Keycloak created user enabled - keycloak

I am using Keycloak 4.8.3 Final for my project. I have been reading the Keycloak documentation for 6 days.
I am using the Keycloak registration page. When I register, the user is always enabled, but in my scenario an admin has to enable the created user. I do not know why, but I cannot find it in the Keycloak documentation. I tried to change the registration flow, but nothing changes.

I found that we can't change this in the 4.8.3 Final version. You can change the Java code and rebuild it, or you can use the REST API.
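As an added example (not from the answer above and not Keycloak's own code), a Python script against the Keycloak 4.x admin REST API that implements the admin-approval scenario from the question: it disables every enabled user who lacks an `approved` user attribute, so self-registered accounts cannot log in until an admin sets that attribute. The base URL, realm name, admin credentials and attribute name are assumed placeholders.

```python
import json
import urllib.parse
import urllib.request

# Assumed deployment values (placeholders, not from the original post).
BASE_URL = "https://keycloak.example.com/auth"  # Keycloak 4.x serves under /auth
REALM = "projectx"
APPROVED_ATTR = "approved"  # user attribute an admin sets to "true" to approve
PAGE = 100                  # GET .../users is paginated with first/max

def admin_token_request(base_url, username, password):
    """Password grant against the public admin-cli client of the master realm."""
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    return ("POST", f"{base_url}/realms/master/protocol/openid-connect/token", body,
            {"Content-Type": "application/x-www-form-urlencoded"})

def list_users_request(base_url, realm, token, first=0):
    url = f"{base_url}/admin/realms/{realm}/users?first={first}&max={PAGE}"
    return ("GET", url, None, {"Authorization": f"Bearer {token}"})

def set_enabled_request(base_url, realm, token, user_id, enabled):
    """PUT a partial UserRepresentation; only the fields sent are changed."""
    return ("PUT", f"{base_url}/admin/realms/{realm}/users/{user_id}",
            json.dumps({"enabled": enabled}).encode(),
            {"Authorization": f"Bearer {token}", "Content-Type": "application/json"})

def send(req):
    """Execute one (method, url, body, headers) tuple; returns parsed JSON or None."""
    method, url, body, headers = req
    http_req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(http_req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def disable_unapproved(base_url, realm, token, send=send):
    """Disable every enabled user without the approval attribute; returns their ids."""
    disabled, first = [], 0
    while True:
        page = send(list_users_request(base_url, realm, token, first))
        for user in page:
            attrs = user.get("attributes", {})  # attribute values are lists in the JSON
            if user.get("enabled") and attrs.get(APPROVED_ATTR, ["false"])[0] != "true":
                send(set_enabled_request(base_url, realm, token, user["id"], False))
                disabled.append(user["id"])
        if len(page) < PAGE:
            return disabled
        first += PAGE

if __name__ == "__main__":
    tok = send(admin_token_request(BASE_URL, "admin", "admin-password"))["access_token"]
    print("disabled:", disable_unapproved(BASE_URL, REALM, tok))
```

Run it on a short schedule: a freshly registered user can still log in during the window between registering and the next sweep, so the interval is the residual exposure.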

Related

User Authentication for flutter web using OpenID Connect? (-> KeyCloak)?

I'm currently working on a Flutter/Dart-based web page (not an app). Now I have come to the point where I want the web page to open only if the user has authenticated on my cloud-based Keycloak server (cloud-iam.com).
There are some OpenID Connect client packages for Flutter available, but most only work for Google Firebase/AWS, some others only work for apps, and others are already outdated.
For now, I simply want to use the login frontend offered by the Keycloak server.
But I totally failed to get the available OIDC packages to work... :-(
Does anyone have a suitable package and a reference Flutter/Dart application showing how to authenticate a user using an OIDC identity provider (i.e. Keycloak)?
Thanks!
You can try the keycloak_flutter package, which handles Keycloak user authentication for Flutter web only:
https://pub.dev/packages/keycloak_flutter
As per this package's example
https://github.com/gibahjoe/keycloak_flutter/tree/master/example
you can provide your Keycloak realm and client ID details; it will navigate to your Keycloak server for login authentication, after which you can allow your app to use the token details provided after login.

Guacamole logout function does not log out of web browser

I am having an issue with a Guacamole server where I cannot log out of the web session once I am logged in. We use Keycloak for identity management and the Guacamole server for RDP sessions. The versions of both applications are fairly recent, but we have had this issue for a long time, since the inception. I searched Google but was unable to find any fix; however, there are people who have already experienced a similar issue. Apart from the logout issue, everything functions without any problem. A couple of errors I can see in the browser are shown below:
ERROR in browser:
{
  "message": "Session not associated with authentication provider \"openid\".",
  "translatableMessage": {
    "key": "APP.TEXT_UNTRANSLATED",
    "variables": {
      "MESSAGE": "Session not associated with authentication provider \"openid\"."
    }
  },
  "statusCode": null,
  "expected": null,
  "type": "NOT_FOUND"
}
I think I have found the reason why the Guacamole logout is not working - it is Keycloak SSO. It uses cookies to keep users logged in.
What you need to do:
Go to the realm -> Authentication -> Flows -> Choose the flow you use from the drop-down list, usually it is "browser" or a clone of it -> set the "Cookies" authentication type to Disabled.
If you need to keep SSO - limit the time in the Realm settings.
Try now.

Default custom realm in keycloak

Our team is working on a project that integrates with Keycloak. We created a custom realm, say ProjectX, and enabled our custom theme on it so that it is applied to the Keycloak login page.
Since our theme is applied to the realm ProjectX and not to master, how can we make the custom realm the default one displayed (with the theme) when we first access the Keycloak login page?
I'm not sure which project you are building or how you have configured Keycloak in your ProjectX project. OK, let's ignore all these things and see how we generally browse Keycloak. We simply hit https://<IP ADDRESS>:<PORT>/auth, then it shows some links, we click Administration Console, and it redirects to the MASTER realm URL.
Which looks like this: https://<IP ADDRESS>:<PORT>/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2F135.250.138.93%3A8666%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%3Fredirect_fragment%3D%252Frealms%252Fbasic-auth%252Ftheme-settings&state=47381ff9-eb03-4419-bac3-8824d57f9c0d&nonce=be95ef5a-0737-49a3-be0b-4577f7a050ae&response_mode=fragment&response_type=code&scope=openid
Now in your case you want to access the URL for a particular realm and not the default (master) realm, so here is the solution: hit the URL below.
https://<IP ADDRESS>:<PORT>/auth/realms/<REALM-NAME>/account
But make sure you have created a user for your realm and given proper rights to that particular user.

SSO with keycloak

We are considering using Keycloak as our SSO framework.
According to the Keycloak documentation for multi-tenancy support, the application server should hold all the keycloak.json authentication files, and the way to acquire those files is from the Keycloak admin. Is there a way to get them dynamically via API, or at least to get the realm public key? We would like to avoid manually adding this file for each realm to the application server (to avoid downtime, etc.).
Another multi-tenancy related question: according to the documentation, the same clients should be created for each realm, so if I have 100 realms and 10 clients, I should define the same 10 clients 100 times? Is there an alternative?
One of our flows is a backend micro-service that should be authenticated against an application (defined as a Keycloak client). We would like to avoid keeping a user/password on the server for security reasons. Is there a way that an admin can acquire a token and place it manually on the server file system for that micro-service? Is there an option to generate this token in the Keycloak UI?
Thanks in advance.
All Keycloak functionality is available via the admin REST API, so you can automate this. The realm's public key is available via http://localhost:8080/auth/realms/{realm}/
A realm for each tenant will give a tenant-specific login page. Therefore this is the way to go: 10 clients registered 100 times. See more in the chapter Client Registration of the Keycloak documentation. If you don't need specific themes, you can opt to put everything in one realm, but you will lose a lot of flexibility on that path.
If your backend micro-service should appear as one (technical) user, you can issue an offline token that doesn't expire. This is the online documentation for offline tokens. Currently there is no admin functionality to retrieve an offline token for a user by an admin. You'll need to build this yourself. An admin can later revoke offline tokens using the given admin API.
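As an added example (not from the answer above and not Keycloak's own adapter code), a small Python helper that fetches each tenant's public key from the realm endpoint the answer mentions and builds the per-realm adapter configuration on demand, with a cache and a check that the metadata really belongs to the requested realm. The base URL and client id are placeholders.

```python
import json
import textwrap
import urllib.request

def fetch_realm_info(base_url, realm):
    """GET {base}/realms/{realm}/ returns JSON with 'realm' and 'public_key' (base64 DER)."""
    with urllib.request.urlopen(f"{base_url}/realms/{realm}/") as resp:
        return json.loads(resp.read())

def to_pem(b64_spki):
    """Wrap Keycloak's bare base64 SubjectPublicKeyInfo as PEM, which JWT libraries expect."""
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(textwrap.wrap(b64_spki, 64))
            + "\n-----END PUBLIC KEY-----\n")

def adapter_config(info, base_url, client_id):
    """Build the per-realm keycloak.json the docs ask for, from live realm metadata."""
    return {"realm": info["realm"], "auth-server-url": base_url, "ssl-required": "external",
            "resource": client_id, "public-client": True, "realm-public-key": info["public_key"]}

class TenantConfigs:
    """Per-realm cache so the app server never needs a hand-copied keycloak.json."""
    def __init__(self, base_url, client_id, fetch=fetch_realm_info):
        self.base_url, self.client_id, self.fetch = base_url, client_id, fetch
        self._cache = {}

    def get(self, realm):
        if realm not in self._cache:
            info = self.fetch(self.base_url, realm)
            if info.get("realm") != realm:  # refuse metadata that names another realm
                raise ValueError(f"realm mismatch: {info.get('realm')!r} != {realm!r}")
            self._cache[realm] = adapter_config(info, self.base_url, self.client_id)
        return self._cache[realm]

    def public_key_pem(self, realm):
        return to_pem(self.get(realm)["realm-public-key"])

    def evict(self, realm):
        """Drop a cached realm (e.g. after a signature failure) so a rotated key is refetched."""
        self._cache.pop(realm, None)

if __name__ == "__main__":
    # Placeholder base URL and client id; not from the original post.
    tenants = TenantConfigs("https://keycloak.example.com/auth", "my-app")
    print(json.dumps(tenants.get("tenant-a"), indent=2))
```

Keycloak also publishes the realm's signing keys, with key ids, at /realms/{realm}/protocol/openid-connect/certs (JWKS), which is the better source once realm keys are rotated.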

How can I enable login button of identity provider (external) on SP login page

I am using the WSO2 Identity Server product, version 5.0.0. I use SP1. In our latest architecture we use a specific login page for each service provider. Each service provider can be configured under different tenant domains, eventually with differences (for example, for one tenant the internal and the Facebook login are configured, but for another tenant just the internal login).
I want to know if it is possible to show on the login page the external identity provider login button according to the service provider configuration under the specific tenant domain. Please help me solve this; I am stuck on this advanced configuration. I could not find any documents for this.
Yes, to my knowledge your requirement is possible with WSO2-IS.
Please refer to document [1] for customizing the login page for SAML SSO service providers.
You can get more custom configuration details from this blog as well [2].
Also, if you need to re-theme the WSO2 management console, that is also possible with WSO2-IS. Please find the reference document [3].
[1] https://docs.wso2.com/display/IS500/Customizing+Login+Pages
[2] http://dulanja.blogspot.com/2014/01/wso2-is-samlsso-customizing-login-page.html
[3] http://wso2.com/library/tutorials/2011/12/retheming-carbon-products/