If you mark the password as temporary a user action to update password is marked as required. And until the password has been updated/set by the user i.e. this action has been completed, you won’t be able to get an access token using this user since the account is not “fully setup” and is in … Read more
It is possible to configure a different lifespan for access tokens on a per client basis. In Keycloak admin console go to a client settings page and expand the “Advanced Settings” section. This screenshot is taken from Keycloak 4.8.1.Final. EDIT: Be aware that is override is applied to Authorization Code Flow only. The access token … Read more
The standalone Keycloak server runs on the top of a JBoss Wildfly instance and this server doesn’t allow accessing it externally by default, for security reasons (it should be only for the administration console, but seems to affect every url in case of Keycloak). It has to be booted with the -b=0.0.0.0 option to enable … Read more
In KeyCloak we have those 3 roles: Realm Role Client Role Composite Role There are no User Roles in KeyCloak. You most likely confused that with User Role Mapping, which is basically mapping a role (realm, client, or composite) to the specific user In order to find out how these roles actually work, let’s first … Read more
With recent keycloak version 4.6.0 the client id is apparently no longer automatically added to the audience field ‘aud’ of the access token. Therefore even though the login succeeds the client rejects the user. To fix this you need to configure the audience for your clients (compare doc [2]). Configure audience in Keycloak Add realm … Read more
Bearer-only access type meaning Bearer-only access type means that the application only allows bearer token requests. If this is turned on, this application cannot participate in browser logins. So if you select your client as bearer-only then in that case keycloak adapter will not attempt to authenticate users, but only verify bearer tokens. That why … Read more
Finally, I’ve found the solution by looking at the Keycloak’s source code: https://github.com/keycloak/keycloak/blob/9cbc335b68718443704854b1e758f8335b06c242/services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java#L169. It says: If the client is a public client, then you must include a “client_id” form parameter. So what I was missing is the client_id form parameter. My request should have been: POST http://localhost:8080/auth/realms/<my_realm>/protocol/openid-connect/logout Authorization: Bearer <access_token> Content-Type: application/x-www-form-urlencoded client_id=<my_client_id>&refresh_token=<refresh_token> The session … Read more
Your client need to have the access-type set to confidential , then you will have a new tab credentials where you will see the client secret. https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/clients/oidc/confidential.html
What worked for me was adding wildchar ‘*’. Although for production builds, I am going to be more specific with the value of this field. But for dev purposes you can do this. Setting available under, keycloak admin console -> Realm_Name -> Cients -> Client_Name. EDIT: DO NOT DO THIS IN PRODUCTION. Doing so creates … Read more
For Keycloak 1.2 the above information can be retrieved via the url http://keycloakhost:keycloakport/auth/realms/{realm}/.well-known/openid-configuration For example, if the realm name is demo: http://keycloakhost:keycloakport/auth/realms/demo/.well-known/openid-configuration An example output from above url: { “issuer”: “http://localhost:8080/auth/realms/demo”, “authorization_endpoint”: “http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth”, “token_endpoint”: “http://localhost:8080/auth/realms/demo/protocol/openid-connect/token”, “userinfo_endpoint”: “http://localhost:8080/auth/realms/demo/protocol/openid-connect/userinfo”, “end_session_endpoint”: “http://localhost:8080/auth/realms/demo/protocol/openid-connect/logout”, “jwks_uri”: “http://localhost:8080/auth/realms/demo/protocol/openid-connect/certs”, “grant_types_supported”: [ “authorization_code”, “refresh_token”, “password” ], “response_types_supported”: [ “code” ], “subject_types_supported”: [ “public” ], … Read more