
Questions tagged [keycloak]

Integrated Single Sign On (SSO) and Identity Manager (IDM) for browser apps and RESTful web services. Built on top of JBoss / WildFly and complies with OAuth 2.0, OpenID Connect, JSON Web Token (JWT) and SAML 2.0 specifications.

6 votes
2 answers
16k views

KEYCLOAK + MYSQL + DOCKER --> Failed to start

I am trying to start a Keycloak instance which uses a custom mysql database instead of the embedded H2. Since I am planning to use docker, I created a network for Keycloak docker to communicate with ...
Renjith
  • 111
3 votes
0 answers
1k views

Keycloak login error destination_invalid

I'm currently trying to set up keycloak to provide single sign on to a nextcloud and gitlab instance. All three services are running inside a docker compose network with an nginx server as proxy to ...
Shelling
  • 131
2 votes
2 answers
41k views

How to get the client-id and client-secret from keycloak?

For a web application I need the client-id and client-secret from Keycloak. How can I access these in the web interface?
sm-a
  • 23
2 votes
1 answer
182 views

Invalid keycloak URL error when installing alfresco-dbp with helm in Kubernetes on AWS

I'm currently trying to deploy Alfresco Content Services on AWS following this guide. I got as far as to "Creating File Storage for Alfresco Content Services Community" where I have to create an EFS ...
Felix Engelmann
2 votes
1 answer
1k views

Logging username in KeyCloak access-log

In KeyCloak 15.0 (that is WildFly 23.0), I’m trying to configure access-log to also include username (or any ID of the user) when a user is logged in. In keycloak/standalone/configuration/standalone....
McLayn
  • 193
2 votes
2 answers
3k views

How can I resolve "SAML Providers must reference at least one SAML assertion issuer" message?

I want to setup a SSO solution using Keycloak 10.0.2 as the Identity Provider. The first application I want to setup is AWS. I followed this tutorial to enable Keycloak to sign me in using SAML. I ...
user540468
2 votes
1 answer
3k views

Howto traefik->keycloak gatekeeper->service?

My question is: Specifically, how do I configure traefik to double proxy through keycloak gatekeeper to authenticate my services as outlined below? I know my authentication chain looks like the ...
Karl N. Redman
2 votes
0 answers
559 views

Can't get Keycloak to add new users/groups to OpenLDAP

I've been banging my head against the wall for two days on this one now. I have setup fresh Keycloak and OpenLDAP instances, and I want to use OpenLDAP as the source of truth for all user data. I want ...
Dominic P
  • 497
2 votes
0 answers
444 views

Keycloak takes a long time to wake up if unused during a day or more

I installed Keycloak with a docker compose, behind an NGINX reverse proxy. Keycloak is only installed now for testing. When I stop using it for a day or more, next time I have a "Request Time-out" ...
Tom DARBOUX
1 vote
1 answer
710 views

Keycloak w/ EKS + ALB (401 after auth)

I’m currently trying to get Keycloak to run in EKS behind ALB and for the life of me, I can’t get it to work. I get the redirect to a login screen and after I log in - I instantly get presented with ...
iotanum
  • 21
1 vote
0 answers
1k views

SSO not working between a browser and a Keycloak using a user federation with kerberos integration to a windows AD

I am trying to get SSO working using a browser (Chrome or Firefox) and keycloak configured with a user federation AD Domain (kerberos is configured). First I present the overview of what I have and ...
Afonso R.
1 vote
1 answer
1k views

HAProxy deny HTTP request on path_beg not matching

I have a HAProxy node in front of a Keycloak node. I want to only expose the API needed to serve the users (not the Admin panel) I have the following on my haproxy.cfg frontend block frontend haproxy-...
desertSniper87
1 vote
0 answers
1k views

Wrong redirect_uri on keycloak

I am trying to use keycloak to authenticate my service that are provided in a tomcat 8 docker by following https://github.com/keycloak/keycloak-documentation/blob/main/securing_apps/topics/oidc/java/...
Winter
  • 141
1 vote
0 answers
779 views

Keycloak: Difference between Authentication sessions and User Sessions

I was going through the documentation https://www.keycloak.org/docs/latest/server_installation/#cache Here they have described different types of caches. I didn't quite understand the definitions they ...
MrRobot9
  • 123
1 vote
0 answers
335 views

Indirect Group Membership with Keycloak and oauth2-proxy

I'm using oauth2-proxy/oauth2-proxy with Keycloak-oidc provider for authentication for some pods in my Kubernetes cluster. I can specify which groups are allowed to access a resource using the --...
cclloyd
  • 613
1 vote
0 answers
277 views

JBoss: How does <stacks> in the standalone-ha.xml work?

