Questions tagged [keycloak]
Integrated Single Sign On (SSO) and Identity Manager (IDM) for browser apps and RESTful web services. Built on top of JBoss / Wildfly and complies with OAuth 2.0, Open ID Connect, JSON Web Token (JWT) and SAML 2.0 specifications.
47
questions
6
votes
2
answers
16k
views
KEYCLOAK + MYSQL + DOCKER --> Failed to start
I am trying to start a Keycloak instance which uses a custom mysql database instead of the embedded H2.
Since I am planning to use docker, I created a network for Keycloak docker to communicate with ...
3
votes
0
answers
1k
views
Keycloak login error destination_invalid
I'm currently trying to set up keycloak to provide single sign on to a nextcloud and gitlab instance. All three services are running inside a docker compose network with an nginx server as proxy to ...
2
votes
2
answers
41k
views
How to get the client-id and client-secret from keycloak?
For a web application I need the client-id and client-secret from Keycloak. How can I access these in the web interface?
2
votes
1
answer
182
views
Invalid keycloak URL error when installing alfresco-dbp with helm in Kubernetes on AWS
I'm currently trying to deploy Alfresco Content Services on AWS following this guide. I got as far as to "Creating File Storage for Alfresco Content Services Community" where I have to create an EFS ...
2
votes
1
answer
1k
views
Logging username in KeyCloak access-log
In KeyCloak 15.0 (that is WildFly 23.0), I’m trying to configure access-log to also include username (or any ID of the user) when a user is logged in. In keycloak/standalone/configuration/standalone....
2
votes
2
answers
3k
views
How can I resolve "SAML Providers must reference at least one SAML assertion issuer" message?
I want to setup a SSO solution using Keycloak 10.0.2 as the Identity Provider. The first application I want to setup is AWS.
I followed this tutorial to enable Keycloak to sign me in using SAML. I ...
2
votes
1
answer
3k
views
Howto traefik->keycloak gatekeeper->service?
My question is:
Specifically, how do I configure traefik to double proxy through keycloak gatekeeper to authenticate my services as outlined below?
I know my authentication chain looks like the ...
2
votes
0
answers
559
views
Can't get Keycloak to add new users/groups to OpenLDAP
I've been banging my head against the wall for two days on this one now.
I have setup fresh Keycloak and OpenLDAP instances, and I want to use OpenLDAP as the source of truth for all user data. I want ...
2
votes
0
answers
444
views
Keycloak takes a long time to wake up if unused during a day or more
I installed Keycloak with a docker compose, behind an NGINX reverse proxy. Keycloak is only installed now for testing.
When I stop using it for a day or more, next time I have a "Request Time-out" ...
1
vote
1
answer
710
views
Keycloak w/ EKS + ALB (401 after auth)
I’m currently trying to get Keycloak to run in EKS behind ALB and for the life of me, I can’t get it to work. I get the redirect to a login screen and after I log in - I instantly get presented with ...
1
vote
0
answers
1k
views
SSO not working between a browser and a Keycloak using a user federation with kerberos integration to a windows AD
I am trying to get SSO working using a browser (Chrome or firefox) and keycloak configured with a user federation AD Domain (kerberos is configured).
First I present the overview of what I have and ...
1
vote
1
answer
1k
views
HAProxy deny HTTP request on path_beg not matching
I have a HAProxy node in front of a Keycloak node. I want to only expose the API needed to serve the users (not the Admin panel). I have the following on my haproxy.cfg
frontend block
frontend haproxy-...
1
vote
0
answers
1k
views
Wrong redirect_uri on keycloak
I am trying to use keycloak to authenticate my service that are provided in a tomcat 8 docker by following https://github.com/keycloak/keycloak-documentation/blob/main/securing_apps/topics/oidc/java/...
1
vote
0
answers
779
views
Keycloak: Difference between Authentication sessions and User Sessions
I was going through the documentation
https://www.keycloak.org/docs/latest/server_installation/#cache
Here they have described different types of caches.
I didn't quite understand the definitions they ...
1
vote
0
answers
335
views
Indirect Group Membership with Keycloak and oauth2-proxy
I'm using oauth2-proxy/oauth2-proxy with Keycloak-oidc provider for authentication for some pods in my Kubernetes cluster.
I can specify which groups are allowed to access a resource using the --...
1
vote
0
answers
277
views
JBoss: How does <stacks> in the standalone-ha.xml work?
