keycloak | Open Source Identity and Access Management | Identity Management library

 by   keycloak Java Version: nightly License: Apache-2.0

kandi X-RAY | keycloak Summary

kandi X-RAY | keycloak Summary

keycloak is a Java library typically used in Security, Identity Management applications. keycloak has build file available, it has a Permissive License and it has high support. However keycloak has 1314 bugs and it has 67 vulnerabilities. You can download it from GitHub, Maven.

Keycloak is an Open Source Identity and Access Management solution for modern Applications and Services. This repository contains the source code for the Keycloak Server, Java adapters and the JavaScript adapter.

            kandi-support Support

              keycloak has a highly active ecosystem.
              It has 16420 star(s) with 5475 fork(s). There are 361 watchers for this library.
              It had no major release in the last 12 months.
              There are 1631 open issues and 4807 have been closed. On average issues are closed in 76 days. There are 236 open pull requests and 0 closed requests.
              It has a negative sentiment in the developer community.
              The latest version of keycloak is nightly

            kandi-Quality Quality

              keycloak has 1314 bugs (38 blocker, 11 critical, 775 major, 490 minor) and 18891 code smells.

            kandi-Security Security

              keycloak has 12 vulnerability issues reported (1 critical, 4 high, 7 medium, 0 low).
              keycloak code analysis shows 55 unresolved vulnerabilities (34 blocker, 12 critical, 9 major, 0 minor).
              There are 177 security hotspots that need review.

            kandi-License License

              keycloak is licensed under the Apache-2.0 License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              keycloak releases are available to install and integrate.
              Deployable package is available in Maven.
              Build file is available. You can build the component from source.
              Installation instructions, examples and code snippets are available.
              keycloak saves you 1267880 person hours of effort in developing the same functionality from scratch.
              It has 563706 lines of code, 45885 functions and 6982 files.
              It has medium code complexity. Code complexity directly impacts maintainability of the code.

            Top functions reviewed by kandi - BETA

            kandi has reviewed keycloak and discovered the below as its top functions. This is intended to give you an instant insight into keycloak implemented functionality, and help decide if they suit your requirements.
            • Associates the first broker login flow with the given realm .
            • Initialize the topology
            • Given an IPv6 address and an IPv6 address return the canonical form of it .
            • Updates the realm .
            • Create a client object from an OIDC client .
            • Creates a wrapper for the policy store .
            • Verify OCSP response certificate .
            • Handle an action token .
            • Read a message .
            • Handle login response .
            Get all kandi verified functions for this library.

            keycloak Key Features

            No Key Features are available at this moment for keycloak.

            keycloak Examples and Code Snippets

            The keycloak config resolver bean .
            javadot img1Lines of Code : 4dot img1License : Permissive (MIT License)
            copy iconCopy
                public KeycloakConfigResolver configResolver() {
                    return new KeycloakSpringBootConfigResolver();
            Problem in log out user using Keycloack in React js app
            JavaScriptdot img2Lines of Code : 52dot img2License : Strong Copyleft (CC BY-SA 4.0)
            copy iconCopy
            import React, { createContext, useState, useEffect } from 'react'
            // KEYCLOACK
            import Keycloak from 'keycloak-js'
            const KeycloackContext = createContext()
            const KeycloackContextProvider = (props) => {
                const [ keycloackValue, setK
            Gatsby build fails with keycloak (@react-keycloak/web)
            JavaScriptdot img3Lines of Code : 30dot img3License : Strong Copyleft (CC BY-SA 4.0)
            copy iconCopy
            const React = require('react')
            const Keycloak = require('keycloak-js')
            const Keycloak = loadable(() => require('keycloak-js'))
            const {ReactKeycloakProvider} = loadable(() => require('@react-keycloak/web'))
            const kc = Keycloak({
            Gatsby build fails with keycloak (@react-keycloak/web)
            JavaScriptdot img4Lines of Code : 43dot img4License : Strong Copyleft (CC BY-SA 4.0)
            copy iconCopy
            const React = require('react')
            const { ReactKeycloakProvider } = require('@react-keycloak/web')
            function wrapRootElement ({ element }) {
              return (
            exports.wrapRootElement = wrapRootElement
            Keycloak &amp; React Router routing for Public/Login &amp; Authenticated &amp; Role based routes
            JavaScriptdot img5Lines of Code : 84dot img5License : Strong Copyleft (CC BY-SA 4.0)
            copy iconCopy
            npm install --save keycloak-js
            npm install --save @react-keycloak/web
            import Keycloak from 'keycloak-js'
            const keycloakConfig = {
              url: 'http://localhost:8080/auth', 
              realm: 'Demo', 
              clientId: 'react-app'
            Webpack Imported Module is not a Constructor in VueJS when Importing Keycloak
            JavaScriptdot img6Lines of Code : 3dot img6License : Strong Copyleft (CC BY-SA 4.0)
            copy iconCopy
            npm uninstall keycloak-js
            npm i keycloak-js@6.0.1
            Upgrade to Angular 4 broke implementation of external JS dependency
            JavaScriptdot img7Lines of Code : 4dot img7License : Strong Copyleft (CC BY-SA 4.0)
            copy iconCopy
            npm install --save keycloak-js @types/keycloak-js
            import 'keycloak-js' // <- use the keycloak foldername in ./node_modules folder

