Keycloak Blog

standardize an interface for public-key authentication of users to web-based applications and services. · yes

darkMode=false
--features-disabled="persistent-user-sessions"
--features="clusterless"
--features-disabled="persistent-user-sessions"
--features="cache-embedded-remote-store"
--features-disabled="persistent-user-sessions"
--features="multi-site"
--features="multi-site,clusterless"
--features-disabled="persistent-user-sessions"
bin/kc.[sh|bat] build --features-disabled="persistent-user-sessions"
bin/kc.[sh|bat] build --features="clusterless" --features-disabled="persistent-user-sessions"
bin/kc.[sh|bat] build --features="cache-embedded-remote-store" --features-disabled="persistent-user-sessions"
bin/kc.[sh|bat] build --features="multi-site"
bin/kc.[sh|bat] build --features="multi-site,clusterless" --features-disabled="persistent-user-sessions"
docker run --name kc-orgs -d -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin -p 8080:8080 quay.io/keycloak/keycloak start-dev --features organization
"organization": {
    "orga": {}
}
bin/kc.[sh|bat] [start-dev|build|start] --features="persistent-user-sessions"
KC_FEATURES=persistent-user-sessions
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  features:
    enabled:
      - persistent-user-sessions
...
bin/kc.sh build --features=persistent-user-session ...
SELECT * from migration_model WHERE version = '999.0.0';
UPDATE migration_model SET version = '24.0.0' WHERE version = '999.0.0';
spec:
  truststores:
    mystore:
      secret:
        name: mystore-secret
    myotherstore:
      secret:
        name: myotherstore-secret
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  ...
  cache:
    configMapFile:
      name: my-configmap
      key: config.xml
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: example-kc
spec:
  ...
  resources:
    requests:
      cpu: 1200m
      memory: 896Mi
    limits:
      cpu: 6
      memory: 3Gi
git commit -s -m "Description of the commit"
SELECT DISTINCT U.ID, U.USERNAME, U.EMAIL, U.REALM_ID FROM USER_ENTITY U
    INNER JOIN USER_ATTRIBUTE UA ON U.ID = UA.USER_ID
    WHERE UA.NAME IN ('password','password-confirm')
DELETE FROM USER_ATTRIBUTE UA WHERE UA.NAME IN ('password','password-confirm')
SELECT DISTINCT USER_ID,REALM_ID,STORAGE_PROVIDER_ID FROM FED_USER_ATTRIBUTE
    WHERE NAME IN ('password','password-confirm')
DELETE FROM FED_USER_ATTRIBUTE UA WHERE UA.NAME IN ('password','password-confirm')
bin/kc.sh start-dev --features=account3
<dependency>
    <groupId>org.keycloak</groupId>
    <artifactId>keycloak-policy-enforcer</artifactId>
    <version>21.1.0</version>
</dependency>
bin/kc.sh start-dev --storage=chm
bin/kc.sh start-dev --storage=jpa --db-url=<jdbc-url> --db-username=<username> --db-password=<password>
bin/kc.sh start-dev --storage=hotrod --storage-hotrod-host=<host> --storage-hotrod-port=11222 --storage-hotrod-username=<username> --storage-hotrod-password=<password>
bin/kc.sh start-dev --storage=jpa \
  --db-url=<jdbc-url> --db-username=<username> --db-password=<password> \
  --storage-hotrod-host=<host> --storage-hotrod-port=<port> \
  --storage-hotrod-username=<username> --storage-hotrod-password=<password> \
  --storage-area-action-token=hotrod \
  --storage-area-auth-session=hotrod \
  --storage-area-single-use-object=hotrod \
  --storage-area-user-session=hotrod
bin/jboss-cli.sh --connect
/subsystem=undertow/configuration=filter/expression-filter=keycloakPathOverrideUsersCreateEndpoint:add( \
  expression="(regex('^/auth/admin/realms/(.*)/users$') and method(POST))-> response-code(400)" \
)
/subsystem=undertow/server=default-server/host=default-host/filter-ref=keycloakPathOverrideUsersCreateEndpoint:add()
sudo yum install -y https://github.com/apache/apisix/releases/download/2.7/apisix-2.7-0.x86_64.rpm
make init
apisix start
docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=password -e DB_VENDOR=h2  -d jboss/keycloak:9.0.2
docker ps
curl  -XPOST 127.0.0.1:9080/apisix/admin/routes -H "X-Api-Key: edd1c9f034335f136f87ad84b625c8f1" -d '{
    "uri":"/*",
    "plugins":{
        "openid-connect":{
            "client_id":"apisix",
            "client_secret":"d5c42c50-3e71-4bbe-aa9e-31083ab29da4",
            "discovery":"http://127.0.0.1:8080/auth/realms/apisix_test_realm/.well-known/openid-configuration",
            "scope":"openid profile",
            "bearer_only":false,
            "realm":"apisix_test_realm",
            "introspection_endpoint_auth_method":"client_secret_post",
            "redirect_uri":"http://127.0.0.1:9080/"
        }
    },
    "upstream":{
        "type":"roundrobin",
        "nodes":{
            "httpbin.org:80":1
        }
    }
}'
kc.sh --help
kc.sh start-dev
kc.sh --http-port=8180
kc.sh config --db=postgres --db-username=******* --db-password=*******
Kc.sh # then start the server
keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
kc.sh
kc.sh config --db=postgres && kc.sh --db-username=**** --db-password=****
kc.sh --db-url=jdbc:postgresql://<host>/<database> \
      --db-username=****** \
      --db-password=******
kc.sh -Dkc.db.url.host=<host> \
      -Dkc.db.url.database=<database>
      --db-username=******
      --db-password=******
kc.sh --cluster=local
kc.sh -Djgroups.dns.query=<jgroups-ping-service>.<namespace>.<cluster-domain-suffix> --cluster-stack=kubernetes
kc.sh config
kc.sh # then start the server
docker run --name keycloak -p 8080:8080  \
    -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=change_me \
    quay.io/keycloak/keycloak-x \
    start-dev
docker run --name keycloak -p 8080:8080 \
    -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=change_me \
    quay.io/keycloak/keycloak-x \
    --auto-config \
    --db=postgres -Dkc.db.url.host=$DB_HOST --db-username=keycloak --db-password=change_me --http-enabled=true
body {
  --pf-global--FontFamily--sans-serif: Comic Sans MS;
  --pf-global--FontFamily--heading--sans-serif: Comic Sans MS;
  --pf-global--BackgroundColor--dark-100: #2B9AF3;
  --pf-global--Color--100: #004080;
}
initialize_sql
remove_old_coords_on_view_change
remove_all_data_on_view_change
info_writer_sleep_time
info_writer_max_writes_after_view
FROM jboss/keycloak:latest