This file contains the usual Keycloak server configuration with the addition of WildFly10 High Availability extensions like Infinispan HA cache and JGroups HA communication channels and their ...
1
vote
1
answer
2k
views
Keycloak install with helm on GKE with Cloud SQL (external) database
I'm trying to install keycloak on GKE cluster in GCP with external database, i.e. CloudSQL postgres db.
I want to use helm to install it, so:
helm repo add bitnami https://charts.bitnami.com/bitnami
...
1
vote
1
answer
224
views
graviteeio - management-rest-api oauth role mappings
Gravitee manager can be configured with keycloak authentication as described here.
They state in their documentation, that role mapping could be addressed on their gravitee.yml configuration:
security:...
1
vote
1
answer
1k
views
Unable to add users from Keycloak on FreeIPA via LDAP although Keycloak host has permissions set in FreeIPA
I have the following setup:
FreeIPA 4.8.7 via docker (freeipa/freeipa-server:centos-8)
Keycloak 12.0.1
The FreeIPA users are in cn=users,cn=accounts,dc=freeipa,dc=example,dc=com
Keycloak DN: ...
0
votes
1
answer
605
views
How to map internal OIDC group to external K8s cluster roles
I have successfully connected my K8s cluster + dashboard to my Keycloak server, now I have asked myself the question:
I have followed these instructions here.
Furthermore I also made the appropriate ...
0
votes
2
answers
569
views
Client that can manage users in Keycloak 23+
I need to authorize my application (named "Logic" from now on) to manage users of a Keycloak realm. "Logic" already authenticates itself against that realm with a client ...
0
votes
2
answers
495
views
fail2ban on host for rootless podman keycloak container
running on Rocky Linux 9.2 with podman 4.4.1.
I got a podman Pod with keycloak + postgresql inside, running rootless. The pod itself with --network 'slirp4netns:port_handler=slirp4netns'. The keycloak ...
0
votes
1
answer
461
views
Keycloak Docker fails to start due to "Negative Delay." Error
Running a keycloak container (21.0 - 21.1.1) on a Debian 11 Bullseye recently stopped working after host restart (MariaDB didn't start up, leading to keycloak also exiting. When the issue was noticed ...
0
votes
1
answer
117
views
Why does embedding KeyCloak into a another stack using requirements.yaml fail?
I ran into a really weird issue when using https://github.com/codecentric/helm-charts/tree/master/charts/keycloak to set up keycloak on k8s:
Using this helmchart and setting it up directly works ...
0
votes
0
answers
23
views
"scope" field in bearer token with OAuth2-proxy
I configured oauth2-proxy for authentication for one of my applications. My application checks the scopes to determine access to resources.
I am successfully able to send the bearer token requested by ...
0
votes
0
answers
251
views
FreeIPA, Keycloak and Radius with OTP used for Wifi, VPN and Docker registry auth result in logging in hell
We have configured our infrastructure to use FreeIPA for user database, keycloak as SSO auth and Radius as auth proxy.
We use everywhere password + OTP policy.
We have several apps connected to ...
0
votes
0
answers
100
views
OpenStack - Keycloak SSO oidc mapping
I'm trying to set up SSO for OpenStack, through Keycloak, via OpenID.
If I use the example mapping from the OpenStack documentation, it works fine. However, I want to have a different setup, and would ...
0
votes
1
answer
62
views
Recursive keycloak broker throwing a cookie exception
I am trying to setup following transitive architecture:
(A) Keycloak as a user federation on AD
(B) Keycloak as a broker for Keycloak (A)
(C) Keycloak as a broker for Keycloak (B) connected to some ...
0
votes
0
answers
74
views
Windows11: How do I find out exactly where SAML-WebLogIn on Windows fails after redirect back to Windows?
I managed to enable federated Logins for our Microsoft tenant so that if you login to, say, office.com and enter your username (e.g. "[email protected]") you're then redirected to our Keycloak ...
0
votes
1
answer
1k
views
Keycloak Integration with a Linux Server
I've set up a Keycloak server and I'm working on integrating it with a Linux server to allow users from Keycloak to authenticate into the Linux server using their Keycloak credentials.
Ideally, I'd ...
0
votes
0
answers
135
views
Configure keycloak admin UI to listen on different port than the IAM services?
Is there a way to configure keycloak admin UI to listen on different port than the IAM services?
My primary goal is to restrict access to admin just from dedicated ip addresses, and allow access to ...