            Community Discussions


            Confidential Rest-Api w/ Permissions - Always 403s - What Am I Doing Wrong?
            Asked 2022-Apr-11 at 18:17

            I've tried for many hours now and seem to have hit a wall. Any advice/help would be appreciated.

            Goal: I want to authorize the express rest-api (ex client-id: "my-rest-api") routes (example resource: "WeatherForecast") across various HTTP methods mapped to client scopes (examples: "create"/"read"/"update"/"delete"). I want to control those permissions through policies (For example - "Read - WeatherForecast - Permission" will be granted if policy "Admin Group Only" (user belongs to admin group) is satisfied.

            Rest-api will not log users in (will be done from front end talking directly to keycloak and then they will use that token to talk with rest-api).


            What Happens: I can login from keycloak login page through postman and get an access token. However when I hit any endpoint that uses keycloak.protect() or keycloak.enforce() (with or without specifying resource permissions) I can't get through. In the following code the delete endpoint returns back 200 + the HTML of the keycloak login page in postman and the Get returns back 403 + "Access Denied".

            Current State of Realm

            • Test User (who I login with in Postman) has group "Admin".
            • Client "my-rest-api" with access-type: Confidential with Authorization enabled.
            • Authorization set up:
              • Policy Enforcement Mode: Enforcing, Decision Strategy: Unanimous
              • "WeatherForecast" resource with uri "/api/WeatherForecast" and create/read/update/delete client scopes applied.
              • "Only Admins Policy" for anyone in group admin. Logic positive.
              • Permission for each of the client scopes for "WeatherForecast" resource with "Only Admins Policy" selected, Decision Strategy: "Affirmative".

            Current State of Nodejs Code:



            Answered 2022-Apr-11 at 18:17

            So my team finally figured it out - the resolution was a two part process:

            1. Followed the instructions on similar issue stackoverflow question answers such as : Rough steps incase that link is ever broken somehow:
            • Add hosts entry for keycloak (if 'keycloak' is the name of your docker container for keycloak, I changed my docker-compose to specify container name to make it a little more fool-proof)
            • Change keycloak-connect config authServerUrl setting to be: 'http://keycloak:8080/auth/' instead of 'http://localhost:8080/auth/'
            1. Postman OAuth 2.0 token request Auth URL and Access Token URL changed to use the now updated hosts entry:
            • "http://localhost:8080/auth/realms/abra/protocol/openid-connect/auth" -> "http://keycloak:8080/auth/realms/abra/protocol/openid-connect/auth"
            • "http://localhost:8080/auth/realms/abra/protocol/openid-connect/token" -> "http://keycloak:8080/auth/realms/abra/protocol/openid-connect/token"



            How to access the original case sensitive username input in custom user storage provider of keycloak?
            Asked 2022-Mar-24 at 07:18

            I need to integrate keycloak with an existing application. Users log in with username and password. Unfortunately, the application supports case-sensitive usernames and must continue to do so.

            When creating the Custom User Storage Provider, at the entry point public UserModel getUserByUsername(String username, RealmModel realm) I get the username, but it has already been converted to a case insensitive String.

            Here is an example which illustrates the situation.

            username input received username users in database John Doe john doe john doe, John Doe

            I am aware that keycloak does not support case sensitive users, but for retrieving the users from the database I need to be able to distinguish the users. Is it possible to access the original input of the username?



            Answered 2022-Mar-24 at 07:18

            like you noticed correctly, usernames (and also email) are converted to lowercase in Keycloak. This behaviour is introduced by the UserCacheSession-class. The only way i found to get around this is to disable user caching globally in the Keycloak instance. This can be done by setting the appropriate configuration values inside standalone.xml, standalone-ha.xml or domain.xml (depending on your setup like described here).

