain.xml
(depending on your setup like described here).
The config block should be changed from
QUESTION
We are using keycloak as IDP and have some custom plugins/Spi, we are in process of updating our keycloak instance to version 17 Quarkas distribution and the SPIs began to break (error below) during keycloak build process. I've made sure that there are no keycloak libraries packed as part of jar.
The SPI looks like below and have corresponding entries in Manifest file under Manifest/services/org.keycloak.services.resource.RealmResourceProviderFactory
Custom SPI/plugin
...ANSWER
Answered 2022-Mar-23 at 09:03Remove @Path annotation from class.
QUESTION
I'm trying this for days right now and I'm not sure if i missed something.
I have a Quarkus GraphQL Service , like here : https://quarkus.io/guides/smallrye-graphql
And I have setup Keycloak to secure it.
Now I wanted to create a client with Qute and GraphQL Smallrye client like here : https://quarkus.io/guides/smallrye-graphql-client
The client can connect to the service, but I always get an "Data Fetching Error: io.quarkus.security.UnauthorizedException".
It seems like the GraphQL client is not sending the headers correctly or it doesn't send any ...
Does anyone know how I can tell the client to send the Authorization header from keycloak with every call?
PS: I tested it with a short react frontend and there it's working, so it seems to be an graphql client issue with the headers... Some ideas?
...ANSWER
Answered 2022-Mar-17 at 08:35Not sure if you're using a dynamic or typesafe client, so I'll describe both.
For both types, if you have a key that doesn't change during the life of the application, you can configure that by adding a configuration property like this:
quarkus.smallrye-graphql-client.CLIENT_NAME.header.HEADER_NAME=HEADER_VALUE
(see https://quarkus.io/guides/all-config#quarkus-smallrye-graphql-client_quarkus-smallrye-graphql-client-smallrye-graphql-client)
If the value can change over time, I would probably recommend using the programmatic builder instead of using a statically configured client, like this:
QUESTION
I have a JAX-RS application deployed in WildFly. The application's endpoints shall be protected by Keycloak with Access Type: bearer-only
. This works perfectly fine for WildFly versions up to 24.
Starting from WildFly 25 the Keycloak adapter is deprecated and one should migrate to the new Elytron subsystem. According to this WildFly issue https://issues.redhat.com/browse/WFLY-15485 however the OIDC adapter is not ready yet to work with bearer-only
. But it is mentioned that it should still be possible using the Keycloak Wildfly adapter.
Also the latest Keycloak documentation and this thread in Google Groups states this.
So I installed the adapter from this location and ran the installation script:
./bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml
When deploying the application I get thte following error message:
java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory
Setup
- WildFly 26 (Jakarta EE 8)
- Keycloak 16.1.1
web.xml
...ANSWER
Answered 2022-Feb-01 at 07:31I finally got it working without the Keycloak adapter, i.e. using the new built-in Elytron subsystem.
oidc.json (located in the WEB-INF
directory)
QUESTION
Using expo-keycloak-auth
https://www.npmjs.com/package/expo-keycloak-auth
I am trying to add the login to an existing screen. I am able to login successfully. I want the user to be able to click a button to navigate to the new screen. this is the code (almost identical to the example on github)
...ANSWER
Answered 2022-Mar-01 at 22:58You have to pass navigation from LoginScreen as prop to Auth component:
QUESTION
My Webapp is deployed in Wildfly 25.0.1.Final and is secured using OpenID Connect (OIDC). WildFly 25 enables you to secure deployments using OpenID Connect (OIDC) without installing a Keycloak client adapter.
It is configured like this:
web.xml
...ANSWER
Answered 2022-Feb-09 at 15:42This is a known issue and documented here: https://issues.redhat.com/browse/ELY-2284
If you upgrade to wildfly 26.0.1 it should be resolved.
QUESTION
I'm generating JWTs for a service for authentication and we're using Keycloak as the OAuth server.
I've set up a realm R, a client C, and a user U. I setup a protocol mapper to include "C" in the "aud". I generated the JWTtoken for U and when I check the payload, I see "aud": ["C", "account"]
. Which is great, I wanted C
to be present. But I do not want "account"
to be present in the "aud"
.
How do I configure this in keycloak? Similarly, the scope reads - "scope": "email profile test-client-rhs"
and I wish to remove "email profile"
from it. I've been googling around a lot and trying out different stuff in Keycloak but I can't get this to work somehow.
ANSWER
Answered 2022-Feb-07 at 22:59I generated the JWTtoken for U and when I check the payload, I see "aud": ["C", "account"]. Which is great, I wanted C to be present. But I do not want "account" to be present in the "aud".
Instead of an audience Mapper you can use a Hardcoded claim
Mapper with:
Token Claim Name
set toaud
Claim value
set toC
Add to access token
set toON
this mapper will override the original claim "aud": "account"
with "aud": "C"
Like so:
How do I configure this in keycloak? Similarly, the scope reads - "scope": "email profile test-client-rhs" and I wish to remove "email profile" from it.
For this you need to go to:
- The realm where the client is
- Go to clients and select the client
- Click on the tab "Client Scopes"
- Remove the scopes
email
andprofile
from"Assigned Default Client Scopes"
like so:
QUESTION
I'm trying to deploy a HA Keycloak cluster (2 nodes) on Kubernetes (GKE). So far the cluster nodes (pods) are failing to discover each other in all the cases as of what I deduced from the logs. Where the pods initiate and the service is up but they fail to see other nodes.
Components
- PostgreSQL DB deployment with a clusterIP service on the default port.
- Keycloak Deployment of 2 nodes with the needed ports container ports 8080, 8443, a relevant clusterIP, and a service of type LoadBalancer to expose the service to the internet
Logs Snippet:
...ANSWER
Answered 2022-Feb-05 at 13:58The way KUBE_PING works is similar to running kubectl get pods
inside one Keycloak pod to find the other Keycloak pods' IPs and then trying to connect to them one by one. Except Keycloak does that by querying the Kubernetes API directly instead of running kubectl
.
To do that, it needs credentials to query the API, basically an access token.
You can pass your token directly, if you have it, but its not very secure and not very convenient (you can check other options and behavior here).
Kubernetes have a very convenient way to inject a token to be used by a pod (or a software running inside that pod) to query the API. Check the documentation for a deeper look.
The mechanism is to create a service account, give it permissions to call the API using a RoleBinding and set that account in the pod configuration.
That works by mounting the token as a file at a known location, hardcoded and expected by all Kubernetes clients. When the client wants to call the API it looks for a token at that location.
Although not very convenient, you may be in the even more inconvenient situation of lacking permissions to create RoleBindings (somewhat common in more strict environments).
You can then ask an admin to create the service account and RoleBinding for you or just (very unsecurely) pass you own user's token (if you are capable of doing a kubectl get pod
on Keycloak's namespace you have the permissions) via SA_TOKEN_FILE
environment variable.
Create the file using a secret or configmap, mount it to the pod and set SA_TOKEN_FILE
to that file location. Note that this method is specific to Keycloak.
If you do have permissions to create service accounts and RoleBindings in the cluster:
An example (not tested):
QUESTION
We are using keycloak to handle authentication (client/secret) in our API Gateway.
The Kong api service uses konnect-managed-plugin to refer to keycloak to authenicate client credentials and return a bearer token.
Future calls to other endpoints use oauth2-introspection to verify the bearer token via keycloak introspection
I almost have this working however, when I authenticate via Kong api gateway, it returns a bearer token, but this token fails introspection.
If I auth straight to keycloak, the bearer token works for introspection.
eg
Token from: http://kongapigateway.domain/getOAuthToken
- NOTE: We have not yet set up ssl on the kong api gateway
Returns:
...ANSWER
Answered 2022-Jan-27 at 22:33You can fix this by setting Keycloak's frontend URL to your public URL. For details please refer to my answer to another but similar question.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install keycloak
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page