This file contains the usual Keycloak server configuration with the addition of WildFly10 High Availability extensions like Infinispan HA cache and JGroups HA communication channels and their ...
MrRobot9
  • 123
1 vote
1 answer
2k views

Keycloak install with helm on GKE with Cloud SQL (external) database

I'm trying to install keycloak on GKE cluster in GCP with external database, i.e. CloudSQL postgres db. I want to use helm to install it, so: helm repo add bitnami https://charts.bitnami.com/bitnami ...
Michał Z
1 vote
1 answer
224 views

graviteeio - management-rest-api oauth role mappings

Gravitee manager can be configured with keycloak authentication as described here. They state in their documentation, that role mapping could be addressed on their gravitee.yml configuration: security:...
Patricio
1 vote
1 answer
1k views

Unable to add users from Keycloak on FreeIPA via LDAP although Keycloak host has permissions set in FreeIPA

I have the following setup: FreeIPA 4.8.7 via docker (freeipa/freeipa-server:centos-8) Keycloak 12.0.1 The FreeIPA users are in cn=users,cn=accounts,dc=freeipa,dc=example,dc=com Keycloak DN: ...
sschueller
0 votes
1 answer
605 views

How to map internal OIDC group to external K8s cluster roles

I have successfully connected my K8s cluster + dashboard to my Keycloak server, now I have asked myself the question: I have followed these instructions here. Furthermore I also made the appropriate ...
ZPascal
  • 143
0 votes
2 answers
569 views

Client that can manage users in Keycloak 23+

I need to authorize my application (named "Logic" from now on) to manage users of a Keycloak realm. "Logic" already authenticates itself against that realm with a client ...
Lucio Crusca
0 votes
2 answers
495 views

fail2ban on host for rootless podman keycloak container

Running on Rocky Linux 9.2 with podman 4.4.1. I got a podman Pod with keycloak + postgresql inside, running rootless. The pod itself with --network 'slirp4netns:port_handler=slirp4netns'. The keycloak ...
Leo
  • 141
0 votes
1 answer
461 views

Keycloak Docker fails to start due to "Negative Delay." Error

Running a keycloak container (21.0 - 21.1.1) on a Debian 11 Bullseye recently stopped working after host restart (MariaDB didn't start up, leading to keycloak also exiting. When the issue was noticed ...
Simon
  • 103
0 votes
1 answer
117 views

Why does embedding KeyCloak into another stack using requirements.yaml fail?

I ran into a really weird issue when using https://github.com/codecentric/helm-charts/tree/master/charts/keycloak to set up keycloak on k8s: Using this helmchart and setting it up directly works ...
Peter
  • 11
0 votes
0 answers
23 views

"scope" field in bearer token with OAuth2-proxy

I configured oauth2-proxy for authentication for one of my applications. My application checks the scopes to determine access to resources. I am successfully able to send the bearer token requested by ...
mirawara
0 votes
0 answers
251 views

FreeIPA, Keycloak and Radius with OTP used for Wifi, VPN and Docker registry auth result in logging in hell

We have configured our infrastructure to use FreeIPA for user database, keycloak as SSO auth and Radius as auth proxy. We use everywhere password + OTP policy. We have several apps connected to ...
Broskev
  • 37
0 votes
0 answers
100 views

OpenStack - Keycloak SSO oidc mapping

I'm trying to set up SSO for OpenStack, through Keycloak, via OpenID. If I use the example mapping from the OpenStack documentation, it works fine. However, I want to have a different setup, and would ...
AlexP
  • 1
0 votes
1 answer
62 views

Recursive keycloak broker throwing a cookie exception

I am trying to setup following transitive architecture: (A) Keycloak as a user federation on AD (B) Keycloak as a broker for Keycloak (A) (C) Keycloak as a broker for Keycloak (B) connected to some ...
Navif
  • 1
0 votes
0 answers
74 views

Windows11: How do I find out exactly where SAML-WebLogIn on Windows fails after redirect back to Windows?

I managed to enable federated Logins for our Microsoft tenant so that if you login to, say, office.com and enter your username (e.g. "[email protected]") you're then redirected to our Keycloak ...
Rhywden
  • 101
0 votes
1 answer
1k views

Keycloak Integration with a Linux Server

I've set up a Keycloak server and I'm working on integrating it with a Linux server to allow users from Keycloak to authenticate into the Linux server using their Keycloak credentials. Ideally, I'd ...
Tisighe Livinstone
0 votes
0 answers
135 views

Configure keycloak admin UI to listen on different port than the IAM services?