            The config block should be changed from



            Keycloak 17: Unsatisfied dependency for type org.keycloak.models.KeycloakSession and qualifiers [@Default]
            Asked 2022-Mar-23 at 09:03

            We are using keycloak as IDP and have some custom plugins/Spi, we are in process of updating our keycloak instance to version 17 Quarkas distribution and the SPIs began to break (error below) during keycloak build process. I've made sure that there are no keycloak libraries packed as part of jar.

            The SPI looks like below and have corresponding entries in Manifest file under Manifest/services/

            Custom SPI/plugin



            Answered 2022-Mar-23 at 09:03

            Remove @Path annotation from class.



            Quarkus GraphQL Client with Keycloak
            Asked 2022-Mar-18 at 10:34

            I'm trying this for days right now and I'm not sure if i missed something.

            I have a Quarkus GraphQL Service , like here :

            And I have setup Keycloak to secure it.

            Now I wanted to create a client with Qute and GraphQL Smallrye client like here :

            The client can connect to the service, but I always get an "Data Fetching Error:".

            It seems like the GraphQL client is not sending the headers correctly or it doesn't send any ...

            Does anyone know how I can tell the client to send the Authorization header from keycloak with every call?

            PS: I tested it with a short react frontend and there it's working, so it seems to be an graphql client issue with the headers... Some ideas?



            Answered 2022-Mar-17 at 08:35

            Not sure if you're using a dynamic or typesafe client, so I'll describe both.

            For both types, if you have a key that doesn't change during the life of the application, you can configure that by adding a configuration property like this: quarkus.smallrye-graphql-client.CLIENT_NAME.header.HEADER_NAME=HEADER_VALUE (see

            If the value can change over time, I would probably recommend using the programmatic builder instead of using a statically configured client, like this:



            Using Keycloak adapter with Wildfly 26 does not provide "KEYCLOAK" as mechanism
            Asked 2022-Mar-16 at 19:01

            I have a JAX-RS application deployed in WildFly. The application's endpoints shall be protected by Keycloak with Access Type: bearer-only. This works perfectly fine for WildFly versions up to 24.

            Starting from WildFly 25 the Keycloak adapter is deprecated and one should migrate to the new Elytron subsystem. According to this WildFly issue however the OIDC adapter is not ready yet to work with bearer-only. But it is mentioned that it should still be possible using the Keycloak Wildfly adapter.

            Also the latest Keycloak documentation and this thread in Google Groups states this.

            So I installed the adapter from this location and ran the installation script:


            ./bin/ --file=bin/adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml

            When deploying the application I get thte following error message:

            java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory


            • WildFly 26 (Jakarta EE 8)
            • Keycloak 16.1.1




            Answered 2022-Feb-01 at 07:31

            I finally got it working without the Keycloak adapter, i.e. using the new built-in Elytron subsystem.

            oidc.json (located in the WEB-INF directory)



            React navigate after login with keycloak
            Asked 2022-Mar-01 at 22:58

            Using expo-keycloak-auth


            I am trying to add the login to an existing screen. I am able to login successfully. I want the user to be able to click a button to navigate to the new screen. this is the code (almost identical to the example on github)



            Answered 2022-Mar-01 at 22:58

            You have to pass navigation from LoginScreen as prop to Auth component:



            Secure WebApp in Wildfly 25 using OpenID Connect (OIDC) without installing a Keycloak client adapter
            Asked 2022-Feb-09 at 15:42

            My Webapp is deployed in Wildfly 25.0.1.Final and is secured using OpenID Connect (OIDC). WildFly 25 enables you to secure deployments using OpenID Connect (OIDC) without installing a Keycloak client adapter.

            It is configured like this:




            Answered 2022-Feb-09 at 15:42

            This is a known issue and documented here:

            If you upgrade to wildfly 26.0.1 it should be resolved.



            How to modify existing claims in JWT from Keycloak for OIDC flow?
            Asked 2022-Feb-07 at 23:01

            I'm generating JWTs for a service for authentication and we're using Keycloak as the OAuth server.

            I've set up a realm R, a client C, and a user U. I setup a protocol mapper to include "C" in the "aud". I generated the JWTtoken for U and when I check the payload, I see "aud": ["C", "account"]. Which is great, I wanted C to be present. But I do not want "account" to be present in the "aud".

            How do I configure this in keycloak? Similarly, the scope reads - "scope": "email profile test-client-rhs" and I wish to remove "email profile" from it. I've been googling around a lot and trying out different stuff in Keycloak but I can't get this to work somehow.



            Answered 2022-Feb-07 at 22:59

            I generated the JWTtoken for U and when I check the payload, I see "aud": ["C", "account"]. Which is great, I wanted C to be present. But I do not want "account" to be present in the "aud".

            Instead of an audience Mapper you can use a Hardcoded claim Mapper with:

            • Token Claim Name set to aud
            • Claim value set to C
            • Add to access token set to ON

            this mapper will override the original claim "aud": "account" with "aud": "C"

            Like so:

            How do I configure this in keycloak? Similarly, the scope reads - "scope": "email profile test-client-rhs" and I wish to remove "email profile" from it.

            For this you need to go to:

            • The realm where the client is
            • Go to clients and select the client
            • Click on the tab "Client Scopes"
            • Remove the scopes email and profile from "Assigned Default Client Scopes"

            like so:



            Deploying a Keycloak HA cluster to kubernetes | Pods are not discovering each other
            Asked 2022-Feb-05 at 13:58

            I'm trying to deploy a HA Keycloak cluster (2 nodes) on Kubernetes (GKE). So far the cluster nodes (pods) are failing to discover each other in all the cases as of what I deduced from the logs. Where the pods initiate and the service is up but they fail to see other nodes.


            • PostgreSQL DB deployment with a clusterIP service on the default port.
            • Keycloak Deployment of 2 nodes with the needed ports container ports 8080, 8443, a relevant clusterIP, and a service of type LoadBalancer to expose the service to the internet

            Logs Snippet:



            Answered 2022-Feb-05 at 13:58

            The way KUBE_PING works is similar to running kubectl get pods inside one Keycloak pod to find the other Keycloak pods' IPs and then trying to connect to them one by one. Except Keycloak does that by querying the Kubernetes API directly instead of running kubectl.

            To do that, it needs credentials to query the API, basically an access token.

            You can pass your token directly, if you have it, but its not very secure and not very convenient (you can check other options and behavior here).

            Kubernetes have a very convenient way to inject a token to be used by a pod (or a software running inside that pod) to query the API. Check the documentation for a deeper look.

            The mechanism is to create a service account, give it permissions to call the API using a RoleBinding and set that account in the pod configuration.

            That works by mounting the token as a file at a known location, hardcoded and expected by all Kubernetes clients. When the client wants to call the API it looks for a token at that location.

            Although not very convenient, you may be in the even more inconvenient situation of lacking permissions to create RoleBindings (somewhat common in more strict environments).

            You can then ask an admin to create the service account and RoleBinding for you or just (very unsecurely) pass you own user's token (if you are capable of doing a kubectl get pod on Keycloak's namespace you have the permissions) via SA_TOKEN_FILE environment variable.

            Create the file using a secret or configmap, mount it to the pod and set SA_TOKEN_FILE to that file location. Note that this method is specific to Keycloak.

            If you do have permissions to create service accounts and RoleBindings in the cluster:

            An example (not tested):



            keycloak + Kong API Gateway
            Asked 2022-Jan-27 at 22:33

            We are using keycloak to handle authentication (client/secret) in our API Gateway.

            The Kong api service uses konnect-managed-plugin to refer to keycloak to authenicate client credentials and return a bearer token.

            Future calls to other endpoints use oauth2-introspection to verify the bearer token via keycloak introspection

            I almost have this working however, when I authenticate via Kong api gateway, it returns a bearer token, but this token fails introspection.

            If I auth straight to keycloak, the bearer token works for introspection.


            Token from: http://kongapigateway.domain/getOAuthToken

            • NOTE: We have not yet set up ssl on the kong api gateway




            Answered 2022-Jan-27 at 22:33

            You can fix this by setting Keycloak's frontend URL to your public URL. For details please refer to my answer to another but similar question.


            Community Discussions, Code Snippets contain sources that include Stack Exchange Network


            No vulnerabilities reported

            Install keycloak

            To run Keycloak download the distribution from our website. Unzip and run:.


            DocumentationUser Mailing List - Mailing list for help and general questions about Keycloak
            Find more information at:

            Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items

            Find more libraries
          • HTTPS


          • CLI

            gh repo clone keycloak/keycloak

          • sshUrl


          • Stay Updated

            Subscribe to our newsletter for trending solutions and developer bootcamps

            Agree to Sign up and Terms & Conditions

            Share this Page

            share link

            Explore Related Topics

            Consider Popular Identity Management Libraries


            by hashicorp


            by derailed


            by keepassxreboot


            by keycloak


            by uuidjs

            Try Top Libraries by keycloak


            by keycloakJava


            by keycloakShell


            by keycloakTypeScript


            by keycloakJavaScript


            by keycloakHTML