ADD cli/TCPPING.cli /opt/jboss/tools/cli/jgroups/discovery/
ADD cli/JDBC_PING.cli /opt/jboss/tools/cli/jgroups/discovery/

#IP address of this host, please make sure this IP can be accessed by the other Keycloak instances
JGROUPS_DISCOVERY_EXTERNAL_IP=172.21.48.39
#protocol
JGROUPS_DISCOVERY_PROTOCOL=TCPPING
#IP and Port of all host
JGROUPS_DISCOVERY_PROPERTIES=initial_hosts="172.21.48.4[7600],172.21.48.39[7600]"

#IP address of this host, please make sure this IP can be accessed by the other Keycloak instances
JGROUPS_DISCOVERY_EXTERNAL_IP=172.21.48.39
#protocol
JGROUPS_DISCOVERY_PROTOCOL=JDBC_PING

oc new-project keycloak

oc replace --force -f "https://raw.githubusercontent.com/jboss-dockerfiles/keycloak"\
"/master/openshift-examples/keycloak-https.json"

npm install -g @ssilvert/keycloak-schematic
ng new myApp
cd myApp
ng generate keycloak --collection @ssilvert/keycloak-schematic --clientId=myApp

ng serve
./standalone.sh(bat)

<html>
<head>
    <title>My awesome landing page</title>
</head>
 <body>
   <h2>Landing page</h2>
   <a href="/products">My products</a>
 </body>
</html>


@Controller
class ProductController {

   @Autowired ProductService productService;

   @GetMapping(path = "/products")
   public String getProducts(Model model){
      model.addAttribute("products", productService.getProducts());
      return "products";
   }

   @GetMapping(path = "/logout")
   public String logout(HttpServletRequest request) throws ServletException {
      request.logout();
      return "/";
   }
}

@Component
class ProductService {
   public List<String> getProducts() {
      return Arrays.asList("iPad","iPod","iPhone");
   }
}

<#import "/spring.ftl" as spring>
<html>
<h2>My products</h2>
<ul>
<#list products as product>
    <li>$amp{product}</li>
</#list>
</ul>
<p>
    <a href="/logout">Logout</a>
</p>
</html>

keycloak.auth-server-url=http://localhost:8080/auth
keycloak.realm=springboot
keycloak.public-client=true
keycloak.resource=product-app

keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/products/*
server.port=8081

mvn clean spring-boot:run

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-security</artifactId>
</dependency>