Is there a way to configure keycloak admin UI to listen on different port than the IAM services? My primary goal is to restrict access to admin just from dedicated ip addresses, and allow access to ...
g.pickardou
0 votes
0 answers
491 views

Getting IDENTITY_PROVIDER_LOGIN_ERROR with keycloak, OAuth authentication with Github, "federatedIdentityModel" is null

I am running KeyCloak as one of the services in a K3s cluster to provide identity management for another service on the cluster, both of which are behind Nginx. After deleting Github (the initial ...
Lois
  • 1
0 votes
1 answer
167 views

How to manage keycloak using git-ops for multiple environment

We are currently using keycloak for a very simple usecase that enables the Oauth2 client credential grants for sets of Apis behind nginx ingress controller on kubernetes. Keycloak works well, as we ...
user2501711
0 votes
0 answers
149 views

Apache Ranger vs Keycloak for authorization

I am new to both Apache Ranger and Keycloak. When I was doing my research I understood that, Apache ranger and Keycloak both have the authorization capabilities, added keycloak has authentication ...
pacman
  • 101
0 votes
1 answer
629 views

Cannot access keycloak UI using other hostname besides localhost on port: 8089, using other ports is Ok

I am trying to run keycloak in 8089 port, if I start the docker container in that port I can access the keycloak ui from: http://localhost:8089/ but I cannot access it using the keycloak hostname (...
Game dev
  • 101
0 votes
0 answers
324 views

Keycloak is automatically changing certificate

I'm using Keycloak Quay 22.0.3 with docker-compose behind a Nginx reverse proxy but I have some troubles due to an automatic replace of my certificate generated with certbot. My certificate generated ...
Alessio Raddi
0 votes
0 answers
616 views

Multiple Kerberos Providers in Keycloak

I have a Keycloak with 2 different LDAP Providers which include Kerberos Authentication. Provider A is on first priority, provider B on second priority. Both provider settings provide their different ...
Lithilion
  • 131
0 votes
0 answers
726 views

How to scrape Prometheus secured with OAuth2-proxy and Keycloak

I have 2 prometheuses, both are with forward-auth via the oauth2-proxy, which have the same client credentials in a single keycloak. I would like one prometheus to federate the other one. This is my ...
simonszu
  • 373
0 votes
1 answer
648 views

Can I use keycloak as an Idp for kibana installed using the ElasticSearch Operator in kubernetes?

I have setup a kubernetes cluster in a private network and I'm using a gateway machine for accessing the cluster. In the kubernetes cluster I have installed the elasticsearch operator and through that ...
user2835131
0 votes
0 answers
652 views

Upgrade to KeyCloak 18 fails

I have a KeyCloak 17.0.1 that is apparently working without issues on my server, configured to use MariaDB. I say "apparently" because, as of today, it's not in production yet, albeit it ...
Lucio Crusca
0 votes
0 answers
4k views

Containerized Keycloak behind Nginx reverse proxy requests localhost

Working setup I have a configuration of external VPS with public IP that has Nginx reverse proxy (A) internal server with Nginx (B) standalone application (not containerized) Keycloak 17.0.1 Which ...
hrust
  • 101
0 votes
0 answers
3k views

next-auth ECONNREFUSED 127.0.0.1:80

I am using Next-auth with keycloak and docker-compose and I get this error: [next-auth][error][GET_AUTHORIZATION_URL_ERROR] arcade-iori | https://next-auth.js.org/errors#...
Crisgarlez
0 votes
2 answers
1k views

Wildfly standalone.xml - passing secret to KeyCloak SPI from elytron credential store

I'm migrating KeyCloak v15 (WildFly v23) passwords from the old vault to elytron credential store. It works fine for the standard use case. In standalone.xml, I have: /server/extensions/extension: <...
McLayn
  • 193
0 votes
1 answer
896 views

Unable to use service account to get userinfo for Keycloak 12.0.4

I am running keycloak version 12.0.4. Previously when I was running version 11.0.2. I am able to use my service account and call the endpoint {{KEYCLOAK_URL}}/auth/realms/{{REALM}}/protocol/openid-...
shadow
  • 101
0 votes
1 answer
942 views

GLPI appending :80 to CAS Callback URL

Problem: GLPI is appending :80 to the callback URL for CAS authentication using Keycloak. After logging in successfully on Keycloak, user gets redirected to the GLPI URL which contains :80 in the ...
retr0
  • 119
0 votes
1 answer
559 views

JBPM KIE Server Token Based Authentication

I have successfully installed and configured JBPM 7.40.0 and Keycloak 11.0.0 on the same server instance as per the documentation. I can successfully do GET http://myserver/kie-server/services/rest/...
Khetho Mtembo
-1 votes
1 answer
1k views

Keycloak 16 - can it log OIDC access tokens for Open-ID Connect identity providers?

How can I make Keycloak 16 log the access token, when using an Open-ID Connect identity provider? I need to see what claims the OIDC provider sends to Keycloak.
Lars D
  • 272