0
votes
0
answers
491
views
Getting IDENTITY_PROVIDER_LOGIN_ERROR with keycloak, OAuth authentication with Github, "federatedIdentityModel" is null
I am running KeyCloak as one of the services in a K3s cluster to provide identity management for another service on the cluster, both of which are behind Nginx. After deleting Github (the initial ...
0
votes
1
answer
167
views
How to manage keycloak using git-ops for multiple environment
We are currently using keycloak for a very simple usecase that enables the Oauth2 client credential grants for sets of Apis behind nginx ingress controller on kubernetes.
Keycloak works well, as we ...
0
votes
0
answers
149
views
Apache Ranger vs Keycloak for authorization
I am new to both Apache Ranger and Keycloak. When I was doing my research I understood that Apache Ranger and Keycloak both have the authorization capabilities, added keycloak has authentication ...
0
votes
1
answer
629
views
Cannot access keycloak UI using other hostname besides localhost on port: 8089, using other ports is Ok
I am trying to run keycloak in 8089 port,
if I start the docker container in that port I can access the keycloak ui from: http://localhost:8089/
but I cannot access it using the keycloak hostname (...
0
votes
0
answers
324
views
Keycloak is automatically changing certificate
I'm using Keycloak Quay 22.0.3 with docker-compose behind a Nginx reverse proxy but I have some troubles due to an automatic replacement of my certificate generated with certbot.
My certificate generated ...
0
votes
0
answers
616
views
Multiple Kerberos Providers in Keycloak
I have a Keycloak with 2 different LDAP Providers which include Kerberos Authentication.
Provider A is on first priority, provider B on second priority. Both provider settings provide their different ...
0
votes
0
answers
726
views
How to scrape Prometheus secured with OAuth2-proxy and Keycloak
I have 2 prometheuses, both are with forward-auth via the oauth2-proxy, which have the same client credentials in a single keycloak.
I would like one prometheus to federate the other one. This is my ...
0
votes
1
answer
648
views
Can I use keycloak as an Idp for kibana installed using the ElasticSearch Operator in kubernetes?
I have setup a kubernetes cluster in a private network and I'm using a gateway machine for accessing the cluster. In the kubernetes cluster I have installed the elasticsearch operator and through that ...
0
votes
0
answers
652
views
Upgrade to KeyCloak 18 fails
I have a KeyCloak 17.0.1 that is apparently working without issues on my server, configured to use MariaDB. I say "apparently" because, as of today, it's not in production yet, albeit it ...
0
votes
0
answers
4k
views
Containerized Keycloak behind Nginx reverse proxy requests localhost
Working setup
I have a configuration of
external VPS with public IP that has Nginx reverse proxy (A)
internal server with Nginx (B)
standalone application (not containerized) Keycloak 17.0.1
Which ...
0
votes
0
answers
3k
views
next-auth ECONNREFUSED 127.0.0.1:80
I am using Next-auth with keycloak and docker-compose and I get this error:
[next-auth][error][GET_AUTHORIZATION_URL_ERROR]
arcade-iori | https://next-auth.js.org/errors#...
0
votes
2
answers
1k
views
Wildfly standalone.xml - passing secret to KeyCloak SPI from elytron credential store
I'm migrating KeyCloak v15 (WildFly v23) passwords from the old vault to elytron credential store. It works fine for the standard use case. In standalone.xml, I have:
/server/extensions/extension:
<...
0
votes
1
answer
896
views
Unable to use service account to get userinfo for Keycloak 12.0.4
I am running keycloak version 12.0.4.
Previously when I was running version 11.0.2.
I am able to use my service account and call the endpoint {{KEYCLOAK_URL}}/auth/realms/{{REALM}}/protocol/openid-...
0
votes
1
answer
942
views
GLPI appending :80 to CAS Callback URL
Problem:
GLPI is appending :80 to the callback URL for CAS authentication using Keycloak. After logging in successfully on Keycloak, user gets redirected to the GLPI URL which contains :80 in the ...
0
votes
1
answer
559
views
JBPM KIE Server Token Based Authentication
I have successfully installed and configured JBPM 7.40.0 and Keycloak 11.0.0 on the same server instance as per the documentation. I can successfully do GET http://myserver/kie-server/services/rest/...
-1
votes
1
answer
1k
views
Keycloak 16 - can it log OIDC access tokens for Open-ID Connect identity providers?
How can I make Keycloak 16 log the access token, when using an Open-ID Connect identity provider? I need to see what claims the OIDC provider sends to Keycloak.