@Configuration
@EnableWebSecurity
@ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
 class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
{
   /**
    * Registers the KeycloakAuthenticationProvider with the authentication manager.
    */
   @Autowired
   public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
      KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
      keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
      auth.authenticationProvider(keycloakAuthenticationProvider);
   }

   @Bean
   public KeycloakConfigResolver KeycloakConfigResolver() {
      return new KeycloakSpringBootConfigResolver();
   }

   /**
    * Defines the session authentication strategy.
    */
   @Bean
   @Override
   protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
      return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
   }

   @Override
   protected void configure(HttpSecurity http) throws Exception
   {
      super.configure(http);
      http
            .authorizeRequests()
            .antMatchers("/products*").hasRole("user")
            .anyRequest().permitAll();
   }
}


keycloak.principal-attribute=preferred_username

@GetMapping(path = "/products")
public String getProducts(Principal principal, Model model){
   model.addAttribute("principal",principal);
   model.addAttribute("products", productService.getProducts());
   return "products";
}

<#import "/spring.ftl" as spring>
<html>
<h2>Hello $amp{principal.getName()}</h2>
<ul>
<#list products as product>
    <li>$amp{product}</li>
</#list>
</ul>
<p>
    <a href="/logout">Logout</a>
</p>
</html>

Problem description	Possible solution
The initialization SQL needs to be adjusted	In this case, you might want to look at `initialize_sql` JDBC_PING property
When Keycloak crashes, the database is not cleared	Turn `remove_old_coords_on_view_change` property on
When Keycloak crashes, the database is not cleared	Also, when a cluster is not too large, you may turn the `remove_all_data_on_view_change` property on
Sometimes, Keycloak doesn't write its data into the database	You may lower the `info_writer_sleep_time` and `info_writer_max_writes_after_view` property values

Keycloak Blog

Keycloak 26.2.0 released

Highlights

Supported Standard Token Exchange

Fine-grained admin permissions supported

Guides for metrics and Grafana dashboards

Zero-configuration secure cluster communication

Rolling updates for optimized and customized images

Additional query parameters in Admin Events API

Logs support ECS format

New cache for CRLs loaded for the X.509 authenticator

Operator creates NetworkPolicies to restrict traffic

Option to reload trust and key material for the management interface

Dynamic Authentication Flow selection using Client Policies

JWT Client authentication aligned with the latest OIDC specification

Federated credentials are available now when fetching user credentials

Token based authentication for SMTP (XOAUTH2)

New client configuration for access token header type

OpenID for Verifiable Credential Issuance documentation

Upgrading

All resolved issues

New features

Enhancements

Bugs

Keycloak 26.1.5 released

Upgrading

All resolved issues

Enhancements

Bugs

Translating Keycloak with Weblate

Translate using Weblate

Translate using GitHub pull requests

Join the discussion and read up on the process

Register now for KubeCon Japan in June

Talks at KubeCon

Submit to KeycloakCon Japan Call-for-Papers!

Related Events

Keycloak 26.1.4 released

Upgrading

All resolved issues

Enhancements

Bugs

Meet Keycloak at KubeCon EU, London in April 2025

Keycloak community Meet & Greet at the Project Pavilion

Presenting evolving OpenID Connect and Keycloak Observability

Related Talks

See you soon!

Introducing the Keycloak Austria User Group

Keycloak 26.1.3 released

Highlights

Send Reset Email force login again for federated users after reset credentials

Upgrading

All resolved issues

Bugs

New videos about OpenID Connect and Keycloak from FOSDEM 2025

Meeting the Keycloak community on-site

Videos to re-watch

FOSDEM is all about devrooms!

Keycloak JS 26.2.0 released

Highlights

Upgrading

Keycloak Extensions show GitHub stars

Keycloak 26.1.2 released

Upgrading

All resolved issues

Deprecated features

Enhancements

Bugs

Keycloak 26.1.1 released

Highlights

New option in X.509 authenticator to abort authentication if CRL is outdated

New option in Send Reset Email to force a login after reset credentials

Upgrading

All resolved issues

Enhancements

Bugs

Keycloak Client Libraries 26.0.4 released

Upgrading

All resolved issues

Enhancements

Transport stack `jdbc-ping` as new default

New conditional authenticators `Condition - sub-flow executed` and `Condition - client scope`