keycloak | keycloak , spring security , sso | Identity Management library

I need to integrate keycloak with an existing application. Users log in with username and password. Unfortunately, the application supports case-sensitive usernames and must continue to do so.

When creating the Custom User Storage Provider, at the entry point public UserModel getUserByUsername(String username, RealmModel realm) I get the username, but it has already been converted to a case insensitive String.

Here is an example which illustrates the situation.

I am aware that keycloak does not support case sensitive users, but for retrieving the users from the database I need to be able to distinguish the users. Is it possible to access the original input of the username?

We are using keycloak as IDP and have some custom plugins/Spi, we are in process of updating our keycloak instance to version 17 Quarkas distribution and the SPIs began to break (error below) during keycloak build process. I've made sure that there are no keycloak libraries packed as part of jar.

The SPI looks like below and have corresponding entries in Manifest file under Manifest/services/org.keycloak.services.resource.RealmResourceProviderFactory

Custom SPI/plugin

I'm trying this for days right now and I'm not sure if i missed something.

I have a Quarkus GraphQL Service , like here : https://quarkus.io/guides/smallrye-graphql

And I have setup Keycloak to secure it.

Now I wanted to create a client with Qute and GraphQL Smallrye client like here : https://quarkus.io/guides/smallrye-graphql-client

The client can connect to the service, but I always get an "Data Fetching Error: io.quarkus.security.UnauthorizedException".

It seems like the GraphQL client is not sending the headers correctly or it doesn't send any ...

Does anyone know how I can tell the client to send the Authorization header from keycloak with every call?

PS: I tested it with a short react frontend and there it's working, so it seems to be an graphql client issue with the headers... Some ideas?

I have a JAX-RS application deployed in WildFly. The application's endpoints shall be protected by Keycloak with Access Type: bearer-only. This works perfectly fine for WildFly versions up to 24.

Starting from WildFly 25 the Keycloak adapter is deprecated and one should migrate to the new Elytron subsystem. According to this WildFly issue https://issues.redhat.com/browse/WFLY-15485 however the OIDC adapter is not ready yet to work with bearer-only. But it is mentioned that it should still be possible using the Keycloak Wildfly adapter.

Also the latest Keycloak documentation and this thread in Google Groups states this.

So I installed the adapter from this location and ran the installation script:

https://github.com/keycloak/keycloak/releases/download/16.1.1/keycloak-oidc-wildfly-adapter-16.1.1.zip

./bin/jboss-cli.sh --file=bin/adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml

When deploying the application I get thte following error message:

java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory

Setup

• WildFly 26 (Jakarta EE 8)
• Keycloak 16.1.1

web.xml

Using expo-keycloak-auth

https://www.npmjs.com/package/expo-keycloak-auth

I am trying to add the login to an existing screen. I am able to login successfully. I want the user to be able to click a button to navigate to the new screen. this is the code (almost identical to the example on github)

My Webapp is deployed in Wildfly 25.0.1.Final and is secured using OpenID Connect (OIDC). WildFly 25 enables you to secure deployments using OpenID Connect (OIDC) without installing a Keycloak client adapter.

It is configured like this:

web.xml

I'm generating JWTs for a service for authentication and we're using Keycloak as the OAuth server.

I've set up a realm R, a client C, and a user U. I setup a protocol mapper to include "C" in the "aud". I generated the JWTtoken for U and when I check the payload, I see "aud": ["C", "account"]. Which is great, I wanted C to be present. But I do not want "account" to be present in the "aud".

How do I configure this in keycloak? Similarly, the scope reads - "scope": "email profile test-client-rhs" and I wish to remove "email profile" from it. I've been googling around a lot and trying out different stuff in Keycloak but I can't get this to work somehow.

I'm trying to deploy a HA Keycloak cluster (2 nodes) on Kubernetes (GKE). So far the cluster nodes (pods) are failing to discover each other in all the cases as of what I deduced from the logs. Where the pods initiate and the service is up but they fail to see other nodes.

Components

• PostgreSQL DB deployment with a clusterIP service on the default port.
• Keycloak Deployment of 2 nodes with the needed ports container ports 8080, 8443, a relevant clusterIP, and a service of type LoadBalancer to expose the service to the internet

Logs Snippet:

We are using keycloak to handle authentication (client/secret) in our API Gateway.

The Kong api service uses konnect-managed-plugin to refer to keycloak to authenicate client credentials and return a bearer token.

Future calls to other endpoints use oauth2-introspection to verify the bearer token via keycloak introspection

I almost have this working however, when I authenticate via Kong api gateway, it returns a bearer token, but this token fails introspection.

If I auth straight to keycloak, the bearer token works for introspection.

eg

Token from: http://kongapigateway.domain/getOAuthToken

• NOTE: We have not yet set up ssl on the kong api gateway

Returns: