Spring Boot 2.6 regression: How can I fix Keycloak circular dependency in adapter?

Allowing the circular dependencies might not be the best option. One thing that you can do is to create a specific configuration class for your KeycloakConfigResolver bean:

    package com.stackoverflow;

    import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    // Separate @Configuration class, so the resolver bean is not created inside
    // the security configuration that itself depends on it.
    @Configuration
    public class KeycloakConfiguration {

        @Bean
        public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
            return new KeycloakSpringBootConfigResolver();
        }
    }

Keycloak-gatekeeper: ‘aud’ claim and ‘client_id’ do not match

With recent Keycloak version 4.6.0, the client id is apparently no longer automatically added to the audience field ‘aud’ of the access token. Therefore, even though the login succeeds, the client rejects the user. To fix this you need to configure the audience for your clients (compare doc [2]). Configure audience in Keycloak: Add realm …

Issuing “API keys” using Keycloak

I finally found a solution that works well and seems to be “the Keycloak way” to issue credentials to external applications. To create a new set of credentials, add a new Keycloak client and change the following settings:

    Standard Flow Enabled: OFF
    Direct Access Grants Enabled: OFF
    Access Type: Confidential
    Service Accounts Enabled: ON

The …

Using Keycloak behind a reverse proxy: Could not open Admin login page because of mixed content

This sounds somehow like a duplicate of “Keycloak Docker behind loadbalancer with https fails”. Set the request headers X-Forwarded-For and X-Forwarded-Proto in nginx. Then you have to configure Keycloak (WildFly, Undertow) to work together with the SSL-terminating reverse proxy (aka load balancer). See http://www.keycloak.org/docs/latest/server_installation/index.html#_setting-up-a-load-balancer-or-proxy for a detailed description. The point is that nginx is …

Keycloak retrieve custom attributes to KeycloakPrincipal

To add custom attributes you need to do three things:

    1. Add attributes in the admin console
    2. Add a claim mapping
    3. Access the claims

The first one is explained pretty well here: https://www.keycloak.org/docs/latest/server_admin/index.html#user-attributes

Add claim mapping:

    Open the admin console of your realm.
    Go to Clients and open your client. This only works for Settings > Access Type confidential …

Login to Keycloak using API

You are effectively asking your users to trust that Application1 will manage their Keycloak credentials securely. This is not recommended, because better security is achieved if the user is redirected to Keycloak to enter their credentials. In an ideal world no client application should be handling or have access to user credentials. It defeats the …

Keycloak integration in Swagger

Swagger-ui can integrate with Keycloak using the implicit authentication mode. You can set up oauth2 on swagger-ui so that it will ask you to authenticate instead of giving swagger-ui the access token directly. First, your swagger needs to reference a security definition like:

    "securityDefinitions": {
      "oauth2": {
        "type": "oauth2",
        "authorizationUrl": "http://172.17.0.2:8080/auth/realms/master/protocol/openid-connect/auth",
        "flow": "implicit",
        "scopes": {
          "openid": "openid",
          "profile": "profile"
        } …

keycloak bearer-only clients: why do they exist?

Bearer-only access type meaning: Bearer-only access type means that the application only allows bearer token requests. If this is turned on, this application cannot participate in browser logins. So if you select your client as bearer-only, then the Keycloak adapter will not attempt to authenticate users, but only verify bearer tokens. That's why …

Logout user via Keycloak REST API doesn’t work

Finally, I’ve found the solution by looking at Keycloak’s source code: https://github.com/keycloak/keycloak/blob/9cbc335b68718443704854b1e758f8335b06c242/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java#L169. It says: if the client is a public client, then you must include a “client_id” form parameter. So what I was missing is the client_id form parameter. My request should have been:

    POST http://localhost:8080/auth/realms/<my_realm>/protocol/openid-connect/logout
    Authorization: Bearer <access_token>
    Content-Type: application/x-www-form-urlencoded

    client_id=<my_client_id>&refresh_token=<refresh_token>

The session …