Keycloak features and concepts

Keycloak is a single sign on solution for web apps and RESTful web services. The goal of Keycloak is to make security simple so that it is easy for application developers to secure the apps and services they have deployed in their organization. Security features that developers normally have to write for themselves are provided out of the box and are easily tailorable to the individual requirements of your organization. Keycloak provides customizable user interfaces for login, registration, administration, and account management. You can also use Keycloak as an integration platform to hook it into existing LDAP and Active Directory servers. You can also delegate authentication to third party identity providers like Facebook and Google.

Features

Keycloak provides the following features:

  • Single-Sign On and Single-Sign Out for browser applications.

  • OpenID Connect support.

  • OAuth 2.0 support.

  • SAML support.

  • Identity Brokering - Authenticate with external OpenID Connect or SAML Identity Providers.

  • Social Login - Enable login with Google, GitHub, Facebook, Twitter, and other social networks.

  • User Federation - Sync users from LDAP and Active Directory servers.

  • Kerberos bridge - Automatically authenticate users that are logged-in to a Kerberos server.

  • Admin Console for central management of users, roles, role mappings, clients and configuration.

  • Account Console that allows users to centrally manage their account.

  • Theme support - Customize all user facing pages to integrate with your applications and branding.

  • Two-factor Authentication - Support for TOTP/HOTP via Google Authenticator or FreeOTP.

  • Login flows - optional user self-registration, recover password, verify email, require password update, etc.

  • Session management - Admins and users themselves can view and manage user sessions.

  • Token mappers - Map user attributes, roles, etc. how you want into tokens and statements.

  • Not-before revocation policies per realm, application and user.

  • CORS support - Client adapters have built-in support for CORS.

  • Service Provider Interfaces (SPI) - A number of SPIs to enable customizing various aspects of the server. Authentication flows, user federation providers, protocol mappers and many more.

  • Supports any platform/language that has an OpenID Connect Relying Party library or SAML 2.0 Service Provider library.

Basic Keycloak operations

Keycloak is a separate server that you manage on your network. Applications are configured to point to and be secured by this server. Keycloak uses open protocol standards like OpenID Connect or SAML 2.0 to secure your applications. Browser applications redirect a user’s browser from the application to the Keycloak authentication server where they enter their credentials. This redirection is important because users are completely isolated from applications and applications never see a user’s credentials. Applications instead are given an identity token or assertion that is cryptographically signed. These tokens can have identity information like username, address, email, and other profile data. They can also hold permission data so that applications can make authorization decisions. These tokens can also be used to make secure invocations on REST-based services.

Core concepts and terms

Consider these core concepts and terms before attempting to use Keycloak to secure your web applications and REST services.

users

Users are entities that are able to log into your system. They can have attributes associated with themselves like email, username, address, phone number, and birthday. They can be assigned group membership and have specific roles assigned to them.

authentication

The process of identifying and validating a user.

authorization

The process of granting access to a user.

credentials

Credentials are pieces of data that Keycloak uses to verify the identity of a user. Some examples are passwords, one-time-passwords, digital certificates, or even fingerprints.

roles

Roles identify a type or category of user. Admin, user, manager, and employee are all typical roles that may exist in an organization. Applications often assign access and permissions to specific roles rather than individual users as dealing with users can be too fine-grained and hard to manage.

user role mapping

A user role mapping defines a mapping between a role and a user. A user can be associated with zero or more roles. This role mapping information can be encapsulated into tokens and assertions so that applications can decide access permissions on various resources they manage.

composite roles

A composite role is a role that can be associated with other roles. For example a superuser composite role could be associated with the sales-admin and order-entry-admin roles. If a user is mapped to the superuser role they also inherit the sales-admin and order-entry-admin roles.

groups

Groups manage groups of users. Attributes can be defined for a group. You can map roles to a group as well. Users that become members of a group inherit the attributes and role mappings that group defines.

realms

A realm manages a set of users, credentials, roles, and groups. A user belongs to and logs into a realm. Realms are isolated from one another and can only manage and authenticate the users that they control.

clients

Clients are entities that can request Keycloak to authenticate a user. Most often, clients are applications and services that want to use Keycloak to secure themselves and provide a single sign-on solution. Clients can also be entities that just want to request identity information or an access token so that they can securely invoke other services on the network that are secured by Keycloak.

client adapters

Client adapters are plugins that you install into your application environment to be able to communicate and be secured by Keycloak. Keycloak has a number of adapters for different platforms that you can download. There are also third-party adapters you can get for environments that we don’t cover.

consent

Consent is when you as an admin want a user to give permission to a client before that client can participate in the authentication process. After a user provides their credentials, Keycloak will pop up a screen identifying the client requesting a login and what identity information is requested of the user. User can decide whether or not to grant the request.

client scopes

When a client is registered, you must define protocol mappers and role scope mappings for that client. It is often useful to store a client scope, to make creating new clients easier by sharing some common settings. This is also useful for requesting some claims or roles to be conditionally based on the value of scope parameter. Keycloak provides the concept of a client scope for this.

client role

Clients can define roles that are specific to them. This is basically a role namespace dedicated to the client.

identity token

A token that provides identity information about the user. Part of the OpenID Connect specification.

access token

A token that can be provided as part of an HTTP request that grants access to the service being invoked on. This is part of the OpenID Connect and OAuth 2.0 specification.

assertion

Information about a user. This usually pertains to an XML blob that is included in a SAML authentication response that provided identity metadata about an authenticated user.

service account

Each client has a built-in service account which allows it to obtain an access token.

direct grant

A way for a client to obtain an access token on behalf of a user via a REST invocation.

protocol mappers

For each client you can tailor what claims and assertions are stored in the OIDC token or SAML assertion. You do this per client by creating and configuring protocol mappers.

session

When a user logs in, a session is created to manage the login session. A session contains information like when the user logged in and what applications have participated within single-sign on during that session. Both admins and users can view session information.

user federation provider

Keycloak can store and manage users. Often, companies already have LDAP or Active Directory services that store user and credential information. You can point Keycloak to validate credentials from those external stores and pull in identity information.

identity provider

An identity provider (IDP) is a service that can authenticate a user. Keycloak is an IDP.

identity provider federation

Keycloak can be configured to delegate authentication to one or more IDPs. Social login via Facebook or Google is an example of identity provider federation. You can also hook Keycloak to delegate authentication to any other OpenID Connect or SAML 2.0 IDP.

identity provider mappers

When doing IDP federation you can map incoming tokens and assertions to user and session attributes. This helps you propagate identity information from the external IDP to your client requesting authentication.

required actions

Required actions are actions a user must perform during the authentication process. A user will not be able to complete the authentication process until these actions are complete. For example, an admin may schedule users to reset their passwords every month. An update password required action would be set for all these users.

authentication flows

Authentication flows are work flows a user must perform when interacting with certain aspects of the system. A login flow can define what credential types are required. A registration flow defines what profile information a user must enter and whether something like reCAPTCHA must be used to filter out bots. Credential reset flow defines what actions a user must do before they can reset their password.

events

Events are audit streams that admins can view and hook into.

themes

Every screen provided by Keycloak is backed by a theme. Themes define HTML templates and stylesheets which you can override as needed.

Creating the first administrator

After installing Keycloak, you need an administrator account that can act as a super admin with full permissions to manage Keycloak. With this account, you can log in to the Keycloak Admin Console where you create realms and users and register applications that are secured by Keycloak.

Creating the account on the local host

If your server is accessible from localhost, perform these steps.

Procedure
  1. In a web browser, go to the http://localhost:8080 URL.

  2. Supply a username and password that you can recall.

    Welcome page

    Welcome page

Creating the account remotely

If you cannot access the server from a localhost address or just want to start Keycloak from the command line, use the KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD environment variables to create an initial admin account.

For example:

export KC_BOOTSTRAP_ADMIN_USERNAME=<username>
export KC_BOOTSTRAP_ADMIN_PASSWORD=<password>

bin/kc.[sh|bat] start

Configuring realms

Once you have an administrative account for the Admin Console, you can configure realms. A realm is a space where you manage objects, including users, applications, roles, and groups. A user belongs to and logs into a realm. One Keycloak deployment can define, store, and manage as many realms as there is space for in the database.

Using the Admin Console

You configure realms and perform most administrative tasks in the Keycloak Admin Console.

Prerequisites
Procedure
  1. Go to the URL for the Admin Console.

    For example, for localhost, use this URL: http://localhost:8080/admin/

    Login page

    Login page

  2. Enter the username and password you created on the Welcome Page or through environment variables as per Creating the initial admin user guide. This action displays the Admin Console.

    Admin Console

    Admin Console

  3. Note the menus and other options that you can use:

    • Click the menu labeled Master to pick a realm you want to manage or to create a new one.

    • Click the top right list to view your account or log out.

    • Hover over a question mark ? icon to show a tooltip text that describes that field. The image above shows the tooltip in action.

    • Click a question mark ? icon to show a tooltip text that describes that field. The image above shows the tooltip in action.

Export files from the Admin Console are not suitable for backups or data transfer between servers. Only boot-time exports are suitable for backups or data transfer between servers.

The master realm

In the Admin Console, two types of realms exist:

  • Master realm - This realm was created for you when you first started Keycloak. It contains the administrator account you created at the first login. Use the master realm only to create and manage the realms in your system.

  • Other realms - These realms are created by the administrator in the master realm. In these realms, administrators manage the users in your organization and the applications they need. The applications are owned by the users.

Realms and applications

Realms and applications

Realms are isolated from one another and can only manage and authenticate the users that they control. Following this security model helps prevent accidental changes and follows the tradition of permitting user accounts access to only those privileges and powers necessary for the successful completion of their current task.

Additional resources
  • See Dedicated Realm Admin Consoles if you want to disable the master realm and define administrator accounts within any new realm you create. Each realm has its own dedicated Admin Console that you can log into with local accounts.

Creating a realm

You create a realm to provide a management space where you can create users and give them permissions to use applications. At first login, you are typically in the master realm, the top-level realm from which you create other realms.

When deciding what realms you need, consider the kind of isolation you want to have for your users and applications. For example, you might create a realm for the employees of your company and a separate realm for your customers. Your employees would log into the employee realm and only be able to visit internal company applications. Customers would log into the customer realm and only be able to interact with customer-facing apps.

Procedure
  1. Click Keycloak next to master realm, then click Create Realm.

    Add realm menu

    Add realm menu

  2. Enter a name for the realm.

  3. Click Create.

    Create realm

    Create realm

    The current realm is now set to the realm you just created. You can switch between realms by clicking the realm name in the menu.

Configuring SSL for a realm

Each realm has an associated SSL Mode, which defines the SSL/HTTPS requirements for interacting with the realm. Browsers and applications that interact with the realm honor the SSL/HTTPS requirements defined by the SSL Mode or they cannot interact with the server.

Procedure
  1. Click Realm settings in the menu.

  2. Click the General tab.

    General tab

    General Tab

  3. Set Require SSL to one of the following SSL modes:

    • External requests Users can interact with Keycloak without SSL so long as they stick to private IPv4 addresses such as localhost, 127.0.0.1, 10.x.x.x, 192.168.x.x, 172.16.x.x or IPv6 link-local and unique-local addresses. If you try to access Keycloak without SSL from a non-private IP address, you will get an error.

    • None Keycloak does not require SSL. This choice applies only in development when you are experimenting and do not plan to support this deployment.

    • All requests Keycloak requires SSL for all IP addresses.

Configuring email for a realm

Keycloak sends emails to users to verify their email addresses, when they forget their passwords, or when an administrator needs to receive notifications about a server event. To enable Keycloak to send emails, you provide Keycloak with your SMTP server settings.

Procedure
  1. Click Realm settings in the menu.

  2. Click the Email tab.

    Email tab

    Email Tab

  3. Fill in the fields and toggle the switches as needed.

Template
From

From denotes the address used for the From SMTP-Header for the emails sent.

From display name

From display name allows to configure a user-friendly email address aliases (optional). If not set the plain From email address will be displayed in email clients.

Reply to

Reply to denotes the address used for the Reply-To SMTP-Header for the mails sent (optional). If not set the plain From email address will be used.

Reply to display name

Reply to display name allows to configure a user-friendly email address aliases (optional). If not set the plain Reply To email address will be displayed.

Envelope from

Envelope from denotes the Bounce Address used for the Return-Path SMTP-Header for the mails sent (optional).

Connection & Authentication
Host

Host denotes the SMTP server hostname used for sending emails.

Port

Port denotes the SMTP server port.

Encryption

Tick one of these checkboxes to support sending emails for recovering usernames and passwords, especially if the SMTP server is on an external network. You will most likely need to change the Port to 465, the default port for SSL/TLS.

Authentication

Set this switch to ON if your SMTP server requires authentication. When prompted, supply the Username and Password. The value of the Password field can refer a value from an external vault.

Configuring themes

For a given realm, you can change the appearance of any UI in Keycloak by using themes.

Procedure
  1. Click Realm setting in the menu.

  2. Click the Themes tab.

    Themes tab

    Themes tab

  3. Pick the theme you want for each UI category and click Save.

    Login theme

    Username password entry, OTP entry, new user registration, and other similar screens related to login.

    Account theme

    The console used by the user to manage his or her account.

    Admin console theme

    The skin of the Keycloak Admin Console.

    Email theme

    Whenever Keycloak has to send out an email, it uses templates defined in this theme to craft the email.

Additional resources

Enabling internationalization

Every UI screen is internationalized in Keycloak. The default language is English, but you can choose which locales you want to support and what the default locale will be.

Procedure
  1. Click Realm Settings in the menu.

  2. Click the Localization tab.

  3. Enable Internationalization.

  4. Select the languages you will support.

    Localization tab

    Localization tab

    The next time a user logs in, that user can choose a language on the login page to use for the login screens, Account Console, and Admin Console.

Additional resources
  • The Server Developer Guide explains how you can offer additional languages. All internationalized texts which are provided by the theme can be overwritten by realm-specific texts on the Localization tab.

User locale selection

A locale selector provider suggests the best locale on the information available. However, it is often unknown who the user is. For this reason, the previously authenticated user’s locale is remembered in a persisted cookie.

The logic for selecting the locale uses the first of the following that is available:

  • User selected - when the user has selected a locale using the drop-down locale selector

  • User profile - when there is an authenticated user and the user has a preferred locale set

  • Client selected - passed by the client using for example ui_locales parameter

  • Cookie - last locale selected on the browser

  • Accepted language - locale from Accept-Language header

  • Realm default

  • If none of the above, fall back to English

When a user is authenticated an action is triggered to update the locale in the persisted cookie mentioned earlier. If the user has actively switched the locale through the locale selector on the login pages the users locale is also updated at this point.

If you want to change the logic for selecting the locale, you have an option to create custom LocaleSelectorProvider. For details, please refer to the Server Developer Guide.

Controlling login options

Keycloak includes several built-in login page features.

Enabling forgot password

If you enable Forgot password, users can reset their login credentials if they forget their passwords or lose their OTP generator.

Procedure
  1. Click Realm settings in the menu.

  2. Click the Login tab.

    Login tab

    Login Tab

  3. Toggle Forgot password to ON.

    A Forgot Password? link displays in your login pages.

    Forgot password link

    Forgot Password Link

  4. Specify Host and From in the Email tab in order for Keycloak to be able to send the reset email.

  5. Click this link to bring users where they can enter their username or email address and receive an email with a link to reset their credentials.

    Forgot password page

    Forgot Password Page

The text sent in the email is configurable. See Server Developer Guide for more information.

When users click the email link, Keycloak asks them to update their password, and if they have set up an OTP generator, Keycloak asks them to reconfigure the OTP generator. Depending on security requirements of your organization, you may not want users to reset their OTP generator through email.

To change this behavior, perform these steps:

Procedure
  1. Click Authentication in the menu.

  2. Click the Flows tab.

  3. Select the Reset Credentials flow.

    Reset credentials flow

    Reset Credentials Flow

    If you do not want to reset the OTP, set the Reset - Conditional OTP sub-flow requirement to Disabled.

  4. Click Authentication in the menu.

  5. Click the Required actions tab.

  6. Ensure Update Password is enabled.

    Required Actions

    Required Actions

Enabling Remember Me

A logged-in user closing their browser destroys their session, and that user must log in again. You can set Keycloak to keep the user’s login session open if that user clicks the Remember Me checkbox upon login. This action turns the login cookie from a session-only cookie to a persistence cookie.

Procedure
  1. Click Realm settings in the menu.

  2. Click the Login tab.

  3. Toggle the Remember Me switch to On.

    Login tab

    Login Tab Remember Me

    When you save this setting, a remember me checkbox displays on the realm’s login page.

    Remember Me

    Remember Me

ACR to Level of Authentication (LoA) Mapping

In the general settings of a realm, you can define which Authentication Context Class Reference (ACR) value is mapped to which Level of Authentication (LoA). The ACR can be any value, whereas the LoA must be numeric. The acr claim can be requested in the claims or acr_values parameter sent in the OIDC request and it is also included in the access token and ID token. The mapped number is used in the authentication flow conditions.

Mapping can be also specified at the client level in case that particular client needs to use different values than realm. However, a best practice is to stick to realm mappings.

ACR to LoA mapping

Update Email Workflow (UpdateEmail)

With this workflow, users will have to use an UPDATE_EMAIL action to change their own email address.

The action is associated with a single email input form. If the realm has email verification disabled, this action will allow to update the email without verification. If the realm has email verification enabled, the action will send an email update action token to the new email address without changing the account email. Only the action token triggering will complete the email update.

Applications are able to send their users to the email update form by leveraging UPDATE_EMAIL as an AIA (Application Initiated Action).

UpdateEmail is Preview and is not fully supported. This feature is disabled by default.

To enable start the server with --features=preview or --features=update-email

If you enable this feature and you are migrating from a previous version, enable the Update Email required action in your realms. Otherwise, users cannot update their email addresses.

Configuring realm keys

The authentication protocols that are used by Keycloak require cryptographic signatures and sometimes encryption. Keycloak uses asymmetric key pairs, a private and public key, to accomplish this.

Keycloak has a single active key pair at a time, but can have several passive keys as well. The active key pair is used to create new signatures, while the passive key pair can be used to verify previous signatures. This makes it possible to regularly rotate the keys without any downtime or interruption to users.

When a realm is created, a key pair and a self-signed certificate is automatically generated.

Procedure
  1. Click Realm settings in the menu.

  2. Click Keys.

  3. Select Passive keys from the filter dropdown to view passive keys.

  4. Select Disabled keys from the filter dropdown to view disabled keys.

A key pair can have the status Active, but still not be selected as the currently active key pair for the realm. The selected active pair which is used for signatures is selected based on the first key provider sorted by priority that is able to provide an active key pair.

Rotating keys

We recommend that you regularly rotate keys. Start by creating new keys with a higher priority than the existing active keys. You can instead create new keys with the same priority and making the previous keys passive.

Once new keys are available, all new tokens and cookies will be signed with the new keys. When a user authenticates to an application, the SSO cookie is updated with the new signature. When OpenID Connect tokens are refreshed new tokens are signed with the new keys. Eventually, all cookies and tokens use the new keys and after a while the old keys can be removed.

The frequency of deleting old keys is a tradeoff between security and making sure all cookies and tokens are updated. Consider creating new keys every three to six months and deleting old keys one to two months after you create the new keys. If a user was inactive in the period between the new keys being added and the old keys being removed, that user will have to re-authenticate.

Rotating keys also applies to offline tokens. To make sure they are updated, the applications need to refresh the tokens before the old keys are removed.

Adding a generated key pair

Use this procedure to generate a key pair including a self-signed certificate.

Procedure
  1. Select the realm in the Admin Console.

  2. Click Realm settings in the menu.

  3. Click the Keys tab.

  4. Click the Providers tab.

  5. Click Add provider and select rsa-generated.

  6. Enter a number in the Priority field. This number determines if the new key pair becomes the active key pair. The highest number makes the key pair active.

  7. Select a value for AES Key size.

  8. Click Save.

Changing the priority for a provider will not cause the keys to be re-generated, but if you want to change the keysize you can edit the provider and new keys will be generated.

Rotating keys by extracting a certificate

You can rotate keys by extracting a certificate from an RSA generated key pair and using that certificate in a new keystore.

Prerequisites
  • A generated key pair

Procedure
  1. Select the realm in the Admin Console.

  2. Click Realm Settings.

  3. Click the Keys tab.

    A list of Active keys appears.

  4. On a row with an RSA key, click Certificate under Public Keys.

    The certificate appears in text form.

  5. Save the certificate to a file and enclose it in these lines.

    ----Begin Certificate----
    <Output>
    ----End Certificate----
  6. Use the keytool command to convert the key file to PEM Format.

  7. Remove the current RSA public key certificate from the keystore.

    keytool -delete -keystore <keystore>.jks -storepass <password> -alias <key>
  8. Import the new certificate into the keystore

    keytool -importcert -file domain.crt -keystore <keystore>.jks -storepass <password>  -alias <key>
  9. Rebuild the application.

    mvn clean install wildfly:deploy

Adding an existing key pair and certificate

To add a key pair and certificate obtained elsewhere select Providers and choose rsa from the dropdown. You can change the priority to make sure the new key pair becomes the active key pair.

Prerequisites
  • A private key file. The file must be PEM formatted.

Procedure
  1. Select the realm in the Admin Console.

  2. Click Realm settings.

  3. Click the Keys tab.

  4. Click the Providers tab.

  5. Click Add provider and select rsa.

  6. Enter a number in the Priority field. This number determines if the new key pair becomes the active key pair.

  7. Click Browse…​ beside Private RSA Key to upload the private key file.

  8. If you have a signed certificate for your private key, click Browse…​ beside X509 Certificate to upload the certificate file. Keycloak automatically generates a self-signed certificate if you do not upload a certificate.

  9. Click Save.

Loading keys from a Java Keystore

To add a key pair and certificate stored in a Java Keystore file on the host select Providers and choose java-keystore from the dropdown. You can change the priority to make sure the new key pair becomes the active key pair.

For the associated certificate chain to be loaded it must be imported to the Java Keystore file with the same Key Alias used to load the key pair.

Procedure
  1. Select the realm in the Admin Console.

  2. Click Realm settings in the menu.

  3. Click the Keys tab.

  4. Click the Providers tab.

  5. Click Add provider and select java-keystore.

  6. Enter a number in the Priority field. This number determines if the new key pair becomes the active key pair.

  7. Enter the desired Algorithm. Note that the algorithm should match the key type (for example RS256 requires a RSA private key, ES256 a EC private key or AES an AES secret key).

  8. Enter a value for Keystore. Path to the keystore file.

  9. Enter the Keystore Password. The option can refer a value from an external vault.

  10. Enter a value for Keystore Type (JKS, PKCS12 or BCFKS).

  11. Enter a value for the Key Alias to load from the keystore.

  12. Enter the Key Password. The option can refer a value from an external vault.

  13. Enter a value for Key Use (sig for signing or enc for encryption). Note that the use should match the algorithm type (for example RS256 is sig but RSA-OAEP is enc)

  14. Click Save.

Not all the keystore types support all types of keys. For example, JKS in all modes and PKCS12 in fips mode (BCFIPS provider) cannot store secret key entries.

Making keys passive

Procedure
  1. Select the realm in the Admin Console.

  2. Click Realm settings in the menu.

  3. Click the Keys tab.

  4. Click the Providers tab.

  5. Click the provider of the key you want to make passive.

  6. Toggle Active to Off.

  7. Click Save.

Disabling keys

Procedure
  1. Select the realm in the Admin Console.

  2. Click Realm settings in the menu.

  3. Click the Keys tab.

  4. Click the Providers tab.

  5. Click the provider of the key you want to make passive.

  6. Toggle Enabled to Off.

  7. Click Save.

Compromised keys

Keycloak has the signing keys stored just locally and they are never shared with the client applications, users or other entities. However, if you think that your realm signing key was compromised, you should first generate new key pair as described above and then immediately remove the compromised key pair.

Alternatively, you can delete the provider from the Providers table.

Procedure
  1. Click Clients in the menu.

  2. Click security-admin-console.

  3. Scroll down to the Access settings section.

  4. Fill in the Admin URL field.

  5. Click the Advanced tab.

  6. Click Set to now in the Revocation section.

  7. Click Push.

Pushing the not-before policy ensures that client applications do not accept the existing tokens signed by the compromised key. The client application is forced to download new key pairs from Keycloak also so the tokens signed by the compromised key will be invalid.

REST and confidential clients must set Admin URL so Keycloak can send clients the pushed not-before policy request.

Using external storage

Organizations can have databases containing information, passwords, and other credentials. Typically, you cannot migrate existing data storage to a Keycloak deployment so Keycloak can federate existing external user databases. Keycloak supports LDAP and Active Directory, but you can also code extensions for any custom user database by using the Keycloak User Storage SPI.

When a user attempts to log in, Keycloak examines that user’s storage to find that user. If Keycloak does not find the user, Keycloak iterates over each User Storage provider for the realm until it finds a match. Data from the external data storage then maps into a standard user model the Keycloak runtime consumes. This user model then maps to OIDC token claims and SAML assertion attributes.

External user databases rarely have the data necessary to support all the features of Keycloak, so the User Storage Provider can opt to store items locally in Keycloak user data storage. Providers can import users locally and sync periodically with external data storage. This approach depends on the capabilities of the provider and the configuration of the provider. For example, your external user data storage may not support OTP. The OTP can be handled and stored by Keycloak, depending on the provider.

Adding a provider

To add a storage provider, perform the following procedure:

Procedure
  1. Click User Federation in the menu.

    User federation

    User federation

  2. Select the provider type card from the listed cards.

    Keycloak brings you to that provider’s configuration page.

Dealing with provider failures

If a User Storage Provider fails, you may not be able to log in and view users in the Admin Console. Keycloak does not detect failures when using a Storage Provider to look up a user, so it cancels the invocation. If you have a Storage Provider with a high priority that fails during user lookup, the login or user query fails with an exception and will not fail over to the next configured provider.

Keycloak searches the local Keycloak user database first to resolve users before any LDAP or custom User Storage Provider. Consider creating an administrator account stored in the local Keycloak user database in case of problems connecting to your LDAP and back ends.

Each LDAP and custom User Storage Provider has an enable toggle on its Admin Console page. Disabling the User Storage Provider skips the provider when performing queries, so you can view and log in with user accounts in a different provider with lower priority. If your provider uses an import strategy and is disabled, imported users are still available for lookup in read-only mode.

When a Storage Provider lookup fails, Keycloak does not fail over because user databases often have duplicate usernames or duplicate emails between them. Duplicate usernames and emails can cause problems because the user loads from one external data store when the admin expects them to load from another data store.

Lightweight Directory Access Protocol (LDAP) and Active Directory

Keycloak includes an LDAP/AD provider. You can federate multiple different LDAP servers in one Keycloak realm and map LDAP user attributes into the Keycloak common user model.

By default, Keycloak maps the username, email, first name, and last name of the user account, but you can also configure additional mappings. Keycloak’s LDAP/AD provider supports password validation using LDAP/AD protocols and storage, edit, and synchronization modes.

Configuring federated LDAP storage

Procedure
  1. Click User Federation in the menu.

    User federation

    User federation

  2. Click Add LDAP providers.

    Keycloak brings you to the LDAP configuration page.

Storage mode

Keycloak imports users from LDAP into the local Keycloak user database. This copy of the user database synchronizes on-demand or through a periodic background task. An exception exists for synchronizing passwords. Keycloak never imports passwords. Password validation always occurs on the LDAP server.

The advantage of synchronization is that all Keycloak features work efficiently because any required extra per-user data is stored locally. The disadvantage is that each time Keycloak queries a specific user for the first time, Keycloak performs a corresponding database insert.

You can synchronize the import with your LDAP server. Import synchronization is unnecessary when LDAP mappers always read particular attributes from the LDAP rather than the database.

You can use LDAP with Keycloak without importing users into the Keycloak user database. The LDAP server backs up the common user model that the Keycloak runtime uses. If LDAP does not support data that a Keycloak feature requires, that feature will not work. The advantage of this approach is that you do not have the resource usage of importing and synchronizing copies of LDAP users into the Keycloak user database.

The Import Users switch on the LDAP configuration page controls this storage mode. To import users, toggle this switch to ON.

If you disable Import Users, you cannot save user profile attributes into the Keycloak database. Also, you cannot save metadata except for user profile metadata mapped to the LDAP. This metadata can include role mappings, group mappings, and other metadata based on the LDAP mappers' configuration.

When you attempt to change the non-LDAP mapped user data, the user update is not possible. For example, you cannot disable the LDAP mapped user unless the user’s enabled flag maps to an LDAP attribute.

Edit mode

Users and admins can modify user metadata, users through the Account Console, and administrators through the Admin Console. The Edit Mode configuration on the LDAP configuration page defines the user’s LDAP update privileges.

READONLY

You cannot change the username, email, first name, last name, and other mapped attributes. Keycloak shows an error anytime a user attempts to update these fields. Password updates are not supported.

WRITABLE

You can change the username, email, first name, last name, and other mapped attributes and passwords and synchronize them automatically with the LDAP store.

UNSYNCED

Keycloak stores changes to the username, email, first name, last name, and passwords in Keycloak local storage, so the administrator must synchronize this data back to LDAP. In this mode, Keycloak deployments can update user metadata on read-only LDAP servers. This option also applies when importing users from LDAP into the local Keycloak user database.

When Keycloak creates the LDAP provider, Keycloak also creates a set of initial LDAP mappers. Keycloak configures these mappers based on a combination of the Vendor, Edit Mode, and Import Users switches. For example, when edit mode is UNSYNCED, Keycloak configures the mappers to read a particular user attribute from the database and not from the LDAP server. However, if you later change the edit mode, the mapper’s configuration does not change because it is impossible to detect if the configuration changes changed in UNSYNCED mode. Decide the Edit Mode when creating the LDAP provider. This note applies to Import Users switch also.

Other configuration options

Console Display Name

The name of the provider to display in the admin console.

Priority

The priority of the provider when looking up users or adding a user.

Sync Registrations

Toggle this switch to ON if you want new users created by Keycloak added to LDAP.

Allow Kerberos authentication

Enable Kerberos/SPNEGO authentication in the realm with user data provisioned from LDAP. For more information, see the Kerberos section.

Other options

Hover the mouse pointer over the tooltips in the Admin Console to see more details about these options.

Connecting to LDAP over SSL

When you configure a secure connection URL to your LDAP store (for example,ldaps://myhost.com:636), Keycloak uses SSL to communicate with the LDAP server. Configure a truststore on the Keycloak server side so that Keycloak can trust the SSL connection to LDAP - see Configuring a Truststore guide.

The Use Truststore SPI configuration property is deprecated. It should normally be left as Always.

Synchronizing LDAP users to Keycloak

If you set the Import Users option, the LDAP Provider handles importing LDAP users into the Keycloak local database. The first time a user logs in or is returned as part of a user query (e.g. using the search field in the admin console), the LDAP provider imports the LDAP user into the Keycloak database. During authentication, the LDAP password is validated.

If you want to sync all LDAP users into the Keycloak database, configure and enable the Sync Settings on the LDAP provider configuration page.

Two types of synchronization exist:

Periodic Full sync

This type synchronizes all LDAP users into the Keycloak database. The LDAP users already in Keycloak, but different in LDAP, directly update in the Keycloak database.

Periodic Changed users sync

When synchronizing, Keycloak creates or updates users created or updated after the last sync only.

The best way to synchronize is to click Synchronize all users when you first create the LDAP provider, then set up periodic synchronization of changed users.

LDAP mappers

LDAP mappers are listeners triggered by the LDAP Provider. They provide another extension point to LDAP integration. LDAP mappers are triggered when:

  • Users log in by using LDAP.

  • Users initially register.

  • The Admin Console queries a user.

When you create an LDAP Federation provider, Keycloak automatically provides a set of mappers for this provider. This set is changeable by users, who can also develop mappers or update/delete existing ones.

User Attribute Mapper

This mapper specifies which LDAP attribute maps to the attribute of the Keycloak user. For example, you can configure the mail LDAP attribute to the email attribute in the Keycloak database. For this mapper implementation, a one-to-one mapping always exists.

FullName Mapper

This mapper specifies the full name of the user. Keycloak saves the name in an LDAP attribute (usually cn) and maps the name to the firstName and lastname attributes in the Keycloak database. Having cn to contain the full name of the user is common for LDAP deployments.

When you register new users in Keycloak and Sync Registrations is ON for the LDAP provider, the fullName mapper permits falling back to the username. This fallback is useful when using Microsoft Active Directory (MSAD). The common setup for MSAD is to configure the cn LDAP attribute as fullName and, at the same time, use the cn LDAP attribute as the RDN LDAP Attribute in the LDAP provider configuration. With this setup, Keycloak falls back to the username. For example, if you create Keycloak user "john123" and leave firstName and lastName empty, then the fullname mapper saves "john123" as the value of the cn in LDAP. When you enter "John Doe" for firstName and lastName later, the fullname mapper updates LDAP cn to the "John Doe" value as falling back to the username is unnecessary.

Hardcoded Attribute Mapper

This mapper adds a hardcoded attribute value to each Keycloak user linked with LDAP. This mapper can also force values for the enabled or emailVerified user properties.

Role Mapper

This mapper configures role mappings from LDAP into Keycloak role mappings. A single role mapper can map LDAP roles (usually groups from a particular branch of the LDAP tree) into roles corresponding to a specified client’s realm roles or client roles. You can configure more Role mappers for the same LDAP provider. For example, you can specify that role mappings from groups under ou=main,dc=example,dc=org map to realm role mappings, and role mappings from groups under ou=finance,dc=example,dc=org map to client role mappings of client finance.

Hardcoded Role Mapper

This mapper grants a specified Keycloak role to each Keycloak user from the LDAP provider.

Group Mapper

This mapper maps LDAP groups from a branch of an LDAP tree into groups within Keycloak. This mapper also propagates user-group mappings from LDAP into user-group mappings in Keycloak.

MSAD User Account Mapper

This mapper is specific to Microsoft Active Directory (MSAD). It can integrate the MSAD user account state into the Keycloak account state, such as enabled account or expired password. This mapper uses the userAccountControl, and pwdLastSet LDAP attributes, specific to MSAD and are not the LDAP standard. For example, if the value of pwdLastSet is 0, the Keycloak user must update their password. The result is an UPDATE_PASSWORD required action added to the user. If the value of userAccountControl is 514 (disabled account), the Keycloak user is disabled.

Certificate Mapper

This mapper maps X.509 certificates. Keycloak uses it in conjunction with X.509 authentication and Full certificate in PEM format as an identity source. This mapper behaves similarly to the User Attribute Mapper, but Keycloak can filter for an LDAP attribute storing a PEM or DER format certificate. Enable Always Read Value From LDAP with this mapper.

User Attribute mappers that map basic Keycloak user attributes, such as username, firstname, lastname, and email, to corresponding LDAP attributes. You can extend these and provide your own additional attribute mappings. The Admin Console provides tooltips to help with configuring the corresponding mappers.

Password hashing

When Keycloak updates a password, Keycloak sends the password in plain-text format. This action is different from updating the password in the built-in Keycloak database, where Keycloak hashes and salts the password before sending it to the database. For LDAP, Keycloak relies on the LDAP server to hash and salt the password.

By default, LDAP servers such as MSAD, RHDS, or FreeIPA hash and salt passwords. Other LDAP servers such as OpenLDAP or ApacheDS store the passwords in plain-text unless you use the LDAPv3 Password Modify Extended Operation as described in RFC3062. Enable the LDAPv3 Password Modify Extended Operation in the LDAP configuration page. See the documentation of your LDAP server for more details.

Always verify that user passwords are properly hashed and not stored as plaintext by inspecting a changed directory entry using ldapsearch and base64 decode the userPassword attribute value.

Configuring the connection pool

For more efficiency when managing LDAP connections and to improve performance when handling multiple connections, you can enable connection pooling. By doing that, when a connection is closed, it will be returned to the pool for future use therefore reducing the cost of creating new connections all the time.

The LDAP connection pool configuration is configured using the following system properties:

Name Description

com.sun.jndi.ldap.connect.pool.authentication

A list of space-separated authentication types of connections that may be pooled. Valid types are "none", "simple", and "DIGEST-MD5"

com.sun.jndi.ldap.connect.pool.initsize

The string representation of an integer that represents the number of connections per connection identity to create when initially creating a connection for the identity

com.sun.jndi.ldap.connect.pool.maxsize

The string representation of an integer that represents the maximum number of connections per connection identity that can be maintained concurrently

com.sun.jndi.ldap.connect.pool.prefsize

The string representation of an integer that represents the preferred number of connections per connection identity that should be maintained concurrently

com.sun.jndi.ldap.connect.pool.timeout

The string representation of an integer that represents the number of milliseconds that an idle connection may remain in the pool without being closed and removed from the pool

com.sun.jndi.ldap.connect.pool.protocol

A list of space-separated protocol types of connections that may be pooled. Valid types are "plain" and "ssl"

com.sun.jndi.ldap.connect.pool.debug

A string that indicates the level of debug output to produce. Valid values are "fine" (trace connection creation and removal) and "all" (all debugging information)

For more details, see the Java LDAP Connection Pooling Configuration documentation.

To set any of these properties, you can set the JAVA_OPTS_APPEND environment variable:

export JAVA_OPTS_APPEND=-Dcom.sun.jndi.ldap.connect.pool.initsize=10 -Dcom.sun.jndi.ldap.connect.pool.maxsize=50

Troubleshooting

It is useful to increase the logging level to TRACE for the category org.keycloak.storage.ldap. With this setting, many logging messages are sent to the server log in the TRACE level, including the logging for all queries to the LDAP server and the parameters, which were used to send the queries. When you are creating any LDAP question on user forum or JIRA, consider attaching the server log with enabled TRACE logging. If it is too big, the good alternative is to include just the snippet from server log with the messages, which were added to the log during the operation, which causes the issues to you.

  • When you create an LDAP provider, a message appears in the server log in the INFO level starting with:

Creating new LDAP Store for the LDAP storage provider: ...

It shows the configuration of your LDAP provider. Before you are asking the questions or reporting bugs, it will be nice to include this message to show your LDAP configuration. Eventually feel free to replace some config changes, which you do not want to include, with some placeholder values. One example is bindDn=some-placeholder . For connectionUrl, feel free to replace it as well, but it is generally useful to include at least the protocol, which was used (ldap vs ldaps)`. Similarly it can be useful to include the details for configuration of your LDAP mappers, which are displayed with the message like this at the DEBUG level:

Mapper for provider: XXX, Mapper name: YYY, Provider: ZZZ ...

Note those messages are displayed just with the enabled DEBUG logging.

  • For tracking the performance or connection pooling issues, consider setting the value of property com.sun.jndi.ldap.connect.pool.debug to all. This change adds many additional messages to the server log with the included logging for the LDAP connection pooling. As a result, you can track the issues related to connection pooling or performance. For more details, see Configuring the connection pool.

After changing the configuration of connection pooling, you may need to restart the Keycloak server to enforce re-initialization of the LDAP provider connection.

If no more messages appear for connection pooling even after server restart, it can indicate that connection pooling does not work with your LDAP server.

  • For the case of reporting LDAP issue, you may consider to attach some part of your LDAP tree with the target data, which causes issues in your environment. For example if login of some user takes lot of time, you can consider attach his LDAP entry showing count of member attributes of various "group" entries. In this case, it might be useful to add if those group entries are mapped to some Group LDAP mapper (or Role LDAP Mapper) in Keycloak and so on.

SSSD and FreeIPA Identity Management integration

Keycloak includes the System Security Services Daemon (SSSD) plugin. SSSD is part of the Fedora and Red Hat Enterprise Linux (RHEL), and it provides access to multiple identities and authentication providers. SSSD also provides benefits such as failover and offline support. For more information, see the Red Hat Enterprise Linux Identity Management documentation.

SSSD integrates with the FreeIPA identity management (IdM) server, providing authentication and access control. With this integration, Keycloak can authenticate against privileged access management (PAM) services and retrieve user data from SSSD. For more information about using Red Hat Identity Management in Linux environments, see the Red Hat Enterprise Linux Identity Management documentation.

keycloak sssd freeipa integration overview

Keycloak and SSSD communicate through read-only D-Bus interfaces. For this reason, the way to provision and update users is to use the FreeIPA/IdM administration interface. By default, the interface imports the username, email, first name, and last name.

Keycloak registers groups and roles automatically but does not synchronize them. Any changes made by the Keycloak administrator in Keycloak do not synchronize with SSSD.

FreeIPA/IdM server

The FreeIPA Container image is available at Quay.io. To set up the FreeIPA server, see the FreeIPA documentation.

Procedure
  1. Run your FreeIPA server using this command:

     docker run --name freeipa-server-container -it \
     -h server.freeipa.local -e PASSWORD=YOUR_PASSWORD \
     -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
     -v /var/lib/ipa-data:/data:Z freeipa/freeipa-server

    The parameter -h with server.freeipa.local represents the FreeIPA/IdM server hostname. Change YOUR_PASSWORD to a password of your own.

  2. After the container starts, change the /etc/hosts file to include:

    x.x.x.x     server.freeipa.local

    If you do not make this change, you must set up a DNS server.

  3. Use the following command to enroll your Linux server in the IPA domain so that the SSSD federation provider starts and runs on Keycloak:

     ipa-client-install --mkhomedir -p admin -w password
  4. Run the following command on the client to verify the installation is working:

     kinit admin
  5. Enter your password.

  6. Add users to the IPA server using this command:

    $ ipa user-add <username> --first=<first name> --last=<surname> --email=<email address> --phone=<telephoneNumber> --street=<street> --city=<city> --state=<state> --postalcode=<postal code> --password
  7. Force set the user’s password using kinit.

     kinit <username>
  8. Enter the following to restore normal IPA operation:

    kdestroy -A
    kinit admin

SSSD and D-Bus

The federation provider obtains the data from SSSD using D-BUS. It authenticates the data using PAM.

Procedure
  1. Install the sssd-dbus RPM.

    $ sudo yum install sssd-dbus
  2. Run the following provisioning script:

    $ bin/federation-sssd-setup.sh

    The script can also be used as a guide to configure SSSD and PAM for Keycloak. It makes the following changes to /etc/sssd/sssd.conf:

      [domain/your-hostname.local]
      ...
      ldap_user_extra_attrs = mail:mail, sn:sn, givenname:givenname, telephoneNumber:telephoneNumber
      ...
      [sssd]
      services = nss, sudo, pam, ssh, ifp
      ...
      [ifp]
      allowed_uids = root, yourOSUsername
      user_attributes = +mail, +telephoneNumber, +givenname, +sn

    The ifp service is added to SSSD and configured to allow the OS user to interrogate the IPA server through this interface.

    The script also creates a new PAM service /etc/pam.d/keycloak to authenticate users via SSSD:

    auth    required   pam_sss.so
    account required   pam_sss.so
  3. Run dbus-send to ensure the setup is successful.

    dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:<username> array:string:mail,givenname,sn,telephoneNumber
    
    dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserGroups string:<username>

    If the setup is successful, each command displays the user’s attributes and groups respectively. If there is a timeout or an error, the federation provider running on Keycloak cannot retrieve any data. This error usually happens because the server is not enrolled in the FreeIPA IdM server, or does not have permission to access the SSSD service.

    If you do not have permission to access the SSSD service, ensure that the user running the Keycloak server is in the /etc/sssd/sssd.conf file in the following section:

    [ifp]
    allowed_uids = root, yourOSUsername

    And the ipaapi system user is created inside the host. This user is necessary for the ifp service. Check the user is created in the system.

    grep ipaapi /etc/passwd
    ipaapi:x:992:988:IPA Framework User:/:/sbin/nologin

Enabling the SSSD federation provider

Keycloak uses DBus-Java project to communicate at a low level with D-Bus and JNA to authenticate via Operating System Pluggable Authentication Modules (PAM).

Although now Keycloak contains all the needed libraries to run the SSSD provider, JDK version 21 is needed. Therefore the SSSD provider will only be displayed when the host configuration is correct and JDK 21 is used to run Keycloak.

Configuring a federated SSSD store

After the installation, configure a federated SSSD store.

Procedure
  1. Click User Federation in the menu.

  2. If everything is setup successfully the Add Sssd providers button will be displayed in the page. Click on it.

  3. Assign a name to the new provider.

  4. Click Save.

You can now authenticate against Keycloak using a FreeIPA/IdM user and credentials.

Custom providers

Keycloak does have a Service Provider Interface (SPI) for User Storage Federation to develop custom providers. You can find documentation on developing customer providers in the Server Developer Guide.

Managing users

From the Admin Console, you have a wide range of actions you can perform to manage users.

Creating users

You create users in the realm where you intend to have applications needed by those users. Avoid creating users in the master realm, which is only intended for creating other realms.

Prerequisite
  • You are in a realm other than the master realm.

Procedure
  1. Click Users in the menu.

  2. Click Add User.

  3. Enter the details for the new user.

    Username is the only required field.
  4. Click Save. After saving the details, the Management page for the new user is displayed.

Managing user attributes

In Keycloak a user is associated with a set of attributes. These attributes are used to better describe and identify users within Keycloak as well as to pass over additional information about them to applications.

A user profile defines a well-defined schema for representing user attributes and how they are managed within a realm. By providing a consistent view over user information, it allows administrators to control the different aspects on how attributes are managed as well as to make it much easier to extend Keycloak to support additional attributes.

Although the user profile is mainly targeted for attributes that end-users can manage (e.g.: first and last names, phone, etc) it also serves for managing any other metadata you want to associate with your users.

Among other capabilities, user profile enables administrators to:

  • Define a schema for user attributes

  • Define whether an attribute is required based on contextual information (e.g.: if required only for users, or admins, or both, or depending on the scope being requested.)

  • Define specific permissions for viewing and editing user attributes, making possible to adhere to strong privacy requirements where some attributes can not be seen or be changed by third-parties (including administrators)

  • Dynamically enforce user profile compliance so that user information is always updated and in compliance with the metadata and rules associated with attributes

  • Define validation rules on a per-attribute basis by leveraging the built-in validators or writing custom ones

  • Dynamically render forms that users interact with like registration, update profile, brokering, and personal information in the account console, according to the attribute definitions and without any need to manually change themes.

  • Customize user management interfaces in the administration console so that attributes are rendered dynamically based on the user profile schema

The user profile schema or configuration uses a JSON format to represent attributes and their metadata. From the administration console, you are able to manage the configuration by clicking on the Realm Settings on the left side menu and then clicking on the User Profile tab on that page.

In the next sections, we’ll be looking at how to create your own user profile schema or configuration, and how to manage attributes.

Understanding the Default Configuration

By default, Keycloak provides a basic user profile configuration covering some of the most common user attributes:

Name Description

username

The username

email

End-User’s preferred e-mail address.

firstName

Given name(s) or first name(s) of the end-user

lastName

Surname(s) or last name(s) of the End-User

In Keycloak, both username and email attributes have a special handling as they are often used to identify, authenticate, and link user accounts. For those attributes, you are limited to changing their settings, and you can not remove them.

The behavior of both username and email attributes changes accordingly to the Login settings of your realm. For instance, changing the Email as username or the Edit username settings will override any configuration you have set in the user profile configuration.

As you will see in the following sections, you are free to change the default configuration by bringing your own attributes or changing the settings for any of the available attributes to better fit it to your needs.

Understanding the User Profile Contexts

In Keycloak, users are managed through different contexts:

  • Registration

  • Update Profile

  • Reviewing Profile when authenticating through a broker or social provider

  • Account Console

  • Administrative (e.g.: administration console and Admin REST API)

Except for the Administrative context, all other contexts are considered end-user contexts as they are related to user self-service flows.

Knowing these contexts is important to understand where your user profile configuration will take effect when managing users. Regardless of the context where the user is being managed, the same user profile configuration will be used to render UIs and validate attribute values.

As you will see in the following sections, you might restrict certain attributes to be available only from the administrative context and disable them completely for end-users. The other way around is also true if you don’t want administrators to have access to certain user attributes but only the end-user.

Understanding Managed and Unmanaged Attributes

By default, Keycloak will only recognize the attributes defined in your user profile configuration. The server ignores any other attribute not explicitly defined there.

By being strict about which user attributes can be set to your users, as well as how their values are validated, Keycloak can add another defense barrier to your realm and help you to prevent unexpected attributes and values associated to your users.

That said, user attributes can be categorized as follows:

  • Managed. These are attributes controlled by your user profile, to which you want to allow end-users and administrators to manage from any user profile context. For these attributes, you want complete control on how and when they are managed.

  • Unmanaged. These are attributes you do not explicitly define in your user profile so that they are completely ignored by Keycloak, by default.

Although unmanaged attributes are disabled by default, you can configure your realm using different policies to define how they are handled by the server. For that, click on the Realm Settings at the left side menu, click on the General tab, and then choose any of the following options from the Unmanaged Attributes setting:

  • Disabled. This is the default policy so that unmanaged attributes are disabled from all user profile contexts.

  • Enabled. This policy enables unmanaged attributes to all user profile contexts.

  • Admin can view. This policy enables unmanaged attributes only from the administrative context as read-only.

  • Admin can edit. This policy enables unmanaged attributes only from the administrative context for reads and writes.

These policies give you a fine-grained control over how the server will handle unmanaged attributes. You can choose to completely disable or only support unmanaged attributes when managing users through the administrative context.

When unmanaged attributes are enabled (even if partially) you can manage them from the administration console at the Attributes tab in the User Details UI. If the policy is set to Disabled this tab is not available.

As a security recommendation, try to adhere to the most strict policy as much as possible (e.g.: Disabled or Admin can edit) to prevent unexpected attributes (and values) set to your users when they are managing their profile through end-user contexts. Avoid setting the Enabled policy and prefer defining all the attributes that end-users can manage in your user profile configuration, under your control.

The Enabled policy is targeted for realms migrating from previous versions of Keycloak and to avoid breaking behavior when using custom themes and extending the server with their own custom user attributes.

As you will see in the following sections, you can also restrict the audience for an attribute by choosing if it should be visible or writable by users and/or administrators.

For unmanaged attributes, the maximum length is 2048 characters. To specify a different minimum or maximum length, change the unmanaged attribute to a managed attribute and add a length validator.

Keycloak caches user-related objects in its internal caches. The longer the attributes are, the more memory the cache consumes. Therefore, limiting the size of the length attributes is recommended. Consider storing large objects outside Keycloak and reference them by ID or URL.

Managing the User Profile

The user profile configuration is managed on a per-realm basis. For that, click on the Realm Settings link on the left side menu and then click on the User Profile tab.

User Profile Tab

user profile tab

In the Attributes sub-tab you have a list of all managed attributes.

In the Attribute Groups sub-tab you can manage attribute groups. An attribute group allows you to correlate attributes so that they are displayed together when rendering user facing forms.

In the JSON Editor sub-tab you can view and edit the JSON configuration. You can use this tab to grab your current configuration or manage it manually. Any change you make to this tab is reflected in the other tabs, and vice-versa.

In the next section, you are going to learn how to manage attributes.

Managing Attributes

At the Attributes sub-tab you can create, edit, and delete the managed attributes.

To define a new attribute and associate it with the user profile, click on the Create attribute button at the top of the attribute listing.

Attribute Configuration

user profile create attribute

When configuring the attribute you can define the following settings:

Name

The name of the attribute, used to uniquely identify an attribute.

Display name

A user-friendly name for the attribute, mainly used when rendering user-facing forms. It also supports Using Internationalized Messages

Multivalued

If enabled, the attribute supports multiple values and UIs are rendered accordingly to allow setting many values. When enabling this setting, make sure to add a validator to set a hard limit to the number of values.

Attribute Group

The attribute group to which the attribute belongs to, if any.

Enabled when

Enables or disables an attribute. If set to Always, the attribute is available from any user profile context. If set to Scopes are requested, the attribute is only available when the client acting on behalf of the user is requesting a set of one or more scopes. You can use this option to dynamically enforce certain attributes depending on the client scopes being requested. For the account and administration consoles, scopes are not evaluated and the attribute is always enabled. That is because filtering attributes by scopes only works when running authentication flows.

Required

Set the conditions to mark an attribute as required. If disabled, the attribute is optional. If enabled, you can set the Required for setting to mark the attribute as required depending on the user profile context so that the attribute is required for end-users (via end-user contexts) or to administrators (via administrative context), or both. You can also set the Required when setting to mark the attribute as required only when a set of one or more client scopes are requested. If set to Always, the attribute is required from any user profile context. If set to Scopes are requested, the attribute is only required when the client acting on behalf of the user is requesting a set of one or more scopes. For the account and administration consoles, scopes are not evaluated and the attribute is not required. That is because filtering attributes by scopes only works when running authentication flows.

Permission

In this section, you can define read and write permissions when the attribute is being managed from an end-user or administrative context. The Who can edit setting mark an attribute as writable by User and/or Admin, from an end-user and administrative context, respectively. The Who can view setting mark an attribute as read-only by User and/or Admin from an end-user and administrative context, respectively.

Validation

In this section, you can define the validations that will be performed when managing the attribute value. Keycloak provides a set of built-in validators you can choose from with the possibility to add your own. For more details, look at the Validating Attributes section.

Annotation

In this section, you can associate annotations to the attribute. Annotations are mainly useful to pass over additional metadata to frontends for rendering purposes. For more details, look at the Defining UI Annotations section.

When you create an attribute, the attribute is only available from administrative contexts to avoid unexpectedly exposing attributes to end-users. Effectively, the attribute won’t be accessible to end-users when they are managing their profile through the end-user contexts. You can change the Permissions settings anytime accordingly to your needs.

Validating Attributes

You can enable validation to managed attributes to make sure the attribute value conforms to specific rules. For that, you can add or remove validators from the Validations settings when managing an attribute.

Attribute Validation

user profile validation

Validation happens at any time when writing to an attribute, and they can throw errors that will be shown in UIs when the value fails a validation.

For security reasons, every attribute that is editable by users should have a validation to restrict the size of the values users enter. If no length validator has been specified, Keycloak defaults to a maximum length of 2048 characters.

Built-in Validators

Keycloak provides some built-in validators that you can choose from, and you are also able to provide your own validators by extending the Validator SPI.

The list below provides a list of all the built-in validators:

Name Description Configuration

length

Check the length of a string value based on a minimum and maximum length.

min: an integer to define the minimum allowed length.

max: an integer to define the maximum allowed length.

trim-disabled: a boolean to define whether the value is trimmed prior to validation.

integer

Check if the value is an integer and within a lower and/or upper range. If no range is defined, the validator only checks whether the value is a valid number.

min: an integer to define the lower range.

max: an integer to define the upper range.

double

Check if the value is a double and within a lower and/or upper range. If no range is defined, the validator only checks whether the value is a valid number.

min: an integer to define the lower range.

max: an integer to define the upper range.

uri

Check if the value is a valid URI.

None

pattern

Check if the value matches a specific RegEx pattern.

pattern: the RegEx pattern to use when validating values.

error-message: the key of the error message in i18n bundle. If not set a generic message is used.

email

Check if the value has a valid e-mail format.

max-local-length: an integer to define the maximum length for the local part of the email. It defaults to 64 per specification.

local-date

Check if the value has a valid format based on the realm and/or user locale.

None

iso-date

Check if the value has a valid format based on ISO 8601. This validator can be used with inputs using the html5-date input type.

None

person-name-prohibited-characters

Check if the value is a valid person name as an additional barrier for attacks such as script injection. The validation is based on a default RegEx pattern that blocks characters not common in person names.

error-message: the key of the error message in i18n bundle. If not set a generic message is used.

username-prohibited-characters

Check if the value is a valid username as an additional barrier for attacks such as script injection. The validation is based on a default RegEx pattern that blocks characters not common in usernames. When the realm setting Email as username is enabled, this validator is skipped to allow email values.

error-message: the key of the error message in i18n bundle. If not set a generic message is used.

options

Check if the value is from the defined set of allowed values. Useful to validate values entered through select and multiselect fields.

options: array of strings containing allowed values.

up-username-not-idn-homograph

The field can contain only latin characters and common unicode characters. Useful for the fields, which can be subject of IDN homograph attacks (typically username).

error-message: the key of the error message in i18n bundle. If not set a generic message is used.

multivalued

Validates the size of a multivalued attribute.

min: an integer to define the minimum allowed count of attribute values.

max: an integer to define the maximum allowed count of attribute values.

Defining UI Annotations

In order to pass additional information to frontends, attributes can be decorated with annotations to dictate how attributes are rendered. This capability is mainly useful when extending Keycloak themes to render pages dynamically based on the annotations associated with attributes.

Annotations are used, for example, for Changing the HTML type for an Attribute and Changing the DOM representation of an Attribute, as you will see in the following sections.

Attribute Annotation

user profile annotation

An annotation is a key/value pair shared with the UI so that they can change how the HTML element corresponding to the attribute is rendered. You can set any annotation you want to an attribute as long as the annotation is supported by the theme your realm is using.

The only restriction you have is to avoid using annotations using the kc prefix in their keys because these annotations using this prefix are reserved for Keycloak.

Built-in Annotations

The following annotations are supported by Keycloak built-in themes:

Name Description

inputType

Type of the form input field. Available types are described in a table below.

inputHelperTextBefore

Helper text rendered before (above) the input field. Direct text or internationalization pattern (like ${i18n.key}) can be used here. Text is NOT html escaped when rendered into the page, so you can use html tags here to format the text, but you also have to correctly escape html control characters.

inputHelperTextAfter

Helper text rendered after (under) the input field. Direct text or internationalization pattern (like ${i18n.key}) can be used here. Text is NOT html escaped when rendered into the page, so you can use html tags here to format the text, but you also have to correctly escape html control characters.

inputOptionsFromValidation

Annotation for select and multiselect types. Optional name of custom attribute validation to get input options from. See detailed description below.

inputOptionLabelsI18nPrefix

Annotation for select and multiselect types. Internationalization key prefix to render options in UI. See detailed description below.

inputOptionLabels

Annotation for select and multiselect types. Optional map to define UI labels for options (directly or using internationalization). See detailed description below.

inputTypePlaceholder

HTML input placeholder attribute applied to the field - specifies a short hint that describes the expected value of an input field (e.g. a sample value or a short description of the expected format). The short hint is displayed in the input field before the user enters a value.

inputTypeSize

HTML input size attribute applied to the field - specifies the width, in characters, of a single line input field. For fields based on HTML select type it specifies number of rows with options shown. May not work, depending on css in used theme!

inputTypeCols

HTML input cols attribute applied to the field - specifies the width, in characters, for textarea type. May not work, depending on css in used theme!

inputTypeRows

HTML input rows attribute applied to the field - specifies the height, in characters, for textarea type. For select fields it specifies number of rows with options shown. May not work, depending on css in used theme!

inputTypePattern

HTML input pattern attribute applied to the field providing client side validation - specifies a regular expression that an input field’s value is checked against. Useful for single line inputs.

inputTypeMaxLength

HTML input maxlength attribute applied to the field providing client side validation - maximal length of the text which can be entered into the input field. Useful for text fields.

inputTypeMinLength

HTML input minlength attribute applied to the field providing client side validation - minimal length of the text which can be entered into the input field. Useful for text fields.

inputTypeMax

HTML input max attribute applied to the field providing client side validation - maximal value which can be entered into the input field. Useful for numeric fields.

inputTypeMin

HTML input min attribute applied to the field providing client side validation - minimal value which can be entered into the input field. Useful for numeric fields.

inputTypeStep

HTML input step attribute applied to the field - Specifies the interval between legal numbers in an input field. Useful for numeric fields.

Number Format

If set, the data-kcNumberFormat attribute is added to the field to format the value based on a given format. This annotation is targeted for numbers where the format is based on the number of digits expected in a determined position. For instance, a format ({2}) {5}-{4} will format the field value to (00) 00000-0000.

Number UnFormat

If set, the data-kcNumberUnFormat attribute is added to the field to format the value based on a given format before submitting the form. This annotation is useful if you do not want to store any format for a specific attribute but only format the value on the client side. For instance, if the current value is (00) 00000-0000, the value will change to 00000000000 if you set the value {11} to this annotation or any other format you want by specifying a set of one or more group of digits. Make sure to add validators to perform server-side validations before storing values.

Field types use HTML form field tags and attributes applied to them - they behave based on the HTML specifications and browser support for them.

Visual rendering also depends on css styles applied in the used theme.

Changing the HTML type for an Attribute

You can change the type of a HTML5 input element by setting the inputType annotation. The available types are:

Name Description HTML tag used

text

Single line text input.

input

textarea

Multiple line text input.

textarea

select

Common single select input. See description how to configure options below.

select

select-radiobuttons

Single select input through group of radio buttons. See description how to configure options below.

group of input

multiselect

Common multiselect input. See description how to configure options below.

select

multiselect-checkboxes

Multiselect input through group of checkboxes. See description how to configure options below.

group of input

html5-email

Single line text input for email address based on HTML 5 spec.

input

html5-tel

Single line text input for phone number based on HTML 5 spec.

input

html5-url

Single line text input for URL based on HTML 5 spec.

input

html5-number

Single line input for number (integer or float depending on step) based on HTML 5 spec.

input

html5-range

Slider for number entering based on HTML 5 spec.

input

html5-datetime-local

Date Time input based on HTML 5 spec.

input

html5-date

Date input based on HTML 5 spec.

input

html5-month

Month input based on HTML 5 spec.

input

html5-week

Week input based on HTML 5 spec.

input

html5-time

Time input based on HTML 5 spec.

input

Defining options for select and multiselect fields

Options for select and multiselect fields are taken from validation applied to the attribute to be sure validation and field options presented in UI are always consistent. By default, options are taken from built-in options validation.

You can use various ways to provide nice human-readable labels for select and multiselect options. The simplest case is when attribute values are same as UI labels. No extra configuration is necessary in this case.

Option values same as UI labels

user profile select options simple

When attribute value is kind of ID not suitable for UI, you can use simple internationalization support provided by inputOptionLabelsI18nPrefix annotation. It defines prefix for internationalization keys, option value is dot appended to this prefix.

Simple internationalization for UI labels using i18n key prefix

user profile select options simple i18n

Localized UI label texts for option value have to be provided by userprofile.jobtitle.sweng and userprofile.jobtitle.swarch keys then, using common localization mechanism.

You can also use inputOptionLabels annotation to provide labels for individual options. It contains a map of labels for option - key in the map is option value (defined in validation), and value in the map is UI label text itself or its internationalization pattern (like ${i18n.key}) for that option.

You have to use User Profile JSON Editor to enter map as inputOptionLabels annotation value.

Example of directly entered labels for individual options without internationalization:

"attributes": [
<...
{
  "name": "jobTitle",
  "validations": {
    "options": {
      "options":[
        "sweng",
        "swarch"
      ]
    }
  },
  "annotations": {
    "inputType": "select",
    "inputOptionLabels": {
      "sweng": "Software Engineer",
      "swarch": "Software Architect"
    }
  }
}
...
]

Example of the internationalized labels for individual options:

"attributes": [
...
{
  "name": "jobTitle",
  "validations": {
    "options": {
      "options":[
        "sweng",
        "swarch"
      ]
    }
  },
  "annotations": {
    "inputType": "select-radiobuttons",
    "inputOptionLabels": {
      "sweng": "${jobtitle.swengineer}",
      "swarch": "${jobtitle.swarchitect}"
    }
  }
}
...
]

Localized texts have to be provided by jobtitle.swengineer and jobtitle.swarchitect keys then, using common localization mechanism.

Custom validator can be used to provide options thanks to inputOptionsFromValidation attribute annotation. This validation have to have options config providing array of options. Internationalization works the same way as for options provided by built-in options validation.

Options provided by custom validator

user profile select options custom validator

Changing the DOM representation of an Attribute

You can enable additional client-side behavior by setting annotations with the kc prefix. These annotations are going to translate into an HTML attribute in the corresponding element of an attribute, prefixed with data-, and a script with the same name will be loaded to the dynamic pages so that you can select elements from the DOM based on the custom data- attribute and decorate them accordingly by modifying their DOM representation.

For instance, if you add a kcMyCustomValidation annotation to an attribute, the HTML attribute data-kcMyCustomValidation is added to the corresponding HTML element for the attribute, and a JavaScript module is loaded from your custom theme at <THEME TYPE>/resources/js/kcMyCustomValidation.js. See the Server Developer Guide for more information about how to deploy a custom JavaScript module to your theme.

The JavaScript module can run any code to customize the DOM and the elements rendered for each attribute. For that, you can use the userProfile.js module to register an annotation descriptor for your custom annotation as follows:

import { registerElementAnnotatedBy } from "./userProfile.js";

registerElementAnnotatedBy({
  name: 'kcMyCustomValidation',
  onAdd(element) {
    var listener = function (event) {
        // do something on keyup
    };

    element.addEventListener("keyup", listener);

    // returns a cleanup function to remove the event listener
    return () => element.removeEventListener("keyup", listener);
  }
});

The registerElementAnnotatedBy is a method to register annotation descriptors. A descriptor is an object with a name, referencing the annotation name, and a onAdd function. Whenever the page is rendered or an attribute with the annotation is added to the DOM, the onAdd function is invoked so that you can customize the behavior for the element.

The onAdd function can also return a function to perform a cleanup. For instance, if you are adding event listeners to elements, you might want to remove them in case the element is removed from the DOM.

Alternatively, you can also use any JavaScript code you want if the userProfile.js is not enough for your needs:

document.querySelectorAll(`[data-kcMyCustomValidation]`).forEach((element) => {
    var listener = function (evt) {
        // do something on keyup
    };

    element.addEventListener("keyup", listener);
  });

Managing Attribute Groups

At the Attribute Groups sub-tab you can create, edit, and delete attribute groups. An attribute group allows you to define a container for correlated attributes so that they are rendered together when at the user-facing forms.

Attribute Group List

user profile attribute group list

You can’t delete attribute groups that are bound to attributes. For that, you should first update the attributes to remove the binding.

To create a new group, click on the Create attributes group button on the top of the attribute groups listing.

Attribute Group Configuration

user profile create attribute group

When configuring the group you can define the following settings:

Name

The name of the attribute, used to uniquely identify an attribute.

Display name

A user-friendly name for the attribute, mainly used when rendering user-facing forms. It also supports Using Internationalized Messages

Display description

A user-friendly text that will be displayed as a tooltip when rendering user-facing forms. It also supports Using Internationalized Messages

Annotation

In this section, you can associate annotations to the attribute. Annotations are mainly useful to pass over additional metadata to frontends for rendering purposes.

Using the JSON configuration

The user profile configuration is stored using a well-defined JSON schema. You can choose from editing the user profile configuration directly by clicking on the JSON Editor sub-tab.

JSON Configuration

user profile json config

The JSON schema is defined as follows:

{
  "unmanagedAttributePolicy": "DISABLED",
  "attributes": [
    {
      "name": "myattribute",
      "multivalued": false,
      "displayName": "My Attribute",
      "group": "personalInfo",
      "required": {
        "roles": [ "user", "admin" ],
        "scopes": [ "foo", "bar" ]
      },
      "permissions": {
        "view": [ "admin", "user" ],
        "edit": [ "admin", "user" ]
      },
      "validations": {
        "email": {
          "max-local-length": 64
        },
        "length": {
          "max": 255
        }
      },
      "annotations": {
        "myannotation": "myannotation-value"
      }
    }
  ],
  "groups": [
    {
      "name": "personalInfo",
      "displayHeader": "Personal Information",
      "annotations": {
        "foo": ["foo-value"],
        "bar": ["bar-value"]
      }
    }
  ]
}

The schema supports as many attributes and groups as you need.

The unmanagedAttributePolicy property defines the unmanaged attribute policy by setting one of following values. For more details, look at the Understanding Managed and Unmanaged Attributes.

  • DISABLED

  • ENABLED

  • ADMIN_VIEW

  • ADMIN_EDIT

Attribute Schema

For each attribute you should define a name and, optionally, the required, permission, and the annotations settings.

The required property defines whether an attribute is required. Keycloak allows you to set an attribute as required based on different conditions.

When the required property is defined as an empty object, the attribute is always required.

{
  "attributes": [
    {
      "name": "myattribute",
      "required": {}
  ]
}

On the other hand, you can choose to make the attribute required only for users, or administrators, or both. As well as mark the attribute as required only in case a specific scope is requested when the user is authenticating in Keycloak.

To mark an attribute as required for a user and/or administrator, set the roles property as follows:

{
  "attributes": [
    {
      "name": "myattribute",
      "required": {
        "roles": ["user"]
      }
  ]
}

The roles property expects an array whose values can be either user or admin, depending on whether the attribute is required by the user or the administrator, respectively.

Similarly, you can choose to make the attribute required when a set of one or more scopes is requested by a client when authenticating a user. For that, you can use the scopes property as follows:

{
  "attributes": [
    {
      "name": "myattribute",
      "required": {
        "scopes": ["foo"]
      }
  ]
}

The scopes property is an array whose values can be any string representing a client scope.

The attribute-level permissions property can be used to define the read and write permissions to an attribute. The permissions are set based on whether these operations can be performed on the attribute by a user, or administrator, or both.

{
  "attributes": [
    {
      "name": "myattribute",
      "permissions": {
        "view": ["admin"],
        "edit": ["user"]
      }
  ]
}

Both view and edit properties expect an array whose values can be either user or admin, depending on whether the attribute is viewable or editable by the user or the administrator, respectively.

When the edit permission is granted, the view permission is implicitly granted.

The attribute-level annotation property can be used to associate additional metadata to attributes. Annotations are mainly useful for passing over additional information about attributes to frontends rendering user attributes based on the user profile configuration. Each annotation is a key/value pair.

{
  "attributes": [
    {
      "name": "myattribute",
      "annotations": {
        "foo": ["foo-value"],
        "bar": ["bar-value"]
      }
  ]
}
Attribute Group Schema

For each attribute group you should define a name and, optionally, the annotations settings.

The attribute-level annotation property can be used to associate additional metadata to attributes. Annotations are mainly useful for passing over additional information about attributes to frontends rendering user attributes based on the user profile configuration. Each annotation is a key/value pair.

Customizing How UIs are Rendered

The UIs from all the user profile contexts (including the administration console) are rendered dynamically accordingly to your user profile configuration.

The default rendering mechanism provides the following capabilities:

  • Show or hide fields based on the permissions set to attributes.

  • Render markers for required fields based on the constraints set to the attributes.

  • Change the field input type (text, date, number, select, multiselect) set to an attribute.

  • Mark fields as read-only depending on the permissions set to an attribute.

  • Order fields depending on the order set to the attributes.

  • Group fields that belong to the same attribute group.

  • Dynamically group fields that belong to the same attribute group.

Ordering attributes

The attribute order is set by dragging and dropping the attribute rows on the attribute listing page.

Ordering Attributes

user profile attribute list order

The order you set in this page is respected when fields are rendered in dynamic forms.

Grouping attributes

When dynamic forms are rendered, they will try to group together attributes that belong to the same attribute group.

Dynamic Update Profile Form

user profile update profile

When attributes are linked to an attribute group, the attribute order is also important to make sure attributes within the same group are close together, within a same group header. Otherwise, if attributes within a group do not have a sequential order you might have the same group header rendered multiple times in the dynamic form.

Enabling Progressive Profiling

In order to make sure end-user profiles are in compliance with the configuration, administrators can use the VerifyProfile required action to eventually force users to update their profiles when authenticating to Keycloak.

The VerifyProfile action is similar to the UpdateProfile action. However, it leverages all the capabilities provided by the user profile to automatically enforce compliance with the user profile configuration.

When enabled, the VerifyProfile action is going to perform the following steps when the user is authenticating:

  • Check whether the user profile is fully compliant with the user profile configuration set to the realm. That means running validations and make sure all of them are successful.

  • If not, perform an additional step during the authentication so that the user can update any missing or invalid attribute.

  • If the user profile is compliant with the configuration, no additional step is performed, and the user continues with the authentication process.

The VerifyProfile action is enabled by default. To disable it, click on the Authentication link on the left side menu and then click on the Required Actions tab. At this tab, use the Enabled switch of the VerifyProfile action to disable it.

Registering the VerifyProfile Required Action

user profile register verify profile action

Using Internationalized Messages

If you want to use internationalized messages when configuring attributes, attributes groups, and annotations, you can set their display name, description, and values, using a placeholder that will translate to a message from a message bundle.

For that, you can use a placeholder to resolve messages keys such as ${myAttributeName}, where myAttributeName is the key for a message in a message bundle. For more details, look at Server Developer Guide about how to add message bundles to custom themes.

Defining user credentials

You can manage credentials of a user in the Credentials tab.

Credential management

user credentials

You change the priority of credentials by dragging and dropping rows. The new order determines the priority of the credentials for that user. The topmost credential has the highest priority. The priority determines which credential is displayed first after a user logs in.

Type

This column displays the type of credential, for example password or OTP.

User Label

This is an assignable label to recognize the credential when presented as a selection option during login. It can be set to any value to describe the credential.

Data

This is the non-confidential technical information about the credential. It is hidden, by default. You can click Show data…​ to display the data for a credential.

Actions

Click Reset password to change the password for the user and Delete to remove the credential.

You cannot configure other types of credentials for a specific user in the Admin Console; that task is the user’s responsibility.

You can delete the credentials of a user in the event a user loses an OTP device or if credentials have been compromised. You can only delete credentials of a user in the Credentials tab.

Setting a password for a user

If a user does not have a password, or if the password has been deleted, the Set Password section is displayed.

If a user already has a password, it can be reset in the Reset Password section.

Procedure
  1. Click Users in the menu. The Users page is displayed.

  2. Select a user.

  3. Click the Credentials tab.

  4. Type a new password in the Set Password section.

  5. Click Set Password.

    If Temporary is ON, the user must change the password at the first login. To allow users to keep the password supplied, set Temporary to OFF. The user must click Set Password to change the password.

Requesting a user reset a password

You can also request that the user reset the password.

Procedure
  1. Click Users in the menu. The Users page is displayed.

  2. Select a user.

  3. Click the Credentials tab.

  4. Click Credential Reset.

  5. Select Update Password from the list.

  6. Click Send Email. The sent email contains a link that directs the user to the Update Password window.

  7. Optionally, you can set the validity of the email link. This is set to the default preset in the Tokens tab in Realm Settings.

Creating an OTP

If OTP is conditional in your realm, the user must navigate to Keycloak Account Console to reconfigure a new OTP generator. If OTP is required, then the user must reconfigure a new OTP generator when logging in.

Alternatively, you can send an email to the user that requests the user reset the OTP generator. The following procedure also applies if the user already has an OTP credential.

Prerequisite
  • You are logged in to the appropriate realm.

Procedure
  1. Click Users in the main menu. The Users page is displayed.

  2. Select a user.

  3. Click the Credentials tab.

  4. Click Credential Reset.

  5. Set Reset Actions to Configure OTP.

  6. Click Send Email. The sent email contains a link that directs the user to the OTP setup page.

Allowing users to self-register

You can use Keycloak as a third-party authorization server to manage application users, including users who self-register. If you enable self-registration, the login page displays a registration link so that user can create an account.

Registration link

registration link

A user must add profile information to the registration form to complete registration. The registration form can be customized by removing or adding the fields that must be completed by a user.

Clarification on identity brokering and admin API

Even when self-registrations is disabled, new users can be still added to Keycloak by either:

  • Administrator can add new users with the usage of admin console (or admin REST API)

  • When identity brokering is enabled, new users authenticated by identity provider may be automatically added/registered in Keycloak storage. See the First login flow section in the Identity Brokering chapter for more information.

Also users coming from the 3rd-party user storage (for example LDAP) are automatically available in Keycloak when the particular user storage is enabled

Additional resources

Enabling user registration

Enable users to self-register.

Procedure
  1. Click Realm Settings in the main menu.

  2. Click the Login tab.

  3. Toggle User Registration to ON.

After you enable this setting, a Register link displays on the login page of the Admin Console.

Registering as a new user

As a new user, you must complete a registration form to log in for the first time. You add profile information and a password to register.

Registration form

registration form

Prerequisite
  • User registration is enabled.

Procedure
  1. Click the Register link on the login page. The registration page is displayed.

  2. Enter the user profile information.

  3. Enter the new password.

  4. Click Register.

Requiring user to agree to terms and conditions during registration

For a user to register, you can require agreement to your terms and conditions.

Registration form with required terms and conditions agreement

registration form with required tac

Prerequisite
  • User registration is enabled.

  • Terms and conditions required action is enabled.

Procedure
  1. Click Authentication in the menu. Click the Flows tab.

  2. Click the registration flow.

  3. Select Required on the Terms and Conditions row.

    Make the terms and conditions agreement required at registration

    require tac agreement at registration

Defining actions required at login

You can set the actions that a user must perform at the first login. These actions are required after the user provides credentials. After the first login, these actions are no longer required. You add required actions on the Details tab of that user.

Some required actions are automatically triggered for the user during login even if they are not explicitly added to this user by the administrator. For example Update password action can be triggered if Password policies are configured in a way that the user password needs to be changed every X days. Or verify profile action can require the user to update the User profile as long as some user attributes do not match the requirements according to the user profile configuration.

The following are examples of required action types:

Update Password

The user must change their password.

Configure OTP

The user must configure a one-time password generator on their mobile device using either the Free OTP or Google Authenticator application.

Verify Email

The user must verify their email account. An email will be sent to the user with a validation link that they must click. Once this workflow is successfully completed, the user will be allowed to log in.

Update Profile

The user must update profile information, such as name, address, email, and phone number.

Some actions do not makes sense to be added to the user account directly. For example, the Update User Locale is a helper action to handle some localization related parameters. Another example is the Delete Credential action, which is supposed to be triggered as a Parameterized AIA. Regarding this one, if the administrator wants to delete the credential of some user, that administrator can do it directly in the Admin Console. The Delete Credential action is dedicated to be used for example by the Keycloak Account Console.

Setting required actions for one user

You can set the actions that are required for any user.

Procedure
  1. Click Users in the menu.

  2. Select a user from the list.

  3. Navigate to the Required User Actions list.

    user required action

  4. Select all the actions you want to add to the account.

  5. Click the X next to the action name to remove it.

  6. Click Save after you select which actions to add.

Setting required actions for all users

You can specify what actions are required before the first login of all new users. The requirements apply to a user created by the Add User button on the Users page or the Register link on the login page.

Procedure
  1. Click Authentication in the menu.

  2. Click the Required Actions tab.

  3. Click the checkbox in the Set as default action column for one or more required actions. When a new user logs in for the first time, the selected actions must be executed.

Enabling terms and conditions as a required action

You can enable a required action that new users must accept the terms and conditions before logging in to Keycloak for the first time.

Procedure
  1. Click Authentication in the menu.

  2. Click the Required Actions tab.

  3. Enable the Terms and Conditions action.

  4. Edit the terms.ftl file in the base login theme.

Additional resources

Application initiated actions

Application initiated actions (AIA) allow client applications to request a user to perform an action on the Keycloak side. Usually, when an OIDC client application wants a user to log in, it redirects that user to the login URL as described in the OIDC section. After login, the user is redirected back to the client application. The user performs the actions that were required by the administrator as described in the previous section and then is immediately redirected back to the application. However, AIA allows the client application to request some required actions from the user during login. This can be done even if the user is already authenticated on the client and has an active SSO session. It is triggered by adding the kc_action parameter to the OIDC login URL with the value containing the requested action. For instance kc_action=UPDATE_PASSWORD parameter.

A user may cancel an application initiated action. In this case the user is redirected back to the client application. The redirect URI will contain the query parameters kc_action_status=cancelled and kc_action with the name of the cancelled action.

The kc_action and kc_action_status parameters are a Keycloak proprietary mechanism unsupported by the OIDC specification.
Application initiated actions are supported only for OIDC clients.

So if AIA is used, an example flow is similar to the following:

  • A client application redirects the user to the OIDC login URL with the additional parameter such as kc_action=UPDATE_PASSWORD

  • There is a browser flow always triggered as described in the Authentication flows section. If the user was not authenticated, that user needs to authenticate as during normal login. In case the user was already authenticated, that user might be automatically re-authenticated by an SSO cookie without needing to actively re-authenticate and supply the credentials again. In this case, that user will be directly redirected to the screen with the particular action (update password in this case). However, in some cases, active re-authentication is required even if the user has an SSO cookie (See below for the details).

  • The screen with particular action (in this case update password) is displayed to the user, so that user needs to perform a particular action

  • Then user is redirected back to the client application

Note that AIA are used by the Keycloak Account Console to request update password or to reset other credentials such as OTP or WebAuthn.

Even if the parameter kc_action was used, it is not sufficient to assume that the user always performs the action. For example, a user could have manually deleted the kc_action parameter from the browser URL. Therefore, no guarantee exists that the user has an OTP for the account after the client requested kc_action=CONFIGURE_TOTP. If you want to verify that the user configured two-factor authenticator, the client application may need to check it was configured. For instance by checking the claims like acr in the tokens.

Re-authentication during AIA

In case the user is already authenticated due to an active SSO session, that user usually does not need to actively re-authenticate. However, if that user actively authenticated longer than five minutes ago, the client can still request re-authentication when some AIA is requested. Exceptions exist from this guideline as follows:

  • The action delete_account will always require the user to actively re-authenticate

  • The action update_password might require the user to actively re-authenticate according to the configured Maximum Authentication Age Password policy. In case the policy is not configured, it is also possible to configure it on the required action itself in the Required actions tab when configuring the particular required action. If the policy is not configured in any of those places, it defaults to five minutes.

  • If you want to use a shorter re-authentication, you can still use a parameter query parameter such as max_age with the specified shorter value or eventually prompt=login, which will always require user to actively re-authenticate as described in the OIDC specification. Note that using max_age for a longer value than the default five minutes (or the one prescribed by password policy) is not supported. The max_age can be currently used only to make the value shorter than the default five minutes.

  • If Step-up authentication is enabled and the action is to add or delete a credential, authentication is required with the level corresponding to the given credential. This requirement exists in case the user already has the credential of the particular level. For example, if otp and webauthn are configured in the authentication flow as 2nd-factor authenticators (both in the authentication flow at level 2) and the user already has a 2nd-factor credential (otp or webauthn in this case), the user is required to authenticate with an existing 2nd-factor credential to add another 2nd-level credential. In the same manner, deleting an existing 2nd-factor credential (otp or webauthn in this case), authentication with an existing 2nd-factor level credential is required. The requirement exists for security reasons.

Parameterized AIA

Some AIA can require the parameter to be sent together with the action name. For instance, the Delete Credential action can be triggered only by AIA and it requires a parameter to be sent together with the name of the action, which points to the ID of the removed credential. So the URL for this example would be kc_action=delete_credential:ce1008ac-f811-427f-825a-c0b878d1c24b. In this case, the part after the colon character (ce1008ac-f811-427f-825a-c0b878d1c24b) contains the ID of the credential of the particular user, which is to be deleted. The Delete Credential action displays the confirmation screen where the user can confirm agreement to delete the credential.

The Keycloak Account Console typically uses the Delete Credential action when deleting a 2nd-factor credential. You can check the Account Console for examples if you want to use this action directly from your own applications. However, relying on the Account Console is best instead of managing credentials from your own applications.

Available actions

To see all available actions, log in to the Admin Console and go to the top right top corner to click Realm info → tab Provider info → Find provider required-action . But note that this can be further restricted based on what actions are enabled for your realm in the Required actions tab.

Searching for a user

Search for a user to view detailed information about the user, such as the user’s groups and roles.

Prerequisite
  • You are in the realm where the user exists.

Procedure
  1. Click Users in the main menu. This Users page is displayed.

  2. Type the full name, last name, first name, or email address of the user you want to search for in the search box. The search returns all users that match your criteria.

    The criteria used to match users depends on the syntax used on the search box:

    1. "somevalue" → performs exact search of the string "somevalue";

    2. *somevalue* → performs infix search, akin to a LIKE '%somevalue%' DB query;

    3. somevalue* or somevalue → performs prefix search, akin to a LIKE 'somevalue%' DB query.

Procedure
  1. Click Users in the main menu. This Users page is displayed.

  2. Click Default search button and switch it to Attribute search.

  3. Click Select attributes button and specify the attributes to search by.

  4. Check Exact search checkbox to perform exact match or keep it unchecked to use an infix search for attribute values.

  5. Click Search button to perform the search. It returns all users that match the criteria.

Searches performed in the Users page encompass both Keycloak’s database and configured user federation backends, such as LDAP. Users found in federated backends will be imported into Keycloak’s database if they don’t already exist there.

Additional Resources

Deleting a user

You can delete a user, who no longer needs access to applications. If a user is deleted, the user profile and data is also deleted.

Procedure
  1. Click Users in the menu. The Users page is displayed.

  2. Click View all users to find a user to delete.

    Alternatively, you can use the search bar to find a user.
  3. Click Delete from the action menu next to the user you want to remove and confirm deletion.

Enabling account deletion by users

End users and applications can delete their accounts in the Account Console if you enable this capability in the Admin Console. Once you enable this capability, you can give that capability to specific users.

Enabling the Delete Account Capability

You enable this capability on the Required Actions tab.

Procedure
  1. Click Authentication in the menu.

  2. Click the Required Actions tab.

  3. Select Enabled on the Delete Account row.

    Delete account on required actions tab

    enable delete account action

Giving a user the delete-account role

You can give specific users a role that allows account deletion.

Procedure
  1. Click Users in the menu.

  2. Select a user.

  3. Click the Role Mappings tab.

  4. Click the Assign role button.

  5. Click account delete-account.

  6. Click Assign.

    Delete-account role

    delete-account role

Deleting your account

Once you have the delete-account role, you can delete your own account.

  1. Log into the Account Console.

  2. At the bottom of the Personal Info page, click Delete Account.

    Delete account page

    Delete account page

  3. Enter your credentials and confirm the deletion.

    Delete confirmation

    delete account confirm

    This action is irreversible. All your data in Keycloak will be removed.

Impersonating a user

An administrator with the appropriate permissions can impersonate a user. For example, if a user experiences a bug in an application, an administrator can impersonate the user to investigate or duplicate the issue.

Any user with the impersonation role in the realm can impersonate a user.

Procedure
  1. Click Users in the menu.

  2. Click a user to impersonate.

  3. From the Actions list, select Impersonate.

    user impersonate action

    • If the administrator and the user are in the same realm, then the administrator will be logged out and automatically logged in as the user being impersonated.

    • If the administrator and user are in different realms, the administrator will remain logged in, and additionally will be logged in as the user in that user’s realm.

In both instances, the Account Console of the impersonated user is displayed.

Additional resources

Enabling reCAPTCHA

To safeguard registration against bots, Keycloak has integration with Google reCAPTCHA (see Setting up Google reCAPTCHA) and reCAPTCHA Enterprise (see Setting up Google reCAPTCHA Enterprise). The default theme (register.ftl) supports both v2 (visible, checkbox-based) and v3 (score-based, invisible) reCAPTCHA (see Choose the appropriate reCAPTCHA key type).

Setting up Google reCAPTCHA

  1. Enter the following URL in a browser:

    https://www.google.com/recaptcha/admin/create
  2. Create a reCAPTCHA and choose between Challenge v2 (visible checkbox) or Score-based, v3 (invisible) to get your reCAPTCHA site key and secret. Note them down for future use in this procedure.

    The localhost works by default. You do not have to specify a domain.
  3. Navigate to the Keycloak admin console.

  4. Click Authentication in the menu.

  5. Click the Flows tab.

  6. Select Registration from the list.

  7. Set the reCAPTCHA requirement to Required. This enables reCAPTCHA.

  8. Click the gear icon ⚙️ on the reCAPTCHA row.

    reCAPTCHA config

    recaptcha config

    1. Enter the reCAPTCHA Site Key generated from the Google reCAPTCHA website.

    2. Enter the reCAPTCHA Secret generated from the Google reCAPTCHA website.

    3. Toggle reCAPTCHA v3 according to your Site Key type: on for score-based reCAPTCHA (v3), off for challenge reCAPTCHA (v2).

    4. (Optional) Toggle Use recaptcha.net to use www.recatcha.net instead of www.google.com domain for cookies. See reCAPTCHA faq for more information.

  9. Authorize Google to use the registration page as an iframe.

    In Keycloak, websites cannot include a login page dialog in an iframe. This restriction is to prevent clickjacking attacks. You need to change the default HTTP response headers that is set in Keycloak.
    1. Click Realm Settings in the menu.

    2. Click the Security Defenses tab.

    3. Enter https://www.google.com in the field for the X-Frame-Options header (or https//www.recaptcha.net if you enabled Use recaptcha.net).

    4. Enter https://www.google.com in the field for the Content-Security-Policy header (or https//www.recaptcha.net if you enabled Use recaptcha.net).

Setting up Google reCAPTCHA Enterprise

  1. Enter the following URL in a browser:

    https://developers.google.com/recaptcha/
  2. Create a key for a "Website" platform, and choose the desired key type. Leave the defaults for v3 reCAPTCHA (invisible), or toggle Use checkbox challenge for a v2 reCAPTCHA (visible). Note the site key for future use in this procedure.

    The localhost works by default. You do not have to specify a domain.
  3. On your Google Cloud Project, go to Credentials and create an API key.

    For better security, click on edit api key and add an API restriction to restrict the key to the reCAPTCHA Enterprise API only.
  4. Navigate to the Keycloak Admin Console.

  5. Click Authentication in the menu.

  6. Click the Flows tab.

  7. Duplicate the "registration" flow.

  8. Bind the new flow to the Registration flow.

  9. Edit the new flow:

    1. Delete the reCAPTCHA step.

    2. Add the step reCAPTCHA Enterprise as a sub-step of "registration form" (first step of the flow).

  10. Set the reCAPTCHA Enterprise requirement to Required.

  11. Click the gear icon ⚙️ on the reCAPTCHA Enterprise row.

    reCAPTCHA Enterprise config

    recaptcha enterprise config

    1. Enter the Recaptcha Project ID of your Google Cloud console project.

    2. Enter the Recaptcha Site Key generated at the beginning of the procedure.

    3. Enter the Recaptcha API Key generated at the beginning of the procedure.

    4. Toggle reCAPTCHA v3 according to your Site Key type: on for score-based reCAPTCHA (v3), off for challenge reCAPTCHA (v2).

    5. (Optional) Customize the Min. Score Threshold as you see fit. Set it to the minimum score, between 0.0 and 1.0, that a user should achieve on reCAPTCHA to be allowed to register. See interpret scores.

    6. (Optional) Toggle Use recaptcha.net to use www.recatcha.net instead of www.google.com domain for cookies. See reCAPTCHA faq for more information.

  12. Authorize Google to use the registration page as an iframe. See the last steps of Setting up Google reCAPTCHA for a detailed procedure.

Additional resources

Personal data collected by Keycloak

By default, Keycloak collects the following data:

  • Basic user profile data, such as the user email, first name, and last name.

  • Basic user profile data used for social accounts and references to the social account when using a social login.

  • Device information collected for audit and security purposes, such as the IP address, operating system name, and the browser name.

The information collected in Keycloak is highly customizable. The following guidelines apply when making customizations:

  • Registration and account forms can contain custom fields, such as birthday, gender, and nationality. An administrator can configure Keycloak to retrieve data from a social provider or a user storage provider such as LDAP.

  • Keycloak collects user credentials, such as password, OTP codes, and WebAuthn public keys. This information is encrypted and saved in a database, so it is not visible to Keycloak administrators. Each type of credential can include non-confidential metadata that is visible to administrators such as the algorithm that is used to hash the password and the number of hash iterations used to hash the password.

  • With authorization services and UMA support enabled, Keycloak can hold information about some objects for which a particular user is the owner.

Managing user sessions

When users log into realms, Keycloak maintains a user session for each user and remembers each client visited by the user within the session. Realm administrators can perform multiple actions on each user session:

  • View login statistics for the realm.

  • View active users and where they logged in.

  • Log a user out of their session.

  • Revoke tokens.

  • Set up token timeouts.

  • Set up session timeouts.

Administering sessions

To see a top-level view of the active clients and sessions in Keycloak, click Sessions from the menu.

Sessions

Sessions tab

Signing out all active sessions

You can sign out all users in the realm. From the Action list, select Sign out all active sessions. All SSO cookies become invalid. Keycloak notifies clients by using the Keycloak OIDC client adapter of the logout event. Clients requesting authentication within active browser sessions must log in again. Client types such as SAML do not receive a back-channel logout request.

Clicking Sign out all active sessions does not revoke outstanding access tokens. Outstanding tokens must expire naturally. For clients using the Keycloak OIDC client adapter, you can push a revocation policy to revoke the token, but this does not work for other adapters.

Viewing client sessions

Procedure
  1. Click Clients in the menu.

  2. Click a client to see that client’s sessions.

  3. Click the Sessions tab.

    Client sessions

    Client sessions

Viewing user sessions

Procedure
  1. Click Users in the menu.

  2. Click a user to see that user’s sessions.

  3. Click the Sessions tab.

    User sessions

    User sessions

Revoking active sessions

If your system is compromised, you can revoke all active sessions and access tokens.

Procedure
  1. Click Sessions in the menu.

  2. From the Actions list, select Revocation.

    Revocation

    Revocation

  3. Specify a time and date where sessions or tokens issued before that time and date are invalid using this console.

    • Click Set to now to set the policy to the current time and date.

    • Click Push to push this revocation policy to any registered OIDC client with the Keycloak OIDC client adapter.

Session and token timeouts

Keycloak includes control of the session, cookie, and token timeouts through the Sessions and Tokens tabs in the Realm settings menu.

Sessions tab

Sessions Tab

Configuration Description

SSO Session Idle

This setting is for OIDC clients only. If a user is inactive for longer than this timeout, the user session is invalidated. This timeout value resets when clients request authentication or send a refresh token request. Keycloak adds a window of time to the idle timeout before the session invalidation takes effect. See the note later in this section.

SSO Session Max

The maximum time before a user session expires.

SSO Session Idle Remember Me

This setting is similar to the standard SSO Session Idle configuration but specific to logins with Remember Me enabled. Users can specify longer session idle timeouts when they click Remember Me when logging in. This setting is an optional configuration and, if its value is not greater than zero, it uses the same idle timeout as the SSO Session Idle configuration.

SSO Session Max Remember Me

This setting is similar to the standard SSO Session Max but specific to Remember Me logins. Users can specify longer sessions when they click Remember Me when logging in. This setting is an optional configuration and, if its value is not greater than zero, it uses the same session lifespan as the SSO Session Max configuration.

Client Session Idle

Idle timeout for the client session. If the user is inactive for longer than this timeout, the client session is invalidated and the refresh token requests bump the idle timeout. This setting never affects the general SSO user session, which is unique. Note the SSO user session is the parent of zero or more client sessions, one client session is created for every different client app the user logs in. This value should specify a shorter idle timeout than the SSO Session Idle. Users can override it for individual clients in the Advanced Settings client tab. This setting is an optional configuration and, when set to zero, uses the same idle timeout in the SSO Session Idle configuration.

Client Session Max

The maximum time for a client session and before a refresh token expires and invalidates. As in the previous option, this setting never affects the SSO user session and should specify a shorter value than the SSO Session Max. Users can override it for individual clients in the Advanced Settings client tab. This setting is an optional configuration and, when set to zero, uses the same max timeout in the SSO Session Max configuration.

Offline Session Idle

This setting is for offline access. The amount of time the session remains idle before Keycloak revokes its offline token. Keycloak adds a window of time to the idle timeout before the session invalidation takes effect. See the note later in this section.

Offline Session Max Limited

This setting is for offline access. If this flag is Enabled, Offline Session Max can control the maximum time the offline token remains active, regardless of user activity. If the flag is Disabled, offline sessions never expire by lifespan, only by idle. Once this option is activated, the Offline Session Max (global option at realm level) and Client Offline Session Max (specific client level option in the Advanced Settings tab) can be configured.

Offline Session Max

This setting is for offline access, and it is the maximum time before Keycloak revokes the corresponding offline token. This option controls the maximum amount of time the offline token remains active, regardless of user activity.

Login timeout

The total time a logging in must take. If authentication takes longer than this time, the user must start the authentication process again.

Login action timeout

The Maximum time users can spend on any one page during the authentication process.

Tokens tab

Tokens Tab

Configuration Description

Default Signature Algorithm

The default algorithm used to assign tokens for the realm.

Revoke Refresh Token

When Enabled, Keycloak revokes refresh tokens and issues another token that the client must use. This action applies to OIDC clients performing the refresh token flow.

Access Token Lifespan

When Keycloak creates an OIDC access token, this value controls the lifetime of the token.

Access Token Lifespan For Implicit Flow

With the Implicit Flow, Keycloak does not provide a refresh token. A separate timeout exists for access tokens created by the Implicit Flow.

Client login timeout

The maximum time before clients must finish the Authorization Code Flow in OIDC.

User-Initiated Action Lifespan

The maximum time before a user’s action permission expires. Keep this value short because users generally react to self-created actions quickly.

Default Admin-Initiated Action Lifespan

The maximum time before an action permission sent to a user by an administrator expires. Keep this value long to allow administrators to send e-mails to offline users. An administrator can override the default timeout before issuing the token.

Email Verification

Specifies independent timeout for email verification.

IdP account email verification

Specifies independent timeout for IdP account email verification.

Forgot password

Specifies independent timeout for forgot password.

Execute actions

Specifies independent timeout for execute actions.

The following logic is only applied if persistent user sessions are not active:

For idle timeouts, a two-minute window of time exists that the session is active. For example, when you have the timeout set to 30 minutes, it will be 32 minutes before the session expires.

This action is necessary for some scenarios in cluster and cross-data center environments where the token refreshes on one cluster node a short time before the expiration and the other cluster nodes incorrectly consider the session as expired because they have not yet received the message about a successful refresh from the refreshing node.

Offline access

During offline access logins, the client application requests an offline token instead of a refresh token. The client application saves this offline token and can use it for future logins if the user logs out. This action is useful if your application needs to perform offline actions on behalf of the user even when the user is not online. For example, a regular data backup.

The client application is responsible for persisting the offline token in storage and then using it to retrieve new access tokens from the Keycloak server.

The difference between a refresh token and an offline token is that an offline token never expires and is not subject to the SSO Session Idle timeout and SSO Session Max lifespan. The offline token is valid after a user logout. You must use the offline token for a refresh token action at least once per thirty days or for the value of the Offline Session Idle.

If you enable Offline Session Max Limited, offline tokens expire after 60 days even if you use the offline token for a refresh token action. You can change this value, Offline Session Max, in the Admin Console.

When using offline access, client idle and max timeouts can be overridden at the client level. The options Client Offline Session Idle and Client Offline Session Max, in the client Advanced Settings tab, allow you to have a shorter offline timeouts for a specific application. Note that client session values also control the refresh token expiration but they never affect the global offline user SSO session. The option Client Offline Session Max is only evaluated in the client if Offline Session Max Limited is Enabled at the realm level.

If you enable the Revoke Refresh Token option, you can use each offline token once only. After refresh, you must store the new offline token from the refresh response instead of the previous one.

Users can view and revoke offline tokens that Keycloak grants them in the User Account Console. Administrators can revoke offline tokens for individual users in the Admin Console in the Consents tab. Administrators can view all offline tokens issued in the Offline Access tab of each client. Administrators can revoke offline tokens by setting a revocation policy.

To issue an offline token, users must have the role mapping for the realm-level offline_access role. Clients must also have that role in their scope. Clients must add an offline_access client scope as an Optional client scope to the role, which is done by default.

Clients can request an offline token by adding the parameter scope=offline_access when sending their authorization request to Keycloak. The Keycloak OIDC client adapter automatically adds this parameter when you use it to access your application’s secured URL (such as, http://localhost:8080/customer-portal/secured?scope=offline_access). The Direct Access Grant and Service Accounts support offline tokens if you include scope=offline_access in the authentication request body.

Keycloak will limit its internal cache for offline user and offline client sessions to 10000 entries by default, which will reduce the overall memory usage for offline sessions. Items which are evicted from memory will be loaded on-demand from the database when needed. To set different sizes for the caches, edit Keycloak’s cache config file to set a <memory max-count="..."/> for those caches.

If you disabled feature persistent-user-sessions, it is possible to reduce memory requirements using a configuration option that shortens lifespan for imported offline sessions. Such sessions will be evicted from the Infinispan caches after the specified lifespan, but still available in the database. This will lower memory consumption, especially for deployments with a large number of offline sessions.

To specify the lifespan override for offline user sessions, start Keycloak server with the following parameter:

--spi-user-sessions-infinispan-offline-session-cache-entry-lifespan-override=<lifespan-in-seconds>

Similarly for offline client sessions:

--spi-user-sessions-infinispan-offline-client-session-cache-entry-lifespan-override=<lifespan-in-seconds>

Transient sessions

You can conduct transient sessions in Keycloak. When using transient sessions, Keycloak does not create a user session after successful authentication. Keycloak creates a temporary, transient session for the scope of the current request that successfully authenticates the user. Keycloak can run protocol mappers using transient sessions after authentication.

The sid and session_state of the tokens are usually empty when the token is issued with transient sessions. So during transient sessions, the client application cannot refresh tokens or validate a specific session. Sometimes these actions are unnecessary, so you can avoid the additional resource use of persisting user sessions. This session saves performance, memory, and network communication (in cluster and cross-data center environments) resources.

At this moment, transient sessions are automatically used just during service account authentication with disabled token refresh. Note that token refresh is automatically disabled during service account authentication unless explicitly enabled by client switch Use refresh tokens for client credentials grant.

Assigning permissions using roles and groups

Roles and groups have a similar purpose, which is to give users access and permissions to use applications. Groups are a collection of users to which you apply roles and attributes. Roles define specific applications permissions and access control.

A role typically applies to one type of user. For example, an organization may include admin, user, manager, and employee roles. An application can assign access and permissions to a role and then assign multiple users to that role so the users have the same access and permissions. For example, the Admin Console has roles that give permission to users to access different parts of the Admin Console.

There is a global namespace for roles and each client also has its own dedicated namespace where roles can be defined.

Creating a realm role

Realm-level roles are a namespace for defining your roles. To see the list of roles, click Realm Roles in the menu.

roles

Procedure
  1. Click Create Role.

  2. Enter a Role Name.

  3. Enter a Description.

  4. Click Save.

Add role

Add role

The description field can be localized by specifying a substitution variable with ${var-name} strings. The localized value is configured to your theme within the themes property files. See the Server Developer Guide for more details.

Client roles

Client roles are namespaces dedicated to clients. Each client gets its own namespace. Client roles are managed under the Roles tab for each client. You interact with this UI the same way you do for realm-level roles.

Converting a role to a composite role

Any realm or client level role can become a composite role. A composite role is a role that has one or more additional roles associated with it. When a composite role is mapped to a user, the user gains the roles associated with the composite role. This inheritance is recursive so users also inherit any composite of composites. However, we recommend that composite roles are not overused.

Procedure
  1. Click Realm Roles in the menu.

  2. Click the role that you want to convert.

  3. From the Action list, select Add associated roles.

Composite role

Composite role

The role selection UI is displayed on the page and you can associate realm level and client level roles to the composite role you are creating.

In this example, the employee realm-level role is associated with the developer composite role. Any user with the developer role also inherits the employee role.

When creating tokens and SAML assertions, any composite also has its associated roles added to the claims and assertions of the authentication response sent back to the client.

Assigning role mappings

You can assign role mappings to a user through the Role Mappings tab for that user.

Procedure
  1. Click Users in the menu.

  2. Click the user that you want to perform a role mapping on.

  3. Click the Role mappings tab.

  4. Click Assign role.

  5. Select the role you want to assign to the user from the dialog.

  6. Click Assign.

Role mappings

Role mappings

In the preceding example, we are assigning the composite role developer to a user. That role was created in the Composite Roles topic.

Effective role mappings

Effective role mappings

When the developer role is assigned, the employee role associated with the developer composite is displayed with Inherited "True". Inherited roles are the roles explicitly assigned to users and roles that are inherited from composites.

Using default roles

Use default roles to automatically assign user role mappings when a user is created or imported through Identity Brokering.

Procedure
  1. Click Realm settings in the menu.

  2. Click the User registration tab.

    Default roles

    Default roles

This screenshot shows that some default roles already exist.

Role scope mappings

On creation of an OIDC access token or SAML assertion, the user role mappings become claims within the token or assertion. Applications use these claims to make access decisions on the resources controlled by the application. Keycloak digitally signs access tokens and applications reuse them to invoke remotely secured REST services. However, these tokens have an associated risk. An attacker can obtain these tokens and use their permissions to compromise your networks. To prevent this situation, use Role Scope Mappings.

Role Scope Mappings limit the roles declared inside an access token. When a client requests a user authentication, the access token they receive contains only the role mappings that are explicitly specified for the client’s scope. The result is that you limit the permissions of each individual access token instead of giving the client access to all the users permissions.

By default, each client gets all the role mappings of the user. You can view the role mappings for a client.

Procedure
  1. Click Clients in the menu.

  2. Click the client to go to the details.

  3. Click the Client scopes tab.

  4. Click the link in the row with Dedicated scope and mappers for this client

  5. Click the Scope tab.

Full scope

Full scope

By default, the effective roles of scopes are every declared role in the realm. To change this default behavior, toggle Full Scope Allowed to OFF and declare the specific roles you want in each client. You can also use client scopes to define the same role scope mappings for a set of clients.

Partial scope

Partial scope

Groups

Groups in Keycloak manage a common set of attributes and role mappings for each user. Users can be members of any number of groups and inherit the attributes and role mappings assigned to each group.

To manage groups, click Groups in the menu.

Groups

groups

Groups are hierarchical. A group can have multiple subgroups but a group can have only one parent. Subgroups inherit the attributes and role mappings from their parent. Users inherit the attributes and role mappings from their parent as well.

If you have a parent group and a child group, and a user that belongs only to the child group, the user in the child group inherits the attributes and role mappings of both the parent group and the child group.

The hierarchy of a group is sometimes represented using the group path. The path is the complete list of names that represents the hierarchy of a specific group, from top to bottom and separated by slashes / (similar to files in a File System). For example a path can be /top/level1/level2 which means that top is a top level group and is parent of level1, which in turn is parent of level2. This path represents unambiguously the hierarchy for the group level2.

Because of historical reasons Keycloak, does not escape slashes in the group name itself. Therefore a group named level1/group under top uses the path /top/level1/group, which is misleading. Keycloak can be started with the option --spi-group-jpa-escape-slashes-in-group-path to true and then the slashes in the name are escaped with the character ~. The escape char marks that the slash is part of the name and has no hierarchical meaning. The previous path example would be /top/level1~/group when escaped.

bin/kc.[sh|bat] start --spi-group-jpa-escape-slashes-in-group-path=true

The following example includes a top-level Sales group and a child North America subgroup.

To add a group:

  1. Click the group.

  2. Click Create group.

  3. Enter a group name.

  4. Click Create.

  5. Click the group name.

    The group management page is displayed.

    Group

    group

Attributes and role mappings you define are inherited by the groups and users that are members of the group.

To add a user to a group:

  1. Click Users in the menu.

  2. Click the user that you want to perform a role mapping on. If the user is not displayed, click View all users.

  3. Click Groups.

    User groups

    user groups

  4. Click Join Group.

  5. Select a group from the dialog.

  6. Select a group from the Available Groups tree.

  7. Click Join.

To remove a group from a user:

  1. Click Users in the menu.

  2. Click the user to be removed from the group.

  3. Click Leave on the group table row.

In this example, the user jimlincoln is in the North America group. You can see jimlincoln displayed under the Members tab for the group.

Group membership

group membership

Groups compared to roles

Groups and roles have some similarities and differences. In Keycloak, groups are a collection of users to which you apply roles and attributes. Roles define types of users, and applications assign permissions and access control to roles.

Composite Roles are similar to Groups as they provide the same functionality. The difference between them is conceptual. Composite roles apply the permission model to a set of services and applications. Use composite roles to manage applications and services.

Groups focus on collections of users and their roles in an organization. Use groups to manage users.

Using default groups

To automatically assign group membership to any users who is created or who is imported through Identity Brokering, you use default groups.

  1. Click Realm settings in the menu.

  2. Click the User registration tab.

  3. Click the Default Groups tab.

    Default groups

    Default groups

This screenshot shows that some default groups already exist.

Configuring authentication

This chapter covers several authentication topics. These topics include:

  • Enforcing strict password and One Time Password (OTP) policies.

  • Managing different credential types.

  • Logging in with Kerberos.

  • Disabling and enabling built-in credential types.

Password policies

When Keycloak creates a realm, it does not associate password policies with the realm. You can set a simple password with no restrictions on its length, security, or complexity. Simple passwords are unacceptable in production environments. Keycloak has a set of password policies available through the Admin Console.

Procedure
  1. Click Authentication in the menu.

  2. Click the Policies tab.

  3. Select the policy to add in the Add policy drop-down box.

  4. Enter a value that applies to the policy chosen.

  5. Click Save.

    Password policy Password Policy

After saving the policy, Keycloak enforces the policy for new users.

The new policy will not be effective for existing users. Therefore, make sure that you set the password policy from the beginning of the realm creation or add "Update password" to existing users or use "Expire password" to make sure that users update their passwords in next "N" days, which will actually adjust to new password policies.

Password policy types

HashAlgorithm

Passwords are not stored in cleartext. Before storage or validation, Keycloak hashes passwords using standard hashing algorithms.

Supported password hashing algorithms include:

  • argon2:: Argon2 (default for non-FIPS deployments)

  • pbkdf2-sha512:: PBKDF2 with SHA512 (default for FIPS deployments)

  • pbkdf2-sha256:: PBKDF2 with SHA256

  • pbkdf2:: PBKDF2 with SHA1 (deprecated)

It is highly recommended to use Argon2 when possible as it has significantly less CPU requirements compared to PBKDF2, while at the same time being more secure.

The default password hashing algorithm for the server can be configured with --spi-password-hashing-provider-default=<algorithm>.

To prevent excessive memory and CPU usage, the parallel computation of hashes by Argon2 is by default limited to the number of cores available to the JVM. To configure the Argon2 hashing provider, use its provider options.

See the Server Developer Guide on how to add your own hashing algorithm.

If you change the hashing algorithm, password hashes in storage will not change until the user logs in.

Hashing iterations

Specifies the number of times Keycloak hashes passwords before storage or verification. The default value is -1, which uses the default hashing intervals for the selected hashing algorithm:

  • argon2:: 5

  • pbkdf2-sha512:: 210,000

  • pbkdf2-sha256:: 600,000

  • pbkdf2:: 1,300,000

In most cases the hashing iterations should not be changed from the recommended default values. Lower values for iterations provide insufficient security, while higher values result in higher CPU power requirements.

Digits

The number of numerical digits required in the password string.

Lowercase characters

The number of lower case letters required in the password string.

Uppercase characters

The number of upper case letters required in the password string.

Special characters

The number of special characters required in the password string.

Not username

The password cannot be the same as the username.

Not email

The password cannot be the same as the email address of the user.

Regular expression

Password must match one or more defined Java regular expression patterns. See Java’s regular expression documentation for the syntax of those expressions.

Expire password

The number of days the password is valid. When the number of days has expired, the user must change their password.

Not recently used

Password cannot be already used by the user. Keycloak stores a history of used passwords. The number of old passwords stored is configurable in Keycloak.

Not recently used (In Days)

Password cannot be reused within the configured time period (in days). If the new password was last set within this period, the user will be forced to provide a different one.

Password blacklist

Password must not be in a blacklist file.

  • Blacklist files are UTF-8 plain-text files with Unix line endings. Every line represents a blacklisted password.

  • Keycloak compares passwords in a case-insensitive manner.

  • The value of the blacklist file must be the name of the blacklist file, for example, 100k_passwords.txt.

  • Blacklist files resolve against ${kc.home.dir}/data/password-blacklists/ by default. Customize this path using:

    • The keycloak.password.blacklists.path system property.

    • The blacklistsPath property of the passwordBlacklist policy SPI configuration. To configure the blacklist folder using the CLI, use --spi-password-policy-password-blacklist-blacklists-path=/path/to/blacklistsFolder.

A note about False Positives

The current implementation uses a BloomFilter for fast and memory efficient containment checks, such as whether a given password is contained in a blacklist, with the possibility for false positives.

  • By default a false positive probability of 0.01% is used.

  • To change the false positive probability by CLI configuration, use --spi-password-policy-password-blacklist-false-positive-probability=0.00001.

Maximum Authentication Age

Specifies the maximum age of a user authentication in seconds with which the user can update a password without re-authentication. A value of 0 indicates that the user has to always re-authenticate with their current password before they can update the password. See AIA section for some additional details about this policy.

The Maximum Authentication Age is configurable also when configuring the required action Update Password in the Required Actions tab in the Admin Console. The better choice is to use the required action for the configuration because the Maximum Authentication Age password policy might be deprecated/removed in the future.

One Time Password (OTP) policies

Keycloak has several policies for setting up a FreeOTP or Google Authenticator One-Time Password generator.

Procedure
  1. Click Authentication in the menu.

  2. Click the Policy tab.

  3. Click the OTP Policy tab.

Otp Policy

OTP Policy

Keycloak generates a QR code on the OTP set-up page, based on information configured in the OTP Policy tab. FreeOTP and Google Authenticator scan the QR code when configuring OTP.

Time-based or counter-based one time passwords

The algorithms available in Keycloak for your OTP generators are time-based and counter-based.

With Time-Based One Time Passwords (TOTP), the token generator will hash the current time and a shared secret. The server validates the OTP by comparing the hashes within a window of time to the submitted value. TOTPs are valid for a short window of time.

With Counter-Based One Time Passwords (HOTP), Keycloak uses a shared counter rather than the current time. The Keycloak server increments the counter with each successful OTP login. Valid OTPs change after a successful login.

TOTP is more secure than HOTP because the matchable OTP is valid for a short window of time, while the OTP for HOTP is valid for an indeterminate amount of time. HOTP is more user-friendly than TOTP because no time limit exists to enter the OTP.

HOTP requires a database update every time the server increments the counter. This update is a performance drain on the authentication server during heavy load. To increase efficiency, TOTP does not remember passwords used, so there is no need to perform database updates. The drawback is that it is possible to reuse TOTPs in the valid time interval.

TOTP configuration options

OTP hash algorithm

The default algorithm is SHA1. The other, more secure options are SHA256 and SHA512.

Number of digits

The length of the OTP. Short OTP’s are user-friendly, easier to type, and easier to remember. Longer OTP’s are more secure than shorter OTP’s.

Look around window

The number of intervals the server attempts to match the hash. This option is present in Keycloak if the clock of the TOTP generator or authentication server becomes out-of-sync. The default value of 1 is adequate. For example, if the time interval for a token is 30 seconds, the default value of 1 means it will accept valid tokens in the 90-second window (time interval 30 seconds + look ahead 30 seconds + look behind 30 seconds). Every increment of this value increases the valid window by 60 seconds (look ahead 30 seconds + look behind 30 seconds).

OTP token period

The time interval in seconds the server matches a hash. Each time the interval passes, the token generator generates a TOTP.

Reusable code

Determine whether OTP tokens can be reused in the authentication process or user needs to wait for the next token. Users cannot reuse those tokens by default, and the administrator needs to explicitly specify that those tokens can be reused.

HOTP configuration options

OTP hash algorithm

The default algorithm is SHA1. The other, more secure options are SHA256 and SHA512.

Number of digits

The length of the OTP. Short OTPs are user-friendly, easier to type, and easier to remember. Longer OTPs are more secure than shorter OTPs.

Look around window

The number of previous and following intervals the server attempts to match the hash. This option is present in Keycloak if the clock of the TOTP generator or authentication server become out-of-sync. The default value of 1 is adequate. This option is present in Keycloak to cover when the user’s counter gets ahead of the server.

Initial counter

The value of the initial counter.

Authentication flows

An authentication flow is a container of authentications, screens, and actions, during log in, registration, and other Keycloak workflows.

Built-in flows

Keycloak has several built-in flows. You cannot modify these flows, but you can alter the flow’s requirements to suit your needs.

Procedure
  1. Click Authentication in the menu.

  2. Click on the Browser item in the list to see the details.

Browser flow

Browser Flow

Auth type

The name of the authentication or the action to execute. If an authentication is indented, it is in a sub-flow. It may or may not be executed, depending on the behavior of its parent.

  1. Cookie

    The first time a user logs in successfully, Keycloak sets a session cookie. If the cookie is already set, this authentication type is successful. Since the cookie provider returned success and each execution at this level of the flow is alternative, Keycloak does not perform any other execution. This results in a successful login.

  2. Kerberos

    This authenticator is disabled by default and is skipped during the Browser Flow.

  3. Identity Provider Redirector

    This action is configured through the Actions > Config link. It redirects to another IdP for identity brokering.

  4. Forms

    Since this sub-flow is marked as alternative, it will not be executed if the Cookie authentication type passed. This sub-flow contains an additional authentication type that needs to be executed. Keycloak loads the executions for this sub-flow and processes them.

The first execution is the Username Password Form, an authentication type that renders the username and password page. It is marked as required, so the user must enter a valid username and password.

The second execution is the Browser - Conditional OTP sub-flow. This sub-flow is conditional and executes depending on the result of the Condition - User Configured execution. If the result is true, Keycloak loads the executions for this sub-flow and processes them.

The next execution is the Condition - User Configured authentication. This authentication checks if Keycloak has configured other executions in the flow for the user. The Browser - Conditional OTP sub-flow executes only when the user has a configured OTP credential.

The final execution is the OTP Form. Keycloak marks this execution as required but it runs only when the user has an OTP credential set up because of the setup in the conditional sub-flow. If not, the user does not see an OTP form.

Requirement

A set of radio buttons that control the execution of an action executes.

Required

All Required elements in the flow must be successfully sequentially executed. The flow terminates if a required element fails.

Alternative

Only a single element must successfully execute for the flow to evaluate as successful. Because the Required flow elements are sufficient to mark a flow as successful, any Alternative flow element within a flow containing Required flow elements will not execute.

Disabled

The element does not count to mark a flow as successful.

Conditional

This requirement type is only set on sub-flows.

  • A Conditional sub-flow contains executions. These executions must evaluate to logical statements.

  • If all executions evaluate as true, the Conditional sub-flow acts as Required.

  • If any executions evaluate as false, the Conditional sub-flow acts as Disabled.

  • If you do not set an execution, the Conditional sub-flow acts as Disabled.

  • If a flow contains executions and the flow is not set to Conditional, Keycloak does not evaluate the executions, and the executions are considered functionally Disabled.

Creating flows

Important functionality and security considerations apply when you design a flow.

To create a flow, perform the following:

Procedure
  1. Click Authentication in the menu.

  2. Click Create flow.

You can copy and then modify an existing flow. Click the "Action list" (the three dots at the end of the row), click Duplicate, and enter a name for the new flow.

When creating a new flow, you must create a top-level flow first with the following options:

Name

The name of the flow.

Description

The description you can set to the flow.

Top-Level Flow Type

The type of flow. The type client is used only for the authentication of clients (applications). For all other cases, choose basic.

Create a top-level flow

Top Level Flow

When Keycloak has created the flow, Keycloak displays the Add step, and Add sub-flow buttons.

An empty new flow

New Flow

Three factors determine the behavior of flows and sub-flows.

  • The structure of the flow and sub-flows.

  • The executions within the flows

  • The requirements set within the sub-flows and the executions.

Executions have a wide variety of actions, from sending a reset email to validating an OTP. Add executions with the Add step button.

Adding an authentication execution

Adding an Authentication Execution

Authentication executions can optionally have a reference value configured. This can be utilized by the Authentication Method Reference (AMR) protocol mapper to populate the amr claim in OIDC access and ID tokens (for more information on the AMR claim, see RFC-8176). When the Authentication Method Reference (AMR) protocol mapper is configured for a client, it will populate the amr claim with the reference value for any authenticator execution the user successfully completes during the authentication flow.

Adding an authenticator reference value

Configuring an Authenticator Reference Value

Two types of executions exist, automatic executions and interactive executions. Automatic executions are similar to the Cookie execution and will automatically perform their action in the flow. Interactive executions halt the flow to get input. Executions executing successfully set their status to success. For a flow to complete, it needs at least one execution with a status of success.

You can add sub-flows to top-level flows with the Add sub-flow button. The Add sub-flow button displays the Create Execution Flow page. This page is similar to the Create Top Level Form page. The difference is that the Flow Type can be basic (default) or form. The form type constructs a sub-flow that generates a form for the user, similar to the built-in Registration flow. Sub-flows success depends on how their executions evaluate, including their contained sub-flows. See the execution requirements section for an in-depth explanation of how sub-flows work.

After adding an execution, check the requirement has the correct value.

All elements in a flow have a Delete option next to the element. Some executions have a ⚙️ menu item (the gear icon) to configure the execution. It is also possible to add executions and sub-flows to sub-flows with the Add step and Add sub-flow links.

Since the order of execution is important, you can move executions and sub-flows up and down by dragging their names.

Make sure to properly test your configuration when you configure the authentication flow to confirm that no security holes exist in your setup. We recommend that you test various corner cases. For example, consider testing the authentication behavior for a user when you remove various credentials from the user’s account before authentication.

As an example, when 2nd-factor authenticators, such as OTP Form or WebAuthn Authenticator, are configured in the flow as REQUIRED and the user does not have credential of particular type, the user will be able to set up the particular credential during authentication itself. This situation means that the user does not authenticate with this credential as he set up it right during the authentication. So for browser authentication, make sure to configure your authentication flow with some 1st-factor credentials such as Password or WebAuthn Passwordless Authenticator.

Creating a password-less browser login flow

To illustrate the creation of flows, this section describes creating an advanced browser login flow. The purpose of this flow is to allow a user a choice between logging in using a password-less manner with WebAuthn, or two-factor authentication with a password and OTP.

Procedure
  1. Click Authentication in the menu.

  2. Click the Flows tab.

  3. Click Create flow.

  4. Enter Browser Password-less as a name.

  5. Click Create.

  6. Click Add execution.

  7. Select Cookie from the list.

  8. Click Add.

  9. Select Alternative for the Cookie authentication type to set its requirement to alternative.

  10. Click Add step.

  11. Select Kerberos from the list.

  12. Click Add.

  13. Click Add step.

  14. Select Identity Provider Redirector from the list.

  15. Click Add.

  16. Select Alternative for the Identity Provider Redirector authentication type to set its requirement to alternative.

  17. Click Add sub-flow.

  18. Enter Forms as a name.

  19. Click Add.

  20. Select Alternative for the Forms authentication type to set its requirement to alternative.

    The common part with the browser flow

    Passwordless browser login

  21. Click + menu of the Forms execution.

  22. Select Add step.

  23. Select Username Form from the list.

  24. Click Add.

At this stage, the form requires a username but no password. We must enable password authentication to avoid security risks.

  1. Click + menu of the Forms sub-flow.

  2. Click Add sub-flow.

  3. Enter Authentication as name.

  4. Click Add.

  5. Select Required for the Authentication authentication type to set its requirement to required.

  6. Click + menu of the Authentication sub-flow.

  7. Click Add step.

  8. Select WebAuthn Passwordless Authenticator from the list.

  9. Click Add.

  10. Select Alternative for the Webauthn Passwordless Authenticator authentication type to set its requirement to alternative.

  11. Click + menu of the Authentication sub-flow.

  12. Click Add sub-flow.

  13. Enter Password with OTP as name.

  14. Click Add.

  15. Select Alternative for the Password with OTP authentication type to set its requirement to alternative.

  16. Click + menu of the Password with OTP sub-flow.

  17. Click Add step.

  18. Select Password Form from the list.

  19. Click Add.

  20. Select Required for the Password Form authentication type to set its requirement to required.

  21. Click + menu of the Password with OTP sub-flow.

  22. Click Add step.

  23. Select OTP Form from the list.

  24. Click Add.

  25. Click Required for the OTP Form authentication type to set its requirement to required.

Finally, change the bindings.

  1. Click the Action menu at the top of the screen.

  2. Select Bind flow from the menu.

  3. Click the Browser Flow drop-down list.

  4. Click Save.

A password-less browser login

Passwordless browser login

After entering the username, the flow works as follows:

If users have WebAuthn passwordless credentials recorded, they can use these credentials to log in directly. This is the password-less login. The user can also select Password with OTP because the WebAuthn Passwordless execution and the Password with OTP flow are set to Alternative. If they are set to Required, the user has to enter WebAuthn, password, and OTP.

If the user selects the Try another way link with WebAuthn passwordless authentication, the user can choose between Password and Passkey (WebAuthn passwordless). When selecting the password, the user will need to continue and log in with the assigned OTP. If the user has no WebAuthn credentials, the user must enter the password and then the OTP. If the user has no OTP credential, they will be asked to record one.

Since the WebAuthn Passwordless execution is set to Alternative rather than Required, this flow will never ask the user to register a WebAuthn credential. For a user to have a Webauthn credential, an administrator must add a required action to the user. Do this by:

  1. Enabling the Webauthn Register Passwordless required action in the realm (see the WebAuthn documentation).

  2. Setting the required action using the Credential Reset part of a user’s Credentials management menu.

Creating an advanced flow such as this can have side effects. For example, if you enable the ability to reset the password for users, this would be accessible from the password form. In the default Reset Credentials flow, users must enter their username. Since the user has already entered a username earlier in the Browser Password-less flow, this action is unnecessary for Keycloak and suboptimal for user experience. To correct this problem, you can:

  • Duplicate the Reset Credentials flow. Set its name to Reset Credentials for password-less, for example.

  • Click Delete (trash icon) of the Choose user step.

  • In the Action menu, select Bind flow and select Reset credentials flow from the dropdown and click Save

Creating a browser login flow with step-up mechanism

This section describes how to create advanced browser login flow using the step-up mechanism. The purpose of step-up authentication is to allow access to clients or resources based on a specific authentication level of a user.

Procedure
  1. Click Authentication in the menu.

  2. Click the Flows tab.

  3. Click Create flow.

  4. Enter Browser Incl Step up Mechanism as a name.

  5. Click Save.

  6. Click Add execution.

  7. Select Cookie from the list.

  8. Click Add.

  9. Select Alternative for the Cookie authentication type to set its requirement to alternative.

  10. Click Add sub-flow.

  11. Enter Auth Flow as a name.

  12. Click Add.

  13. Click Alternative for the Auth Flow authentication type to set its requirement to alternative.

Now you configure the flow for the first authentication level.

  1. Click + menu of the Auth Flow.

  2. Click Add sub-flow.

  3. Enter 1st Condition Flow as a name.

  4. Click Add.

  5. Click Conditional for the 1st Condition Flow authentication type to set its requirement to conditional.

  6. Click + menu of the 1st Condition Flow.

  7. Click Add condition.

  8. Select Conditional - Level Of Authentication from the list.

  9. Click Add.

  10. Click Required for the Conditional - Level Of Authentication authentication type to set its requirement to required.

  11. Click ⚙️ (gear icon).

  12. Enter Level 1 as an alias.

  13. Enter 1 for the Level of Authentication (LoA).

  14. Set Max Age to 36000. This value is in seconds and it is equivalent to 10 hours, which is the default SSO Session Max timeout set in the realm. As a result, when a user authenticates with this level, subsequent SSO logins can reuse this level and the user does not need to authenticate with this level until the end of the user session, which is 10 hours by default.

  15. Click Save

    Configure the condition for the first authentication level

    Authentication step up condition 1

  16. Click + menu of the 1st Condition Flow.

  17. Click Add step.

  18. Select Username Password Form from the list.

  19. Click Add.

Now you configure the flow for the second authentication level.

  1. Click + menu of the Auth Flow.

  2. Click Add sub-flow.

  3. Enter 2nd Condition Flow as an alias.

  4. Click Add.

  5. Click Conditional for the 2nd Condition Flow authentication type to set its requirement to conditional.

  6. Click + menu of the 2nd Condition Flow.

  7. Click Add condition.

  8. Select Conditional - Level Of Authentication from the item list.

  9. Click Add.

  10. Click Required for the Conditional - Level Of Authentication authentication type to set its requirement to required.

  11. Click ⚙️ (gear icon).

  12. Enter Level 2 as an alias.

  13. Enter 2 for the Level of Authentication (LoA).

  14. Set Max Age to 0. As a result, when a user authenticates, this level is valid just for the current authentication, but not any subsequent SSO authentications. So the user will always need to authenticate again with this level when this level is requested.

  15. Click Save

    Configure the condition for the second authentication level

    Autehtnication step up condition 2

  16. Click + menu of the 2nd Condition Flow.

  17. Click Add step.

  18. Select OTP Form from the list.

  19. Click Add.

  20. Click Required for the OTP Form authentication type to set its requirement to required.

Finally, change the bindings.

  1. Click the Action menu at the top of the screen.

  2. Select Bind flow from the list.

  3. Select Browser Flow in the dropdown.

  4. Click Save.

Browser login with step-up mechanism

Authentication step up flow

Request a certain authentication level

To use the step-up mechanism, you specify a requested level of authentication (LoA) in your authentication request. The claims parameter is used for this purpose:

https://{DOMAIN}/realms/{REALMNAME}/protocol/openid-connect/auth?client_id={CLIENT-ID}&redirect_uri={REDIRECT-URI}&scope=openid&response_type=code&response_mode=query&nonce=exg16fxdjcu&claims=%7B%22id_token%22%3A%7B%22acr%22%3A%7B%22essential%22%3Atrue%2C%22values%22%3A%5B%22gold%22%5D%7D%7D%7D

The claims parameter is specified in a JSON representation:

claims= {
            "id_token": {
                "acr": {
                    "essential": true,
                    "values": ["gold"]
                }
            }
        }

The Keycloak javascript adapter has support for easy construct of this JSON and sending it in the login request. See Keycloak JavaScript adapter in the securing apps section for more details.

You can also use simpler parameter acr_values instead of claims parameter to request particular levels as non-essential. This is mentioned in the OIDC specification.

You can also configure the default level for the particular client, which is used when the parameter acr_values or the parameter claims with the acr claim is not present. For further details, see Client ACR configuration).

To request the acr_values as text (such as gold) instead of a numeric value, you configure the mapping between the ACR and the LoA. It is possible to configure it at the realm level (recommended) or at the client level. For configuration see ACR to LoA Mapping.

For more details see the official OIDC specification.

Flow logic

The logic for the previous configured authentication flow is as follows:
If a client request a high authentication level, meaning Level of Authentication 2 (LoA 2), a user has to perform full 2-factor authentication: Username/Password + OTP. However, if a user already has a session in Keycloak, that was logged in with username and password (LoA 1), the user is only asked for the second authentication factor (OTP).

The option Max Age in the condition determines how long (how much seconds) the subsequent authentication level is valid. This setting helps to decide whether the user will be asked to present the authentication factor again during a subsequent authentication. If the particular level X is requested by the claims or acr_values parameter and user already authenticated with level X, but it is expired (for example max age is configured to 300 and user authenticated before 310 seconds) then the user will be asked to re-authenticate again with the particular level. However if the level is not yet expired, the user will be automatically considered as authenticated with that level.

Using Max Age with the value 0 means, that particular level is valid just for this single authentication. Hence every re-authentication requesting that level will need to authenticate again with that level. This is useful for operations that require higher security in the application (e.g. send payment) and always require authentication with the specific level.

Note that parameters such as claims or acr_values might be changed by the user in the URL when the login request is sent from the client to the Keycloak via the user’s browser. This situation can be mitigated if client uses PAR (Pushed authorization request), a request object, or other mechanisms that prevents the user from rewrite the parameters in the URL. Hence after the authentication, clients are encouraged to check the ID Token to double-check that acr in the token corresponds to the expected level.

If no explicit level is requested by parameters, the Keycloak will require the authentication with the first LoA condition found in the authentication flow, such as the Username/Password in the preceding example. When a user was already authenticated with that level and that level expired, the user is not required to re-authenticate, but acr in the token will have the value 0. This result is considered as authentication based solely on long-lived browser cookie as mentioned in the section 2 of OIDC Core 1.0 specification.

During the first authentication of the user, the first configured subflow with the Conditional - Level Of Authentication is always executed (regardless of the requested level) as the user does not yet have any level. Therefore, we recommend that the first level subflow contains the minimal required authenticators for user authentication. In addition, ensure that the subflows with different values of Conditional - Level Of Authentication are ordered starting with the lowest as shown in the example above. For example, if you configure a subflow with level 2 and then add another subflow with level 1, the level 2 subflow will be always asked during the first authentication, which may not be the desired behavior.
A conflict situation may arise when an admin specifies several flows, sets different LoA levels to each, and assigns the flows to different clients. However, the rule is always the same: if a user has a certain level, it needs only have that level to connect to a client. It’s up to the admin to make sure that the LoA is coherent.

Example scenario

  1. Max Age is configured as 300 seconds for level 1 condition.

  2. Login request is sent without requesting any acr. Level 1 will be used and the user needs to authenticate with username and password. The token will have acr=1.

  3. Another login request is sent after 100 seconds. The user is automatically authenticated due to the SSO and the token will return acr=1.

  4. Another login request is sent after another 201 seconds (301 seconds since authentication in point 2). The user is automatically authenticated due to the SSO, but the token will return acr=0 due the level 1 is considered expired.

  5. Another login request is sent, but now it will explicitly request ACR of level 1 in the claims parameter. User will be asked to re-authenticate with username/password and then acr=1 will be returned in the token.

ACR claim in the token

ACR claim is added to the token by the acr loa level protocol mapper defined in the acr client scope. This client scope is the realm default client scope and hence will be added to all newly created clients in the realm.

In case you do not want acr claim inside tokens or you need some custom logic for adding it, you can remove the client scope from your client.

Note when the login request initiates a request with the claims parameter requesting acr as essential claim, then Keycloak will always return one of the specified levels. If it is not able to return one of the specified levels (For example if the requested level is unknown or bigger than configured conditions in the authentication flow), then Keycloak will throw an error.

Registration or Reset credentials requested by client

Usually when the user is redirected to the Keycloak from client application, the browser flow is triggered. This flow may allow the user to register in case that realm registration is enabled and the user clicks Register on the login screen. Also, if Forget password is enabled for the realm, the user can click Forget password on the login screen, which triggers the Reset credentials flow where users can reset credentials after email address confirmation.

Sometimes it can be useful for the client application to directly redirect the user to the Registration screen or to the Reset credentials flow. The resulting action will match the action of when the user clicks Register or Forget password on the normal login screen. Automatic redirect to the registration or reset-credentials screen can be done as follows:

  • When the client wants the user to be redirected directly to the registration, the OIDC client should replace the very last snippet from the OIDC login URL path (/auth) with /registrations . So the full URL might be similar to the following: https://keycloak.example.com/realms/your_realm/protocol/openid-connect/registrations.

  • When the client wants a user to be redirected directly to the Reset credentials flow, the OIDC client should replace the very last snippet from the OIDC login URL path (/auth) with /forgot-credentials .

The preceding steps are the only supported method for a client to directly request a registration or reset-credentials flow. For security purposes, it is not supported and recommended for client applications to bypass OIDC/SAML flows and directly redirect to other Keycloak endpoints (such as for instance endpoints under /realms/realm_name/login-actions or /realms/realm_name/broker).

User session limits

Limits on the number of session that a user can have can be configured. Sessions can be limited per realm or per client.

To add session limits to a flow, perform the following steps.

  1. Click Add step for the flow.

  2. Select User session count limiter from the item list.

  3. Click Add.

  4. Click Required for the User Session Count Limiter authentication type to set its requirement to required.

  5. Click ⚙️ (gear icon) for the User Session Count Limiter.

  6. Enter an alias for this config.

  7. Enter the required maximum number of sessions that a user can have in this realm. For example, if 2 is the value, 2 SSO sessions is the maximum that each user can have in this realm. If 0 is the value, this check is disabled.

  8. Enter the required maximum number of sessions a user can have for the client. For example, if 2 is the value, then 2 SSO sessions is the maximum in this realm for each client. So when a user is trying to authenticate to client foo, but that user has already authenticated in 2 SSO sessions to client foo, either the authentication will be denied or an existing sessions will be killed based on the behavior configured. If a value of 0 is used, this check is disabled. If both session limits and client session limits are enabled, it makes sense to have client session limits to be always lower than session limits. The limit per client can never exceed the limit of all SSO sessions of this user.

  9. Select the behavior that is required when the user tries to create a session after the limit is reached. Available behaviors are:

    • Deny new session - when a new session is requested and the session limit is reached, no new sessions can be created.

    • Terminate oldest session - when a new session is requested and the session limit has been reached, the oldest session will be removed and the new session created.

  10. Optionally, add a custom error message to be displayed when the limit is reached.

Note that the user session limits should be added to your bound Browser flow, Direct grant flow, Reset credentials and also to any Post broker login flow. The authenticator should be added at the point when the user is already known during authentication (usually at the end of the authentication flow) and should be typically REQUIRED. Note that it is not possible to have ALTERNATIVE and REQUIRED executions at the same level.

For most of authenticators like Direct grant flow, Reset credentials or Post broker login flow, it is recommended to add the authenticator as REQUIRED at the end of the authentication flow. Here is an example for the Reset credentials flow:

Authentication User Session Limits Reset Credentials Flow

For Browser flow, consider not adding the Session Limits authenticator at the top level flow. This recommendation is due to the Cookie authenticator, which automatically re-authenticates users based on SSO cookie. It is at the top level and it is better to not check session limits during SSO re-authentication because a user session already exists. So instead, consider adding a separate ALTERNATIVE subflow, such as the following authenticate-user-with-session-limit example at the same level like Cookie. Then you can add a REQUIRED subflow, in the following real-authentication-subflow`example, as a nested subflow of `authenticate-user-with-session-limit and add a User Session Limit at the same level as well. Inside the real-authentication-subflow, you can add real authenticators in a similar fashion to the default browser flow. The following example flow allows to users to authenticate with an identity provider or with password and OTP:

Authentication User Session Limits Browser Flow

Regarding Post Broker login flow, you can add the User Session Limits as the only authenticator in the authentication flow as long as you have no other authenticators that you trigger after authentication with your identity provider. However, make sure that this flow is configured as Post Broker Flow at your identity providers. This requirement exists needed so that the authentication with Identity providers also participates in the session limits.

Currently, the administrator is responsible for maintaining consistency between the different configurations. So make sure that all your flows use same the configuration of User Session Limits.
User session limit feature is not available for CIBA.

Script Authenticator

Ability to upload scripts through the Admin Console and REST endpoints is deprecated.

For more details see JavaScript Providers.

Kerberos

Keycloak supports login with a Kerberos ticket through the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) protocol. SPNEGO authenticates transparently through the web browser after the user authenticates the session. For non-web cases, or when a ticket is not available during login, Keycloak supports login with Kerberos username and password.

A typical use case for web authentication is the following:

  1. The user logs into the desktop.

  2. The user accesses a web application secured by Keycloak using a browser.

  3. The application redirects to Keycloak login.

  4. Keycloak renders the HTML login screen with status 401 and HTTP header WWW-Authenticate: Negotiate

  5. If the browser has a Kerberos ticket from desktop login, the browser transfers the desktop sign-on information to Keycloak in header Authorization: Negotiate 'spnego-token'. Otherwise, it displays the standard login screen, and the user enters the login credentials.

  6. Keycloak validates the token from the browser and authenticates the user.

  7. If using LDAPFederationProvider with Kerberos authentication support, Keycloak provisions user data from LDAP. If using KerberosFederationProvider, Keycloak lets the user update the profile and pre-fill login data.

  8. Keycloak returns to the application. Keycloak and the application communicate through OpenID Connect or SAML messages. Keycloak acts as a broker to Kerberos/SPNEGO login. Therefore Keycloak authenticating through Kerberos is hidden from the application.

The Negotiate www-authenticate scheme allows NTLM as a fallback to Kerberos and on some web browsers in Windows NTLM is supported by default. If a www-authenticate challenge comes from a server outside a browsers permitted list, users may encounter an NTLM dialog prompt. A user would need to click the cancel button on the dialog to continue as Keycloak does not support this mechanism. This situation can happen if Intranet web browsers are not strictly configured or if Keycloak serves users in both the Intranet and Internet. A custom authenticator can be used to restrict Negotiate challenges to a whitelist of hosts.

Perform the following steps to set up Kerberos authentication:

  1. The setup and configuration of the Kerberos server (KDC).

  2. The setup and configuration of the Keycloak server.

  3. The setup and configuration of the client machines.

Setup of Kerberos server

The steps to set up a Kerberos server depends on the operating system (OS) and the Kerberos vendor. Consult Windows Active Directory, MIT Kerberos, and your OS documentation for instructions on setting up and configuring a Kerberos server.

During setup, perform these steps:

  1. Add some user principals to your Kerberos database. You can also integrate your Kerberos with LDAP, so user accounts provision from the LDAP server.

  2. Add service principal for "HTTP" service. For example, if the Keycloak server runs on www.mydomain.org, add the service principal HTTP/www.mydomain.org@<kerberos realm>.

    On MIT Kerberos, you run a "kadmin" session. On a machine with MIT Kerberos, you can use the command:

sudo kadmin.local

Then, add HTTP principal and export its key to a keytab file with commands such as:

addprinc -randkey HTTP/www.mydomain.org@MYDOMAIN.ORG
ktadd -k /tmp/http.keytab HTTP/www.mydomain.org@MYDOMAIN.ORG

Ensure the keytab file /tmp/http.keytab is accessible on the host where Keycloak is running.

Setup and configuration of Keycloak server

Install a Kerberos client on your machine.

Procedure
  1. Install a Kerberos client. If your machine runs Fedora, Ubuntu, or RHEL, install the freeipa-client package, containing a Kerberos client and other utilities.

  2. Configure the Kerberos client (on Linux, the configuration settings are in the /etc/krb5.conf file ).

    Add your Kerberos realm to the configuration and configure the HTTP domains your server runs on.

    For example, for the MYDOMAIN.ORG realm, you can configure the domain_realm section like this:

    [domain_realm]
      .mydomain.org = MYDOMAIN.ORG
      mydomain.org = MYDOMAIN.ORG
  3. Export the keytab file with the HTTP principal and ensure the file is accessible to the process running the Keycloak server. For production, ensure that the file is readable by this process only.

    For the MIT Kerberos example above, we exported keytab to the /tmp/http.keytab file. If your Key Distribution Centre (KDC) and Keycloak run on the same host, the file is already available.

Enabling SPNEGO processing

By default, Keycloak disables SPNEGO protocol support. To enable it, go to the browser flow and enable Kerberos.

Browser flow

Browser Flow

Set the Kerberos requirement from disabled to alternative (Kerberos is optional) or required (browser must have Kerberos enabled). If you have not configured the browser to work with SPNEGO or Kerberos, Keycloak falls back to the regular login screen.

Configure Kerberos user storage federation providers

You must now use User Storage Federation to configure how Keycloak interprets Kerberos tickets. Two different federation providers exist with Kerberos authentication support.

To authenticate with Kerberos backed by an LDAP server, configure the LDAP Federation Provider.

Procedure
  1. Go to the configuration page for your LDAP provider.

    Ldap kerberos integration

    LDAP Kerberos Integration

  2. Toggle Allow Kerberos authentication to ON

Allow Kerberos authentication makes Keycloak use the Kerberos principal access user information so information can import into the Keycloak environment.

If an LDAP server is not backing up your Kerberos solution, use the Kerberos User Storage Federation Provider.

Procedure
  1. Click User Federation in the menu.

  2. Select Kerberos from the Add provider select box.

    Kerberos user storage provider

    Kerberos User Storage Provider

The Kerberos provider parses the Kerberos ticket for simple principal information and imports the information into the local Keycloak database. User profile information, such as first name, last name, and email, are not provisioned.

Setup and configuration of client machines

Client machines must have a Kerberos client and set up the krb5.conf as described above. The client machines must also enable SPNEGO login support in their browser. See configuring Firefox for Kerberos if you are using the Firefox browser.

The .mydomain.org URI must be in the network.negotiate-auth.trusted-uris configuration option.

In Windows domains, clients do not need to adjust their configuration. Internet Explorer and Edge can already participate in SPNEGO authentication.

Example setups

Keycloak and FreeIPA docker image

When you install docker, run a docker image with the FreeIPA server installed. FreeIPA provides an integrated security solution with MIT Kerberos and 389 LDAP server. The image also contains a Keycloak server configured with an LDAP Federation provider and enabled SPNEGO/Kerberos authentication against the FreeIPA server. See details here.

ApacheDS testing Kerberos server

For quick testing and unit tests, use a simple ApacheDS Kerberos server. You must build Keycloak from the source and then run the Kerberos server with the maven-exec-plugin from our test suite. See details here.

Credential delegation

Kerberos supports the credential delegation. Applications may need access to the Kerberos ticket so they can reuse it to interact with other services secured by Kerberos. Because the Keycloak server processed the SPNEGO protocol, you must propagate the GSS credential to your application within the OpenID Connect token claim or a SAML assertion attribute. Keycloak transmits this to your application from the Keycloak server. To insert this claim into the token or assertion, each application must enable the built-in protocol mapper gss delegation credential. This mapper is available in the Mappers tab of the application’s client page. See Protocol Mappers chapter for more details.

Applications must deserialize the claim it receives from Keycloak before using it to make GSS calls against other services. When you deserialize the credential from the access token to the GSSCredential object, create the GSSContext with this credential passed to the GSSManager.createContext method. For example:

// Obtain accessToken in your application.
KeycloakPrincipal keycloakPrincipal = (KeycloakPrincipal) servletReq.getUserPrincipal();
AccessToken accessToken = keycloakPrincipal.getKeycloakSecurityContext().getToken();

// Retrieve Kerberos credential from accessToken and deserialize it
String serializedGssCredential = (String) accessToken.getOtherClaims().
    get(org.keycloak.common.constants.KerberosConstants.GSS_DELEGATION_CREDENTIAL);

GSSCredential deserializedGssCredential = org.keycloak.common.util.KerberosSerializationUtils.
    deserializeCredential(serializedGssCredential);

// Create GSSContext to call other Kerberos-secured services
GSSContext context = gssManager.createContext(serviceName, krb5Oid,
    deserializedGssCredential, GSSContext.DEFAULT_LIFETIME);

Configure forwardable Kerberos tickets in krb5.conf file and add support for delegated credentials to your browser.

Credential delegation has security implications, so use it only if necessary and only with HTTPS. See this article for more details and an example.

Cross-realm trust

In the Kerberos protocol, the realm is a set of Kerberos principals. The definition of these principals exists in the Kerberos database, which is typically an LDAP server.

The Kerberos protocol allows cross-realm trust. For example, if 2 Kerberos realms, A and B, exist, then cross-realm trust will allow the users from realm A to access realm B’s resources. Realm B trusts realm A.

Kerberos cross-realm trust

kerberos trust basic

The Keycloak server supports cross-realm trust. To implement this, perform the following:

  • Configure the Kerberos servers for the cross-realm trust. Implementing this step depends on the Kerberos server implementations. This step is necessary to add the Kerberos principal krbtgt/B@A to the Kerberos databases of realm A and B. This principal must have the same keys on both Kerberos realms. The principals must have the same password, key version numbers, and ciphers in both realms. Consult the Kerberos server documentation for more details.

The cross-realm trust is unidirectional by default. You must add the principal krbtgt/A@B to both Kerberos databases for bidirectional trust between realm A and realm B. However, trust is transitive by default. If realm B trusts realm A and realm C trusts realm B, then realm C trusts realm A without the principal, krbtgt/C@A, available. Additional configuration (for example, capaths) may be necessary on the Kerberos client-side so clients can find the trust path. Consult the Kerberos documentation for more details.

  • Configure Keycloak server

    • When using an LDAP storage provider with Kerberos support, configure the server principal for realm B, as in this example: HTTP/mydomain.com@B. The LDAP server must find the users from realm A if users from realm A are to successfully authenticate to Keycloak, because Keycloak must perform the SPNEGO flow and then find the users.

Finding users is based on the LDAP storage provider option Kerberos principal attribute. When this is configured for instance with value like userPrincipalName, then after SPNEGO authentication of user john@A, Keycloak will try to lookup LDAP user with attribute userPrincipalName equivalent to john@A. If Kerberos principal attribute is left empty, then Keycloak will lookup the LDAP user based on the prefix of his kerberos principal with the realm omitted. For example, Kerberos principal user john@A must be available in the LDAP under username john, so typically under an LDAP DN such as uid=john,ou=People,dc=example,dc=com. If you want users from realm A and B to authenticate, ensure that LDAP can find users from both realms A and B.

  • When using a Kerberos user storage provider (typically, Kerberos without LDAP integration), configure the server principal as HTTP/mydomain.com@B, and users from Kerberos realms A and B must be able to authenticate.

Users from multiple Kerberos realms are allowed to authenticate as every user would have attribute KERBEROS_PRINCIPAL referring to the kerberos principal used for authentication and this is used for further lookups of this user. To avoid conflicts when there is user john in both kerberos realms A and B, the username of the Keycloak user might contain the kerberos realm lowercased. For instance username would be john@a. Just in case when realm matches with the configured Kerberos realm, the realm suffix might be omitted from the generated username. For instance username would be john for the Kerberos principal john@A as long as the Kerberos realm is configured on the Kerberos provider is A.

Troubleshooting

If you have issues, enable additional logging to debug the problem:

  • Enable Debug flag in the Admin Console for Kerberos or LDAP federation providers

  • Enable TRACE logging for category org.keycloak to receive more information in server logs

  • Add system properties -Dsun.security.krb5.debug=true and -Dsun.security.spnego.debug=true

X.509 client certificate user authentication

Keycloak supports logging in with an X.509 client certificate if you have configured the server to use mutual SSL authentication.

A typical workflow:

  • A client sends an authentication request over SSL/TLS channel.

  • During the SSL/TLS handshake, the server and the client exchange their x.509/v3 certificates.

  • The container (WildFly) validates the certificate PKIX path and the certificate expiration date.

  • The x.509 client certificate authenticator validates the client certificate by using the following methods:

    • Checks the certificate revocation status by using CRL or CRL Distribution Points.

    • Checks the Certificate revocation status by using OCSP (Online Certificate Status Protocol).

    • Validates whether the key in the certificate matches the expected key.

    • Validates whether the extended key in the certificate matches the expected extended key.

  • If any of the these checks fail, the x.509 authentication fails. Otherwise, the authenticator extracts the certificate identity and maps it to an existing user.

When the certificate maps to an existing user, the behavior diverges depending on the authentication flow:

  • In the Browser Flow, the server prompts users to confirm their identity or sign in with a username and password.

  • In the Direct Grant Flow, the server signs in the user.

Note that it is the responsibility of the web container to validate certificate PKIX path. X.509 authenticator on the Keycloak side provides just the additional support for check the certificate expiration, certificate revocation status and key usage. If you are using Keycloak deployed behind reverse proxy, make sure that your reverse proxy is configured to validate PKIX path. If you do not use reverse proxy and users directly access the WildFly, you should be fine as WildFly makes sure that PKIX path is validated as long as it is configured as described below.

Features

Supported Certificate Identity Sources:

  • Match SubjectDN by using regular expressions

  • X500 Subject’s email attribute

  • X500 Subject’s email from Subject Alternative Name Extension (RFC822Name General Name)

  • X500 Subject’s other name from Subject Alternative Name Extension. This other name is the User Principal Name (UPN), typically.

  • X500 Subject’s Common Name attribute

  • Match IssuerDN by using regular expressions

  • Certificate Serial Number

  • Certificate Serial Number and IssuerDN

  • SHA-256 Certificate thumbprint

  • Full certificate in PEM format

Regular expressions

Keycloak extracts the certificate identity from Subject DN or Issuer DN by using a regular expression as a filter. For example, this regular expression matches the email attribute:

emailAddress=(.*?)(?:,|$)

The regular expression filtering applies if the Identity Source is set to either Match SubjectDN using regular expression or Match IssuerDN using regular expression.

Mapping certificate identity to an existing user

The certificate identity mapping can map the extracted user identity to an existing user’s username, email, or a custom attribute whose value matches the certificate identity. For example, setting Identity source to Subject’s email or User mapping method to Username or email makes the X.509 client certificate authenticator use the email attribute in the certificate’s Subject DN as the search criteria when searching for an existing user by username or by email.

  • If you disable Login with email at realm settings, the same rules apply to certificate authentication. Users are unable to log in by using the email attribute.

  • Using Certificate Serial Number and IssuerDN as an identity source requires two custom attributes for the serial number and the IssuerDN.

  • SHA-256 Certificate thumbprint is the lowercase hexadecimal representation of SHA-256 certificate thumbprint.

  • Using Full certificate in PEM format as an identity source is limited to the custom attributes mapped to external federation sources, such as LDAP. Keycloak cannot store certificates in its database due to length limitations, so in the case of LDAP, you must enable Always Read Value From LDAP.

Extended certificate validation
  • Revocation status checking using CRL.

  • Revocation status checking using CRL/Distribution Point.

  • Revocation status checking using OCSP/Responder URI.

  • Certificate KeyUsage validation.

  • Certificate ExtendedKeyUsage validation.

Adding X.509 client certificate authentication to browser flows

  1. Click Authentication in the menu.

  2. Click the Browser flow.

  3. From the Action list, select Duplicate.

  4. Enter a name for the copy.

  5. Click Duplicate.

  6. Click Add step.

  7. Click "X509/Validate Username Form".

  8. Click Add.

    X509 execution

    X509 Execution

  9. Click and drag the "X509/Validate Username Form" over the "Browser Forms" execution.

  10. Set the requirement to "ALTERNATIVE".

    X509 browser flow

    X509 Browser Flow

  11. Click the Action menu.

  12. Click the Bind flow.

  13. Click the Browser flow from the drop-down list.

  14. Click Save.

    X509 browser flow bindings

    X509 Browser Flow Bindings

Configuring X.509 client certificate authentication

X509 configuration

X509 Configuration

User Identity Source

Defines the method for extracting the user identity from a client certificate.

Canonical DN representation enabled

Defines whether to use canonical format to determine a distinguished name. The official Java API documentation describes the format. This option affects the two User Identity Sources Match SubjectDN using regular expression and Match IssuerDN using regular expression only. Enable this option when you set up a new Keycloak instance. Disable this option to retain backward compatibility with existing Keycloak instances.

Enable Serial Number hexadecimal representation

Represent the serial number as hexadecimal. The serial number with the sign bit set to 1 must be left padded with 00 octet. For example, a serial number with decimal value 161, or a1 in hexadecimal representation is encoded as 00a1, according to RFC5280. See RFC5280, appendix-B for more details.

A regular expression

A regular expression to use as a filter for extracting the certificate identity. The expression must contain a single group.

User Mapping Method

Defines the method to match the certificate identity with an existing user. Username or email searches for existing users by username or email. Custom Attribute Mapper searches for existing users with a custom attribute that matches the certificate identity. The name of the custom attribute is configurable.

A name of user attribute

A custom attribute whose value matches against the certificate identity. Use multiple custom attributes when attribute mapping is related to multiple values, For example, 'Certificate Serial Number and IssuerDN'.

CRL Checking Enabled

Check the revocation status of the certificate by using the Certificate Revocation List. The location of the list is defined in the CRL file path attribute.

Enable CRL Distribution Point to check certificate revocation status

Use CDP to check the certificate revocation status. Most PKI authorities include CDP in their certificates.

CRL file path

The path to a file containing a CRL list. The value must be a path to a valid file if the CRL Checking Enabled option is enabled.

OCSP Checking Enabled

Checks the certificate revocation status by using Online Certificate Status Protocol.

OCSP Fail-Open Behavior

By default the OCSP check must return a positive response in order to continue with a successful authentication. Sometimes however this check can be inconclusive: for example, the OCSP server could be unreachable, overloaded, or the client certificate may not contain an OCSP responder URI. When this setting is turned ON, authentication will be denied only if an explicit negative response is received by the OCSP responder and the certificate is definitely revoked. If a valid OCSP response is not available the authentication attempt will be accepted.

OCSP Responder URI

Override the value of the OCSP responder URI in the certificate.

Validate Key Usage

Verifies the certificate’s KeyUsage extension bits are set. For example, "digitalSignature,KeyEncipherment" verifies if bits 0 and 2 in the KeyUsage extension are set. Leave this parameter empty to disable the Key Usage validation. See RFC5280, Section-4.2.1.3 for more information. Keycloak raises an error when a key usage mismatch occurs.

Validate Extended Key Usage

Verifies one or more purposes defined in the Extended Key Usage extension. See RFC5280, Section-4.2.1.12 for more information. Leave this parameter empty to disable the Extended Key Usage validation. Keycloak raises an error when flagged as critical by the issuing CA and a key usage extension mismatch occurs.

Validate Certificate Policy

Verifies one or more policy OIDs as defined in the Certificate Policy extension. See RFC5280, Section-4.2.1.4. Leave the parameter empty to disable the Certificate Policy validation. Multiple policies should be separated using a comma.

Certificate Policy Validation Mode

When more than one policy is specified in the Validate Certificate Policy setting, it decides whether the matching should check for all requested policies to be present, or one match is enough for a successful authentication. Default value is All, meaning that all requested policies should be present in the client certificate.

Bypass identity confirmation

If enabled, X.509 client certificate authentication does not prompt the user to confirm the certificate identity. Keycloak signs in the user upon successful authentication.

Revalidate client certificate

If set, the client certificate trust chain will be always verified at the application level using the certificates present in the configured trust store. This can be useful if the underlying web server does not enforce client certificate chain validation, for example because it is behind a non-validating load balancer or reverse proxy, or when the number of allowed CAs is too large for the mutual SSL negotiation (most browsers cap the maximum SSL negotiation packet size at 32767 bytes, which corresponds to about 200 advertised CAs). By default this option is off.

Adding X.509 Client Certificate Authentication to a Direct Grant Flow

  1. Click Authentication in the menu.

  2. Select Duplicate from the "Action list" to make a copy of the built-in "Direct grant" flow.

  3. Enter a name for the copy.

  4. Click Duplicate.

  5. Click the created flow.

  6. Click the trash can icon 🗑️ of the "Username Validation" and click Delete.

  7. Click the trash can icon 🗑️ of the "Password" and click Delete.

  8. Click Add step.

  9. Click "X509/Validate Username".

  10. Click Add.

    X509 direct grant execution

    X509 Direct Grant Execution

  11. Set up the x509 authentication configuration by following the steps described in the x509 Browser Flow section.

  12. Click the Bindings tab.

  13. Click the Direct Grant Flow drop-down list.

  14. Click the newly created "x509 Direct Grant" flow.

  15. Click Save.

    X509 direct grant flow bindings

    X509 Direct Grant Flow Bindings

Example using CURL

The following example shows how to obtain an access token for a user in the realm test with the direct grant flow. The example is using OAuth2 Resource Owner Password Credentials Grant in the securing apps section and the confidential client resource-owner:

curl \
  -d "client_id=resource-owner" \
  -d "client_secret=40cc097b-2a57-4c17-b36a-8fdf3fc2d578" \
  -d "grant_type=password" \
  --cacert /tmp/truststore.pem \
  --cert /tmp/keystore.pem:kssecret \
  "https://localhost:8543/realms/test/protocol/openid-connect/token"

The file /tmp/truststore.pem points to the file with the truststore containing the certificate of the Keycloak server. The file /tmp/keystore.pem contains the private key and certificates corresponding to the Keycloak user, which would be successfully authenticated by this request. It is dependent on the configuration of the authenticator on how exactly is the content from the certificate mapped to the Keycloak user as described in the configuration section. The kssecret might be the password of this keystore file.

According to your environment, it might be needed to use more options to CURL commands like for instance:

  • Option --insecure if you are using self-signed certificates

  • Option --capath to include the whole directory containing the certificate authority path

  • Options --cert-type or --key-type in case you want to use different files than PEM

Please consult the documentation of the curl tool for the details if needed. If you are using other tools than curl, consult the documentation of your tool. However, the setup would be similar. A need exists to include keystore and truststore as well as client credentials in case you are using a confidential client.

If it is possible, it is preferred to use Service accounts together with the MTLS client authentication (client authenticator X509 Certificate) rather than using the Direct grant with X.509 authentication as direct grant may require sharing of the user certificate with client applications. When using service account, the tokens are obtained on behalf of the client itself, which in general is better and more secure practice.

W3C Web Authentication (WebAuthn)

Keycloak provides support for W3C Web Authentication (WebAuthn). Keycloak works as a WebAuthn’s Relying Party (RP).

WebAuthn’s operations success depends on the user’s WebAuthn supporting authenticator, browser, and platform. Make sure your authenticator, browser, and platform support the WebAuthn specification.

Setup

The setup procedure of WebAuthn support for 2FA is the following:

Enable WebAuthn authenticator registration
  1. Click Authentication in the menu.

  2. Click the Required Actions tab.

  3. Toggle the Webauthn Register switch to ON.

Toggle the Default Action switch to ON if you want all new users to be required to register their WebAuthn credentials.

Adding WebAuthn authentication to a browser flow

  1. Click Authentication in the menu.

  2. Click the Browser flow.

  3. Select Duplicate from the "Action list" to make a copy of the built-in Browser flow.

  4. Enter "WebAuthn Browser" as the name of the copy.

  5. Click Duplicate.

  6. Click the name to go to the details

  7. Click the trash can icon 🗑️ of the "WebAuthn Browser Browser - Conditional OTP" and click Delete.

If you require WebAuthn for all users:

  1. Click + menu of the WebAuthn Browser Forms.

  2. Click Add step.

  3. Click WebAuthn Authenticator.

  4. Click Add.

  5. Select Required for the WebAuthn Authenticator authentication type to set its requirement to required.

    Webauthn browser flow required

  6. Click the Action menu at the top of the screen.

  7. Select Bind flow from the drop-down list.

  8. Select Browser from the drop-down list.

  9. Click Save.

If a user does not have WebAuthn credentials, the user must register WebAuthn credentials.

Users can log in with WebAuthn if they have a WebAuthn credential registered only. So instead of adding the WebAuthn Authenticator execution, you can:

Procedure
  1. Click + menu of the WebAuthn Browser Forms row.

  2. Click Add sub-flow.

  3. Enter "Conditional 2FA" for the name field.

  4. Select Conditional for the Conditional 2FA to set its requirement to conditional.

  5. On the Conditional 2FA row, click the plus sign + and select Add condition.

  6. Click Add condition.

  7. Select Condition - User Configured.

  8. Click Add.

  9. Select Required for the Condition - User Configured to set its requirement to required.

  10. Drag and drop WebAuthn Authenticator into the Conditional 2FA flow

  11. Select Alternative for the WebAuthn Authenticator to set its requirement to alternative.

    Webauthn browser flow conditional

The user can choose between using WebAuthn and OTP for the second factor:

Procedure
  1. On the Conditional 2FA row, click the plus sign + and select Add step.

  2. Select OTP Form from the list.

  3. Click Add.

  4. Select Alternative for the OTP Form to set its requirement to alternative.

    WebAuthn browser flow conditional with OTP

Authenticate with WebAuthn authenticator

After registering a WebAuthn authenticator, the user carries out the following operations:

  • Open the login form. The user must authenticate with a username and password.

  • The user’s browser asks the user to authenticate by using their WebAuthn authenticator.

Managing WebAuthn as an administrator

Managing credentials

Keycloak manages WebAuthn credentials similarly to other credentials from User credential management:

  • Keycloak assigns users a required action to create a WebAuthn credential from the Reset Actions list and select Webauthn Register.

  • Administrators can delete a WebAuthn credential by clicking Delete.

  • Administrators can view the credential’s data, such as the AAGUID, by selecting Show data…​.

  • Administrators can set a label for the credential by setting a value in the User Label field and saving the data.

Managing policy

Administrators can configure WebAuthn related operations as WebAuthn Policy per realm.

Procedure
  1. Click Authentication in the menu.

  2. Click the Policy tab.

  3. Click the WebAuthn Policy tab.

  4. Configure the items within the policy (see description below).

  5. Click Save.

The configurable items and their description are as follows:

Configuration Description

Relying Party Entity Name

The readable server name as a WebAuthn Relying Party. This item is mandatory and applies to the registration of the WebAuthn authenticator. The default setting is "keycloak". For more details, see WebAuthn Specification.

Signature Algorithms

The algorithms telling the WebAuthn authenticator which signature algorithms to use for the Public Key Credential. Keycloak uses the Public Key Credential to sign and verify Authentication Assertions. If no algorithms exist, the default ES256 and RS256 is adapted. ES256 and RS256 are an optional configuration item applying to the registration of WebAuthn authenticators. For more details, see WebAuthn Specification.

Relying Party ID

The ID of a WebAuthn Relying Party that determines the scope of Public Key Credentials. The ID must be the origin’s effective domain. This ID is an optional configuration item applied to the registration of WebAuthn authenticators. If this entry is blank, Keycloak adapts the host part of Keycloak’s base URL. For more details, see WebAuthn Specification.

Attestation Conveyance Preference

The WebAuthn API implementation on the browser (WebAuthn Client) is the preferential method to generate Attestation statements. This preference is an optional configuration item applying to the registration of the WebAuthn authenticator. If no option exists, its behavior is the same as selecting "none". For more details, see WebAuthn Specification.

Authenticator Attachment

The acceptable attachment pattern of a WebAuthn authenticator for the WebAuthn Client. This pattern is an optional configuration item applying to the registration of the WebAuthn authenticator. For more details, see WebAuthn Specification.

Require Discoverable Credential

The option requiring that the WebAuthn authenticator generates the Public Key Credential as Client-side discoverable Credential. This option applies to the registration of the WebAuthn authenticator. If left blank, its behavior is the same as selecting "No". For more details, see WebAuthn Specification.

User Verification Requirement

The option requiring that the WebAuthn authenticator confirms the verification of a user. This is an optional configuration item applying to the registration of a WebAuthn authenticator and the authentication of a user by a WebAuthn authenticator. If no option exists, its behavior is the same as selecting "preferred". For more details, see WebAuthn Specification for registering a WebAuthn authenticator and WebAuthn Specification for authenticating the user by a WebAuthn authenticator.

Timeout

The timeout value, in seconds, for registering a WebAuthn authenticator and authenticating the user by using a WebAuthn authenticator. If set to zero, its behavior depends on the WebAuthn authenticator’s implementation. The default value is 0. For more details, see WebAuthn Specification for registering a WebAuthn authenticator and WebAuthn Specification for authenticating the user by a WebAuthn authenticator.

Avoid Same Authenticator Registration

If enabled, Keycloak cannot re-register an already registered WebAuthn authenticator.

Acceptable AAGUIDs

The white list of AAGUIDs which a WebAuthn authenticator must register against.

Attestation statement verification

When registering a WebAuthn authenticator, Keycloak verifies the trustworthiness of the attestation statement generated by the WebAuthn authenticator. Keycloak requires the trust anchor’s certificates imported into the truststore.

To omit this validation, disable this truststore or set the WebAuthn policy’s configuration item "Attestation Conveyance Preference" to "none".

Managing WebAuthn credentials as a user

Register WebAuthn authenticator

The appropriate method to register a WebAuthn authenticator depends on whether the user has already registered an account on Keycloak.

New user

If the WebAuthn Register required action is Default Action in a realm, new users must set up the Passkey after their first login.

Procedure
  1. Open the login form.

  2. Click Register.

  3. Fill in the items on the form.

  4. Click Register.

After successfully registering, the browser asks the user to enter the text of their WebAuthn authenticator’s label.

Existing user

If WebAuthn Authenticator is set up as required as shown in the first example, then when existing users try to log in, they are required to register their WebAuthn authenticator automatically:

Procedure
  1. Open the login form.

  2. Enter the items on the form.

  3. Click Save.

  4. Click Login.

After successful registration, the user’s browser asks the user to enter the text of their WebAuthn authenticator’s label.

Passwordless WebAuthn together with Two-Factor

Keycloak uses WebAuthn for two-factor authentication, but you can use WebAuthn as the first-factor authentication. In this case, users with passwordless WebAuthn credentials can authenticate to Keycloak without a password. Keycloak can use WebAuthn as both the passwordless and two-factor authentication mechanism in the context of a realm and a single authentication flow.

An administrator typically requires that Passkeys registered by users for the WebAuthn passwordless authentication meet different requirements. For example, the Passkeys may require users to authenticate to the Passkey using a PIN, or the Passkey attests with a stronger certificate authority.

Because of this, Keycloak permits administrators to configure a separate WebAuthn Passwordless Policy. There is a required Webauthn Register Passwordless action of type and separate authenticator of type WebAuthn Passwordless Authenticator.

Setup

Set up WebAuthn passwordless support as follows:

  1. (if not already present) Register a new required action for WebAuthn passwordless support. Use the steps described in Enable WebAuthn Authenticator Registration. Register the Webauthn Register Passwordless action.

  2. Configure the policy. You can use the steps and configuration options described in Managing Policy. Perform the configuration in the Admin Console in the tab WebAuthn Passwordless Policy. Typically the requirements for the Passkey will be stronger than for the two-factor policy. For example, you can set the User Verification Requirement to Required when you configure the passwordless policy.

  3. Configure the authentication flow. Use the WebAuthn Browser flow described in Adding WebAuthn Authentication to a Browser Flow. Configure the flow as follows:

    • The WebAuthn Browser Forms subflow contains Username Form as the first authenticator. Delete the default Username Password Form authenticator and add the Username Form authenticator. This action requires the user to provide a username as the first step.

    • There will be a required subflow, which can be named Passwordless Or Two-factor, for example. This subflow indicates the user can authenticate with Passwordless WebAuthn credential or with Two-factor authentication.

    • The flow contains WebAuthn Passwordless Authenticator as the first alternative.

    • The second alternative will be a subflow named Password And Two-factor Webauthn, for example. This subflow contains a Password Form and a WebAuthn Authenticator.

The final configuration of the flow looks similar to this:

PasswordLess flow

PasswordLess flow

You can now add WebAuthn Register Passwordless as the required action to a user, already known to Keycloak, to test this. During the first authentication, the user must use the password and second-factor WebAuthn credential. The user does not need to provide the password and second-factor WebAuthn credential if they use the WebAuthn Passwordless credential.

LoginLess WebAuthn

Keycloak uses WebAuthn for two-factor authentication, but you can use WebAuthn as the first-factor authentication. In this case, users with passwordless WebAuthn credentials can authenticate to Keycloak without submitting a login or a password. Keycloak can use WebAuthn as both the loginless/passwordless and two-factor authentication mechanism in the context of a realm.

An administrator typically requires that Passkeys registered by users for the WebAuthn loginless authentication meet different requirements. Loginless authentication requires users to authenticate to the Passkey (for example by using a PIN code or a fingerprint) and that the cryptographic keys associated with the loginless credential are stored physically on the Passkey. Not all Passkeys meet that kind of requirement. Check with your Passkey vendor if your device supports 'user verification' and 'discoverable credential'. See Supported Passkeys.

Keycloak permits administrators to configure the WebAuthn Passwordless Policy in a way that allows loginless authentication. Note that loginless authentication can only be configured with WebAuthn Passwordless Policy and with WebAuthn Passwordless credentials. WebAuthn loginless authentication and WebAuthn passwordless authentication can be configured on the same realm but will share the same policy WebAuthn Passwordless Policy.

Setup
Procedure

Set up WebAuthn Loginless support as follows:

  1. (if not already present) Register a new required action for WebAuthn passwordless support. Use the steps described in Enable WebAuthn Authenticator Registration. Register the Webauthn Register Passwordless action.

  2. Configure the WebAuthn Passwordless Policy. Perform the configuration in the Admin Console, Authentication section, in the tab PoliciesWebAuthn Passwordless Policy. You have to set User Verification Requirement to required and Require Discoverable Credential to Yes when you configure the policy for loginless scenario. Note that since there isn’t a dedicated Loginless policy it won’t be possible to mix authentication scenarios with user verification=no/discoverable credential=no and loginless scenarios (user verification=yes/discoverable credential=yes). Storage capacity is usually very limited on Passkeys meaning that you won’t be able to store many discoverable credentials on your Passkey.

  3. Configure the authentication flow. Create a new authentication flow, add the "WebAuthn Passwordless" execution and set the Requirement setting of the execution to Required

The final configuration of the flow looks similar to this:

LoginLess flow

LoginLess flow

You can now add the required action WebAuthn Register Passwordless to a user, already known to Keycloak, to test this. The user with the required action configured will have to authenticate (with a username/password for example) and will then be prompted to register a Passkey to be used for loginless authentication.

Vendor specific remarks
Compatibility check list

Loginless authentication with Keycloak requires the Passkey to meet the following features

  • FIDO2 compliance: not to be confused with FIDO/U2F

  • User verification: the ability for the Passkey to authenticate the user (prevents someone finding your Passkey to be able to authenticate loginless and passwordless)

  • Discoverable Credential: the ability for the Passkey to store the login and the cryptographic keys associated with the client application

Windows Hello

To use Windows Hello based credentials to authenticate against Keycloak, configure the Signature Algorithms setting of the WebAuthn Passwordless Policy to include the RS256 value. Note that some browsers don’t allow access to platform Passkey (like Windows Hello) inside private windows.

Supported Passkeys

The following Passkeys have been successfully tested for loginless authentication with Keycloak:

  • Windows Hello (Windows 10 21H1/21H2)

  • Yubico Yubikey 5 NFC

  • Feitian ePass FIDO-NFC

Passkeys

Keycloak provides preview support for Passkeys. Keycloak works as a Passkeys Relying Party (RP).

Passkey registration and authentication are realized by the features of WebAuthn. Therefore, users of Keycloak can do Passkey registration and authentication by existing WebAuthn registration and authentication.

Both synced Passkeys and device-bound Passkeys can be used for both Same-Device and Cross-Device Authentication (CDA). However, Passkeys operations success depends on the user’s environment. Make sure which operations can succeed in the environment.

Passkey Authentication with Conditional UI

Passkey Authentication with Conditional UI can authenticate a user with its passkey in the same way as in LoginLess WebAuthn. This authentication shows a user a list of passkeys stored on a device where the user runs a browser. Therefore, the user can select one of the passkeys in the list to authenticate them. Compared with LoginLess WebAuthn, the authentication improves the user’s experience of authentication.

This authentication uses the WebAuthn Conditional UI. Therefore, this authentication success depends on the user’s environment. If the environment does not support WebAuthn Conditional UI, this authentication falls back to LoginLess WebAuthn.

Passkey Authentication is Preview and is not fully supported. This feature is disabled by default.

To enable start the server with --features=preview or --features=passkeys

Setup
Procedure

Set up Passkey Authentication with Conditional UI as follows:

  1. (if not already present) Register a new required action for WebAuthn passwordless support. Use the steps described in Enable WebAuthn Authenticator Registration. Register the Webauthn Register Passwordless action.

  2. Configure the WebAuthn Passwordless Policy. Perform the configuration in the Admin Console, Authentication section, in the tab PoliciesWebAuthn Passwordless Policy. Set User Verification Requirement to required and Require discoverable credential to Yes when you configure the policy for loginless scenario. Note that since there is no dedicated Loginless policy, it is impossible to mix authentication scenarios with user verification=no/discoverable credential=no and loginless scenarios (user verification=yes/discoverable credential=yes).

    Storage capacity is usually very limited on hardware passkeys meaning that you cannot store many discoverable credentials on your passkey. However, this limitation may be mitigated for instance if you use an Android phone backed by a Google account as a passkey device or an iPhone backed by Bitwarden.
  3. Configure the authentication flow. Create a new authentication flow, add the Passkeys Conditional UI Authenticator execution and set the Requirement setting of the execution to Required.

    The final configuration of the flow looks similar to this: Passkey Authentication with Conditional UI flow flow

  4. Bind the flow above as a browser authentication flow in the realm as described in the WebAuthn section above.

The authentication flow above requires that user must already have passkey credential on his or her account to be able to log in. This requirement means that all users in the realm must have passkeys already set. That can be achieved for instance by enabling user registration as described below.

Setup of the registration for passkeys conditional UI
  1. Enable registration for your realm

  2. In the authentication flows of the realm, select flow registration and switch the authenticator Password validation to Disabled. This means that newly registered users will not be required to create the passwords in this example setup. Users must always use passkeys instead of passwords.

  3. Return to the Required actions sub-tab of the tab Authentication tab and find the Webauthn Register Passwordless action and mark it with Set as default action. This means that it would be added to all new users after their registration.

The alternative to the registration flow setup is to add the required action WebAuthn Register Passwordless to a user who is already known to Keycloak. The user with the required action configured will have to authenticate (with a username/password for example) and will then be prompted to register a passkey to be used for loginless authentication.

We plan to improve the usability and allow integration of conditional passkeys with the existing authenticators and forms such as the default username / password form.

From Web Authn Level 3, Resident Key was replaced with Discoverable Credential.

If a user’s browser supports WebAuthn Conditional UI, the follwing screen is shown.

Passkey Authentication with Conditional UI

Passkey Authentication with Conditional UI

When the user clicks the Select your passkey textbox, a list of passkeys stored on a device where the user runs a browse is shown as follows.

Passkey Authentication with Conditional UI Autofill

Passkey Authentication with Conditional UI Autofill

If a user’s browser does not support WebAuthn Conditional UI, the authenticaion falls back to the LoginLess WebAuthn as follows.

Passkey Authentication with Conditional UI falling back to LoginLess WebAuthn

Passkey Authentication with Conditional UI falling back to LoginLess WebAuthn

Recovery Codes (RecoveryCodes)

You can configure Recovery codes for two-factor authentication by adding 'Recovery Authentication Code Form' as a two-factor authenticator to your authentication flow. For an example of configuring this authenticator, see WebAuthn.

RecoveryCodes is Preview and is not fully supported. This feature is disabled by default.

To enable start the server with --features=preview or --features=recovery-codes

Conditions in conditional flows

As was mentioned in Execution requirements, Condition executions can be only contained in Conditional subflow. If all Condition executions evaluate as true, then the Conditional sub-flow acts as Required. You can process the next execution in the Conditional sub-flow. If some executions included in the Conditional sub-flow evaluate as false, then the whole sub-flow is considered as Disabled.

Available conditions

Condition - User Role

This execution has the ability to determine if the user has a role defined by User role field. If the user has the required role, the execution is considered as true and other executions are evaluated. The administrator has to define the following fields:

Alias

Describes a name of the execution, which will be shown in the authentication flow.

User role

Role the user should have to execute this flow. To specify an application role the syntax is appname.approle (for example myapp.myrole).

Condition - User Configured

This checks if the other executions in the flow are configured for the user. The Execution requirements section includes an example of the OTP form.

Condition - User Attribute

This checks if the user has set up the required attribute: optionally, the check can also evaluate the group attributes. There is a possibility to negate output, which means the user should not have the attribute. The User Attributes section shows how to add a custom attribute. You can provide these fields:

Alias

Describes a name of the execution, which will be shown in the authentication flow.

Attribute name

Name of the attribute to check.

Expected attribute value

Expected value in the attribute.

Include group attributes

If On, the condition checks if any of the joined group has one attribute matching the configured name and value: this option can affect performance

Negate output

You can negate the output. In other words, the attribute should not be present.

Explicitly deny/allow access in conditional flows

You can allow or deny access to resources in a conditional flow. The two authenticators Deny Access and Allow Access control access to the resources by conditions.

Allow Access

Authenticator will always successfully authenticate. This authenticator is not configurable.

Deny Access

Access will always be denied. You can define an error message, which will be shown to the user. You can provide these fields:

Alias

Describes a name of the execution, which will be shown in the authentication flow.

Error message

Error message which will be shown to the user. The error message could be provided as a particular message or as a property in order to use it with localization. (i.e. "You do not have the role 'admin'.", my-property-deny in messages properties) Leave blank for the default message defined as property access-denied.

Here is an example how to deny access to all users who do not have the role role1 and show an error message defined by a property deny-role1. This example includes Condition - User Role and Deny Access executions.

Browser flow

Deny access flow

Condition - user role configuration

Deny access role settings

Configuration of the Deny Access is really easy. You can specify an arbitrary Alias and required message like this:

Deny access execution settings

The last thing is defining the property with an error message in the login theme messages_en.properties (for English):

deny-role1 = You do not have required role!

Authentication sessions

When a login page is opened for the first time in a web browser, Keycloak creates an object called authentication session that stores some useful information about the request. Whenever a new login page is opened from a different tab in the same browser, Keycloak creates a new record called authentication sub-session that is stored within the authentication session. Authentication requests can come from any type of clients such as the Admin CLI. In that case, a new authentication session is also created with one authentication sub-session. Please note that authentication sessions can be created also in other ways than using a browser flow.

The authentication session usually expires after 30 minutes by default. The exact time is specified by the Login timeout switch in the Sessions tab of the admin console when configuring realms.

Authentication in more browser tabs

As described in the previous section, a situation can involve a user who is trying to authenticate to the Keycloak server from multiple tabs of a single browser. However, when that user authenticates in one browser tab, the other browser tabs will automatically restart the authentication. This authentication occurs due to the small javascript available on the Keycloak login pages. The restart will typically authenticate the user in other browser tabs and redirect to clients because there is an SSO session now due to the fact that the user just successfully authenticated in first browser tab. Some rare exceptions exist when a user is not automatically authenticated in other browser tabs, such as for instance when using an OIDC parameter prompt=login or step-up authentication requesting a stronger authentication factor than the currently authenticated factor.

In some rare cases, it can happen that after authentication in the first browser tab, other browser tabs are not able to restart authentication because the authentication session is already expired. In this case, the particular browser tab will redirect the error about the expired authentication session back to the client in a protocol specific way. For more details, see the corresponding sections of OIDC documentation in the securing apps section. When the client application receives such an error, it can immediately resubmit the OIDC/SAML authentication request to Keycloak as this should usually automatically authenticate the user due to the existing SSO session as described earlier. As a result, the end user is authenticated automatically in all browser tabs. The Keycloak JavaScript adapter in the securing apps section, and Keycloak Identity provider support to handle this error automatically and retry the authentication to the Keycloak server in such a case.

Integrating identity providers

An Identity Broker is an intermediary service connecting service providers with identity providers. The identity broker creates a relationship with an external identity provider to use the provider’s identities to access the internal services the service provider exposes.

From a user perspective, identity brokers provide a user-centric, centralized way to manage identities for security domains and realms. You can link an account with one or more identities from identity providers or create an account based on the identity information from them.

An identity provider derives from a specific protocol used to authenticate and send authentication and authorization information to users. It can be:

  • A social provider such as Facebook, Google, or Twitter.

  • A business partner whose users need to access your services.

  • A cloud-based identity service you want to integrate.

Typically, Keycloak bases identity providers on the following protocols:

  • SAML v2.0

  • OpenID Connect v1.0

  • OAuth v2.0

Brokering overview

When using Keycloak as an identity broker, Keycloak does not force users to provide their credentials to authenticate in a specific realm. Keycloak displays a list of identity providers from which they can authenticate.

If you configure a default identity provider, Keycloak redirects users to the default provider.

Different protocols may require different authentication flows. All the identity providers supported by Keycloak use the following flow.

Identity broker flow

Identity broker flow

  1. The unauthenticated user requests a protected resource in a client application.

  2. The client application redirects the user to Keycloak to authenticate.

  3. Keycloak displays the login page with a list of identity providers configured in a realm.

  4. The user selects one of the identity providers by clicking its button or link.

  5. Keycloak issues an authentication request to the target identity provider requesting authentication and redirects the user to the identity provider’s login page. The administrator has already set the connection properties and other configuration options for the Admin Console’s identity provider.

  6. The user provides credentials or consents to authenticate with the identity provider.

  7. Upon successful authentication by the identity provider, the user redirects back to Keycloak with an authentication response. Usually, the response contains a security token used by Keycloak to trust the identity provider’s authentication and retrieve user information.

  8. Keycloak checks if the response from the identity provider is valid. If valid, Keycloak imports and creates a user if the user does not already exist. Keycloak may ask the identity provider for further user information if the token does not contain that information. This behavior is identity federation. If the user already exists, Keycloak may ask the user to link the identity returned from the identity provider with the existing account. This behavior is account linking. With Keycloak, you can configure Account linking and specify it in the First Login Flow. At this step, Keycloak authenticates the user and issues its token to access the requested resource in the service provider.

  9. When the user authenticates, Keycloak redirects the user to the service provider by sending the token previously issued during the local authentication.

  10. The service provider receives the token from Keycloak and permits access to the protected resource.

Variations of this flow are possible. For example, the client application can request a specific identity provider rather than displaying a list of them, or you can set Keycloak to force users to provide additional information before federating their identity.

At the end of the authentication process, Keycloak issues its token to client applications. Client applications are separate from the external identity providers, so they cannot see the client application’s protocol or how they validate the user’s identity. The provider only needs to know about Keycloak.

Default Identity Provider

Keycloak can redirect to an identity provider rather than displaying the login form. To enable this redirection:

Procedure
  1. Click Authentication in the menu.

  2. Click the Browser flow.

  3. Click the gear icon ⚙️ on the Identity Provider Redirector row.

  4. Set Default Identity Provider to the identity provider you want to redirect users to.

If Keycloak does not find the configured default identity provider, the login form is displayed.

This authenticator is responsible for processing the kc_idp_hint query parameter. See the client suggested identity provider section for more information.

General configuration

The foundations of the identity broker configuration are identity providers (IDPs). Keycloak creates identity providers for each realm and enables them for every application by default. Users from a realm can use any of the registered identity providers when signing in to an application.

Procedure
  1. Click Identity Providers in the menu.

    Identity Providers

    Identity Providers

  2. Select an identity provider. Keycloak displays the configuration page for the identity provider you selected.

    Add Facebook identity Provider

    Add Facebook Identity Provider

    When you configure an identity provider, the identity provider appears on the Keycloak login page as an option. You can place custom icons on the login screen for each identity provider. See custom icons for more information.

    IDP login page

    identity provider login page

    Social

    Social providers enable social authentication in your realm. With Keycloak, users can log in to your application using a social network account. Supported providers include Twitter, Facebook, Google, LinkedIn, Instagram, Microsoft, PayPal, Openshift v3, GitHub, GitLab, Bitbucket, and Stack Overflow.

    Protocol-based

    Protocol-based providers rely on specific protocols to authenticate and authorize users. Using these providers, you can connect to any identity provider compliant with a specific protocol. Keycloak provides support for SAML v2.0 and OpenID Connect v1.0 protocols. You can configure and broker any identity provider based on these open standards.

Although each type of identity provider has its configuration options, all share a common configuration. The following configuration options available:

Table 1. Common Configuration
Configuration Description

Alias

The alias is a unique identifier for an identity provider and references an internal identity provider. Keycloak uses the alias to build redirect URIs for OpenID Connect protocols that require a redirect URI or callback URL to communicate with an identity provider. All identity providers must have an alias. Alias examples include facebook, google, and idp.acme.com.

Enabled

Toggles the provider ON or OFF.

Hide on Login Page

When ON, Keycloak does not display this provider as a login option on the login page. Clients can request this provider by using the 'kc_idp_hint' parameter in the URL to request a login.

Account Linking Only

When ON, Keycloak links existing accounts with this provider. This provider cannot log users in, and Keycloak does not display this provider as an option on the login page.

Store Tokens

When ON, Keycloak stores tokens from the identity provider.

Stored Tokens Readable

When ON, users can retrieve the stored identity provider token. This action also applies to the broker client-level role read token.

Trust Email

When ON, Keycloak trusts email addresses from the identity provider. If the realm requires email validation, users that log in from this identity provider do not need to perform the email verification process.

GUI Order

The sort order of the available identity providers on the login page.

Verify essential claim

When ON, ID tokens issued by the identity provider must have a specific claim, otherwise, the user can not authenticate through this broker

Essential claim

When Verify essential claim is ON, the name of the JWT token claim to filter (match is case sensitive)

Essential claim value

When Verify essential claim is ON, the value of the JWT token claim to match (supports regular expression format)

First Login Flow

The authentication flow Keycloak triggers when users use this identity provider to log into Keycloak for the first time.

Post Login Flow

The authentication flow Keycloak triggers when a user finishes logging in with the external identity provider.

Sync Mode

Strategy to update user information from the identity provider through mappers. When choosing legacy, Keycloak used the current behavior. Import does not update user data and force updates user data when possible. See Identity Provider Mappers for more information.

Case-sensitive username

If enabled, the original username from the identity provider is kept as is when federating users. Otherwise, the username from the identity provider is lower-cased and might not match the original value if it is case-sensitive. This setting only affects the username associated with the federated identity as usernames in the server are always in lower-case.

Social Identity Providers

A social identity provider can delegate authentication to a trusted, respected social media account. Keycloak includes support for social networks such as Google, Facebook, Twitter, GitHub, LinkedIn, Microsoft, and Stack Overflow.

Bitbucket

To log in with Bitbucket, perform the following procedure.

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select Bitbucket.

    Add identity provider

    Add Identity Provider

  3. Copy the value of Redirect URI to your clipboard.

  4. In a separate browser tab, perform the OAuth on Bitbucket Cloud process. When you click Add Consumer:

    1. Paste the value of Redirect URI into the Callback URL field.

    2. Ensure you select Email and Read in the Account section to permit your application to read email.

  5. Note the Key and Secret values Bitbucket displays when you create your consumer.

  6. In Keycloak, paste the value of the Key into the Client ID field.

  7. In Keycloak, paste the value of the Secret into the Client Secret field.

  8. Click Add.

Facebook

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select Facebook.

    Add identity provider

    Add Identity Provider

  3. Copy the value of Redirect URI to your clipboard.

  4. In a separate browser tab, open the Meta for Developers.

    1. Click My Apps.

    2. Select Create App.

      Add a use case

      Add a use case

    3. Select Other.

      Select an app type

      Select an app type

    4. Select Consumer.

      Create an app

      Create an app

    5. Fill in all required fields.

    6. Click Create app. Meta then brings you to the dashboard.

      Add a product

      Add Product

    7. Click Set Up in the Facebook Login box.

    8. Select Web.

    9. Enter the Redirect URI’s value into the Site URL field and click Save.

    10. In the navigation panel, select App settings - Basic.

    11. Click Show in the App Secret field.

    12. Note the App ID and the App Secret.

  5. Enter the App ID and App Secret values from your Facebook app into the Client ID and Client Secret fields in Keycloak.

  6. Click Add

  7. Enter the required scopes into the Default Scopes field. By default, Keycloak uses the email scope. See Graph API for more information about Facebook scopes.

Keycloak sends profile requests to graph.facebook.com/me?fields=id,name,email,first_name,last_name by default. The response contains the id, name, email, first_name, and last_name fields only. To fetch additional fields from the Facebook profile, add a corresponding scope and add the field name in the Additional user’s profile fields configuration option field.

GitHub

To log in with GitHub, perform the following procedure.

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select Github.

    Add identity provider

    Add Identity Provider

  3. Copy the value of Redirect URI to your clipboard.

  4. In a separate browser tab, create an OAUTH app.

    1. Enter the value of Redirect URI into the Authorization callback URL field when creating the app.

    2. Note the Client ID and Client secret on the management page of your OAUTH app.

  5. In Keycloak, paste the value of the Client ID into the Client ID field.

  6. In Keycloak, paste the value of the Client secret into the Client Secret field.

  7. Click Add.

GitLab

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select GitLab.

    Add identity provider

    Add Identity Provider

  3. Copy the value of Redirect URI to your clipboard.

  4. In a separate browser tab, add a new GitLab application.

    1. Use the Redirect URI in your clipboard as the Redirect URI.

    2. Note the Application ID and Secret when you save the application.

  5. In Keycloak, paste the value of the Application ID into the Client ID field.

  6. In Keycloak, paste the value of the Secret into the Client Secret field.

  7. Click Add.

Google

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select Google.

    Add identity provider

    Add Identity Provider

  3. Copy the value of Redirect URI to your clipboard.

  4. In a separate browser tab open the Google Cloud Platform console.

  5. In the Google dashboard for your Google app, in the Navigation menu on the left side, hover over APIs & Services and then click on the OAuth consent screen option. Create a consent screen, ensuring that the user type of the consent screen is External.

  6. In the Google dashboard:

    1. Click the Credentials menu.

    2. Click CREATE CREDENTIALS - OAuth Client ID.

    3. From the Application type list, select Web application.

    4. Use the Redirect URI in your clipboard as the Authorized redirect URIs

    5. Click Create.

    6. Note Your Client ID and Your Client secret.

  7. In Keycloak, paste the value of the Your Client ID into the Client ID field.

  8. In Keycloak, paste the value of the Your Client secret into the Client Secret field.

  9. Click Add

  10. Enter the required scopes into the Default Scopes field. By default, Keycloak uses the following scopes: openid profile email. See the OAuth Playground for a list of Google scopes.

  11. To restrict access to your GSuite organization’s members only, enter the G Suite domain into the Hosted Domain field.

  12. Click Save.

Instagram

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select Instagram.

    Add identity provider

    Add Identity Provider

  3. Copy the value of Redirect URI to your clipboard.

  4. In a separate browser tab, open the Meta for Developers.

    1. Click My Apps.

    2. Select Create App.

      Add a use case

      Add a use case

    3. Select Other.

      Select an app type

      Select an app type

    4. Select Consumer.

      Create an app

      Create an app

    5. Fill in all required fields.

    6. Click Create app. Meta then brings you to the dashboard.

    7. In the navigation panel, select App settings - Basic.

    8. Select + Add Platform at the bottom of the page.

    9. Click [Website].

    10. Enter a URL for your site.

      Add a product

      Add Product

    11. Select Dashboard from the menu.

    12. Click Set Up in the Instagram Basic Display box.

    13. Click Create New App.

      Create a New Instagram App ID

      Create a New Instagram App ID

    14. Enter a value into the Display name field.

      Set up the app

      Setup the App

    15. Paste the Redirect URL from Keycloak into the Valid OAuth Redirect URIs field.

    16. Paste the Redirect URL from Keycloak into the Deauthorize Callback URL field.

    17. Paste the Redirect URL from Keycloak into the Data Deletion Request URL field.

    18. Click Show in the Instagram App Secret field.

    19. Note the Instagram App ID and the Instagram App Secret.

    20. Click App Review - Requests.

    21. Follow the instructions on the screen.

  5. In Keycloak, paste the value of the Instagram App ID into the Client ID field.

  6. In Keycloak, paste the value of the Instagram App Secret into the Client Secret field.

  7. Click Add.

LinkedIn

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select LinkedIn.

    Add identity provider

    Add Identity Provider

  3. Copy the value of Redirect URI to your clipboard.

  4. In a separate browser tab, create an app in the LinkedIn developer portal.

    1. After you create the app, click the Auth tab.

    2. Enter the value of Redirect URI into the Authorized redirect URLs for your app field.

    3. Note Your Client ID and Your Client Secret.

    4. Click the Products tab and Request access for the Sign In with LinkedIn using OpenID Connect product.

  5. In Keycloak, paste the value of the Client ID into the Client ID field.

  6. In Keycloak, paste the value of the Client Secret into the Client Secret field.

  7. Click Add.

Microsoft

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select Microsoft.

    Add identity provider

    Add Identity Provider

  3. Copy the value of Redirect URI to your clipboard.

  4. In a separate browser tab, register an app on Microsoft Azure under App registrations.

    1. In the Redirect URI section, select Web as a platform and paste the value of Redirect URI into the field.

    2. Find you application under App registrations and add a new client secret in the Certificates & secrets section.

    3. Note the Value of the created secret.

    4. Note the Application (client) ID in the Overview section.

  5. In Keycloak, paste the value of the Application (client) ID into the Client ID field.

  6. In Keycloak, paste the Value of the secret into the Client Secret field.

  7. Click Add.

OpenShift 3

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select Openshift v3.

    Add identity provider

    Add Identity Provider

  3. Copy the value of Redirect URI to your clipboard.

  4. Register your client using the oc command-line tool.

    $ oc create -f <(echo '
    kind: OAuthClient
    apiVersion: v1
    metadata:
     name: kc-client (1)
    secret: "..." (2)
    redirectURIs:
     - "http://www.example.com/" (3)
    grantMethod: prompt (4)
    ')
1 The name of your OAuth client. Passed as client_id request parameter when making requests to <openshift_master>/oauth/authorize and <openshift_master>/oauth/token.
2 The secret Keycloak uses for the client_secret request parameter.
3 The redirect_uri parameter specified in requests to <openshift_master>/oauth/authorize and <openshift_master>/oauth/token must be equal to (or prefixed by) one of the URIs in redirectURIs. You can obtain this from the Redirect URI field in the Identity Provider screen
4 The grantMethod Keycloak uses to determine the action when this client requests tokens but has not been granted access by the user.
  1. In Keycloak, paste the value of the Client ID into the Client ID field.

  2. In Keycloak, paste the value of the Client Secret into the Client Secret field.

  3. Click Add.

OpenShift 4

Prerequisites
  1. A certificate of the OpenShift 4 instance stored in the Keycloak Truststore.

  2. A Keycloak server configured in order to use the truststore. For more information, see the Configuring a Truststore guide.

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select Openshift v4.

  3. Enter the Client ID and Client Secret and in the Base URL field, enter the API URL of your OpenShift 4 instance. Additionally, you can copy the Redirect URI to your clipboard.

    Add identity provider

    Add Identity Provider

  4. Register your client, either via OpenShift 4 Console (Home → API Explorer → OAuth Client → Instances) or using the oc command-line tool.

    $ oc create -f <(echo '
    kind: OAuthClient
    apiVersion: oauth.openshift.io/v1
    metadata:
     name: kc-client (1)
    secret: "..." (2)
    redirectURIs:
     - "<here you can paste the Redirect URI that you copied in the previous step>" (3)
    grantMethod: prompt (4)
    ')
1 The name of your OAuth client. Passed as client_id request parameter when making requests to <openshift_master>/oauth/authorize and <openshift_master>/oauth/token. The name parameter must be the same in the OAuthClient object and the Keycloak configuration.
2 The secret Keycloak uses as the client_secret request parameter.
3 The redirect_uri parameter specified in requests to <openshift_master>/oauth/authorize and <openshift_master>/oauth/token must be equal to (or prefixed by) one of the URIs in redirectURIs. The easiest way to configure it correctly is to copy-paste it from Keycloak OpenShift 4 Identity Provider configuration page (Redirect URI field).
4 The grantMethod Keycloak uses to determine the action when this client requests tokens but has not been granted access by the user.

In the end you should see the OpenShift 4 Identity Provider on the login page of your Keycloak instance. After clicking on it, you should be redirected to the OpenShift 4 login page.

Result

Result

See official OpenShift documentation for more information.

PayPal

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select PayPal.

    Add identity provider

    Add Identity Provider

  3. Copy the value of Redirect URI to your clipboard.

  4. In a separate browser tab, open the PayPal Developer applications area.

    1. Click Create App to create a PayPal app.

    2. Note the Client ID and Client Secret. Click the Show link to view the secret.

    3. Ensure Log in with PayPal is checked.

    4. Under Log in with PayPal click on Advanced Settings.

    5. Set the value of the Return URL field to the value of Redirect URI from Keycloak. Note that the URL can not contain localhost. If you want to use Keycloak locally, replace the localhost in the Return URL by 127.0.0.1 and then access Keycloak using 127.0.0.1 in the browser instead of localhost.

    6. Ensure Full Name and Email fields are checked.

    7. Click Save and then Save Changes.

  5. In Keycloak, paste the value of the Client ID into the Client ID field.

  6. In Keycloak, paste the value of the Secret key 1 into the Client Secret field.

  7. Click Add.

Stack Overflow

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select Stack Overflow.

    Add identity provider

    Add Identity Provider

  3. In a separate browser tab, log into registering your application on Stack Apps.

    Register application

    Register Application

    1. Enter your application name into the Application Name field.

    2. Enter the OAuth domain into the OAuth Domain field.

    3. Click Register Your Application.

      Settings

      Settings

  4. Note the Client Id, Client Secret, and Key.

  5. In Keycloak, paste the value of the Client Id into the Client ID field.

  6. In Keycloak, paste the value of the Client Secret into the Client Secret field.

  7. In Keycloak, paste the value of the Key into the Key field.

  8. Click Add.

Twitter

Prerequisites
  1. A Twitter developer account.

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select Twitter.

    Add identity provider

    Add Identity Provider

  3. Copy the value of Redirect URI to your clipboard.

  4. In a separate browser tab, create an app in Twitter Application Management.

    1. Enter App name and click Next.

    2. Note the value of API Key and API Key Secret and click App settings.

    3. In the User authentication settings section click on the Set up button.

    4. Select Web App as the Type of App.

    5. Paste the value of the Redirect URL into the Callback URI / Redirect URL field.

    6. The value for Website URL can be any valid URL except localhost.

    7. Click Save and then Done.

  5. In Keycloak, paste the value of the API Key into the Client ID field.

  6. In Keycloak, paste the value of the API Key Secret into the Client Secret field.

  7. Click Add.

OpenID Connect v1.0 identity providers

Keycloak brokers identity providers based on the OpenID Connect protocol. These identity providers (IDPs) must support the Authorization Code Flow defined in the specification to authenticate users and authorize access.

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select OpenID Connect v1.0.

    Add identity provider

    Add Identity Provider

  3. Enter your initial configuration options. See General IDP Configuration for more information about configuration options.

    Table 2. OpenID connect config
    Configuration Description

    Authorization URL

    The authorization URL endpoint the OIDC protocol requires.

    Token URL

    The token URL endpoint the OIDC protocol requires.

    Logout URL

    The logout URL endpoint in the OIDC protocol. This value is optional.

    Backchannel Logout

    A background, out-of-band, REST request to the IDP to log out the user. Some IDPs perform logout through browser redirects only, as they may identify sessions using a browser cookie.

    User Info URL

    An endpoint the OIDC protocol defines. This endpoint points to user profile information.

    Client Authentication

    Defines the Client Authentication method Keycloak uses with the Authorization Code Flow. In the case of JWT signed with a private key, Keycloak uses the realm private key. In the other cases, define a client secret. See the Client Authentication specifications for more information.

    Client ID

    A realm acting as an OIDC client to the external IDP. The realm must have an OIDC client ID if you use the Authorization Code Flow to interact with the external IDP.

    Client Secret

    Client secret from an external vault. This secret is necessary if you are using the Authorization Code Flow.

    Client Assertion Signature Algorithm

    Signature algorithm to create JWT assertion as client authentication. In the case of JWT signed with private key or Client secret as jwt, it is required. If no algorithm is specified, the following algorithm is adapted. RS256 is adapted in the case of JWT signed with private key. HS256 is adapted in the case of Client secret as jwt.

    Client Assertion Audience

    The audience to use for the client assertion. The default value is the IDP’s token endpoint URL.

    Issuer

    Keycloak validates issuer claims, in responses from the IDP, against this value.

    Default Scopes

    A list of OIDC scopes Keycloak sends with the authentication request. The default value is openid. A space separates each scope.

    Prompt

    The prompt parameter in the OIDC specification. Through this parameter, you can force re-authentication and other options. See the specification for more details.

    Accepts prompt=none forward from client

    Specifies if the IDP accepts forwarded authentication requests containing the prompt=none query parameter. If a realm receives an auth request with prompt=none, the realm checks if the user is currently authenticated and returns a login_required error if the user has not logged in. When Keycloak determines a default IDP for the auth request (using the kc_idp_hint query parameter or having a default IDP for the realm), you can forward the auth request with prompt=none to the default IDP. The default IDP checks the authentication of the user there. Because not all IDPs support requests with prompt=none, Keycloak uses this switch to indicate that the default IDP supports the parameter before redirecting the authentication request.

    If the user is unauthenticated in the IDP, the client still receives a login_required error. If the user is authentic in the IDP, the client can still receive an interaction_required error if Keycloak must display authentication pages that require user interaction. This authentication includes required actions (for example, password change), consent screens, and screens set to display by the first broker login flow or post broker login flow.

    Validate Signatures

    Specifies if Keycloak verifies signatures on the external ID Token signed by this IDP. If ON, Keycloak must know the public key of the external OIDC IDP. For performance purposes, Keycloak caches the public key of the external OIDC identity provider.

    Use JWKS URL

    This switch is applicable if Validate Signatures is ON. If Use JWKS URL is ON, Keycloak downloads the IDP’s public keys from the JWKS URL. New keys download when the identity provider generates a new keypair. If OFF, Keycloak uses the public key (or certificate) from its database, so when the IDP keypair changes, import the new key to the Keycloak database as well.

    JWKS URL

    The URL pointing to the location of the IDP JWK keys. For more information, see the JWK specification. If you use an external Keycloak as an IDP, you can use a URL such as http://broker-keycloak:8180/realms/test/protocol/openid-connect/certs if your brokered Keycloak is running on http://broker-keycloak:8180 and its realm is test.

    Validating Public Key

    The public key in PEM format that Keycloak uses to verify external IDP signatures. This key applies if Use JWKS URL is OFF.

    Validating Public Key Id

    This setting applies if Use JWKS URL is OFF. This setting specifies the ID of the public key in PEM format. Because there is no standard way for computing key ID from the key, external identity providers can use different algorithms from what Keycloak uses. If this field’s value is not specified, Keycloak uses the validating public key for all requests, regardless of the key ID sent by the external IDP. When ON, this field’s value is the key ID used by Keycloak for validating signatures from providers and must match the key ID specified by the IDP.

You can import all this configuration data by providing a URL or file that points to OpenID Provider Metadata. If you connect to a Keycloak external IDP, you can import the IDP settings from <root>/realms/{realm-name}/.well-known/openid-configuration. This link is a JSON document describing metadata about the IDP.

If you want to use Json Web Encryption (JWE) ID Tokens or UserInfo responses in the provider, the IDP needs to know the public key to use with Keycloak. The provider uses the realm keys defined for the different encryption algorithms to decrypt the tokens. Keycloak provides a standard JWKS endpoint which the IDP can use for downloading the keys automatically.

SAML v2.0 Identity Providers

Keycloak can broker identity providers based on the SAML v2.0 protocol.

Procedure
  1. Click Identity Providers in the menu.

  2. From the Add provider list, select SAML v2.0.

    Add identity provider

    Add Identity Provider

  3. Enter your initial configuration options. See General IDP Configuration for more information about configuration options.

Table 3. SAML Config
Configuration Description

Service Provider Entity ID

The SAML Entity ID that the remote Identity Provider uses to identify requests from this Service Provider. By default, this setting is set to the realms base URL <root>/realms/{realm-name}.

Identity Provider Entity ID

The Entity ID used to validate the Issuer for received SAML assertions. If empty, no Issuer validation is performed.

Single Sign-On Service URL

The SAML endpoint that starts the authentication process. If your SAML IDP publishes an IDP entity descriptor, the value of this field is specified there.

Artifact service URL

The SAML artifact resolution endpoint. If your SAML IDP publishes an IDP entity descriptor, the value of this field is specified there.

Single Logout Service URL

The SAML logout endpoint. If your SAML IDP publishes an IDP entity descriptor, the value of this field is specified there.

Backchannel Logout

Toggle this switch to ON if your SAML IDP supports back channel logout.

NameID Policy Format

The URI reference corresponding to a name identifier format. By default, Keycloak sets it to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

Principal Type

Specifies which part of the SAML assertion will be used to identify and track external user identities. Can be either Subject NameID or SAML attribute (either by name or by friendly name). Subject NameID value can not be set together with 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' NameID Policy Format value.

Principal Attribute

If a Principal type is non-blank, this field specifies the name ("Attribute [Name]") or the friendly name ("Attribute [Friendly Name]") of the identifying attribute.

Allow create

Allow the external identity provider to create a new identifier to represent the principal.

HTTP-POST Binding Response

Controls the SAML binding in response to any SAML requests sent by an external IDP. When OFF, Keycloak uses Redirect Binding.

ARTIFACT Binding Response

Controls the SAML binding in response to any SAML requests sent by an external IDP. When OFF, Keycloak evaluates the HTTP-POST Binding Response configuration.

HTTP-POST Binding for AuthnRequest

Controls the SAML binding when requesting authentication from an external IDP. When OFF, Keycloak uses Redirect Binding.

Want AuthnRequests Signed

When ON, Keycloak uses the realm’s keypair to sign requests sent to the external SAML IDP.

Want Assertions Signed

Indicates whether this service provider expects a signed Assertion.

Want Assertions Encrypted

Indicates whether this service provider expects an encrypted Assertion.

Signature Algorithm

If Want AuthnRequests Signed is ON, the signature algorithm to use. Note that SHA1 based algorithms are deprecated and may be removed in a future release. We recommend to use some more secure algorithm instead of *_SHA1. Also, with *_SHA1 algorithms, verifying signatures do not work if the SAML identity provider (for example another instance of Keycloak) runs on Java 17 or higher.

Encryption Algorithm

Encryption algorithm, which is used by SAML IDP for encryption of SAML documents, assertions, or IDs. The corresponding decryption key for decrypt SAML document parts will be chosen based on this configured algorithm and should be available in realm keys for the encryption (ENC) usage. If the algorithm is not configured, any supported algorithm is allowed and a decryption key will be chosen based on the algorithm specified in SAML document itself.

SAML Signature Key Name

Signed SAML documents sent using POST binding contain the identification of signing key in KeyName element, which, by default, contains the Keycloak key ID. External SAML IDPs can expect a different key name. This switch controls whether KeyName contains: * KEY_ID - Key ID. * CERT_SUBJECT - the subject from the certificate corresponding to the realm key. Microsoft Active Directory Federation Services expect CERT_SUBJECT. * NONE - Keycloak omits the key name hint from the SAML message.

Force Authentication

The user must enter their credentials at the external IDP even when the user is already logged in.

Validate Signature

When ON, the realm expects SAML requests and responses from the external IDP to be digitally signed.

Metadata descriptor URL

External URL where Identity Provider publishes the IDPSSODescriptor metadata. This URL is used to download the Identity Provider certificates when the Reload keys or Import keys actions are clicked.

Use metadata descriptor URL

When ON, the certificates to validate signatures are automatically downloaded from the Metadata descriptor URL and cached in Keycloak. The SAML provider can validate signatures in two different ways. If a specific certificate is requested (usually in POST binding) and it is not in the cache, certificates are automatically refreshed from the URL. If all certificates are requested to validate the signature (REDIRECT binding) the refresh is only done after a max cache time (see public-key-storage spi in the all provider config guide for more information about how the cache works). The cache can also be manually updated using the action Reload Keys in the identity provider page.

When the option is OFF, the certificates in Validating X509 Certificates are used to validate signatures.

Validating X509 Certificates

The public certificates Keycloak uses to validate the signatures of SAML requests and responses from the external IDP when Use metadata descriptor URL is OFF. Multiple certificates can be entered separated by comma (,). The certificates can be re-imported from the Metadata descriptor URL clicking the Import Keys action in the identity provider page. The action downloads the current certificates in the metadata endpoint and assigns them to the config in this same option. You need to click Save to definitely store the re-imported certificates.

Sign Service Provider Metadata

When ON, Keycloak uses the realm’s key pair to sign the SAML Service Provider Metadata descriptor.

Pass subject

Controls if Keycloak forwards a login_hint query parameter to the IDP. Keycloak adds this field’s value to the login_hint parameter in the AuthnRequest’s Subject so destination providers can pre-fill their login form.

Attribute Consuming Service Index

Identifies the attribute set to request to the remote IDP. Keycloak automatically adds the attributes mapped in the identity provider configuration to the autogenerated SP metadata document.

Attribute Consuming Service Name

A descriptive name for the set of attributes that are advertised in the autogenerated SP metadata document.

You can import all configuration data by providing a URL or a file pointing to the SAML IDP entity descriptor of the external IDP. If you are connecting to a Keycloak external IDP, you can import the IDP settings from the URL <root>/realms/{realm-name}/protocol/saml/descriptor. This link is an XML document describing metadata about the IDP. You can also import all this configuration data by providing a URL or XML file pointing to the external SAML IDP’s entity descriptor to connect to.

Requesting specific AuthnContexts

Identity Providers facilitate clients specifying constraints on the authentication method verifying the user identity. For example, asking for MFA, Kerberos authentication, or security requirements. These constraints use particular AuthnContext criteria. A client can ask for one or more criteria and specify how the Identity Provider must match the requested AuthnContext, exactly, or by satisfying other equivalents.

You can list the criteria your Service Provider requires by adding ClassRefs or DeclRefs in the Requested AuthnContext Constraints section. Usually, you need to provide either ClassRefs or DeclRefs, so check with your Identity Provider documentation which values are supported. If no ClassRefs or DeclRefs are present, the Identity Provider does not enforce additional constraints.

Table 4. Requested AuthnContext Constraints
Configuration Description

Comparison

The method the Identity Provider uses to evaluate the context requirements. The available values are Exact, Minimum, Maximum, or Better. The default value is Exact.

AuthnContext ClassRefs

The AuthnContext ClassRefs describing the required criteria.

AuthnContext DeclRefs

The AuthnContext DeclRefs describing the required criteria.

SP Descriptor

When you access the provider’s SAML SP metadata, look for the Endpoints item in the identity provider configuration settings. It contains a SAML 2.0 Service Provider Metadata link which generates the SAML entity descriptor for the Service Provider. You can download the descriptor or copy its URL and then import it into the remote Identity Provider.

This metadata is also available publicly by going to the following URL:

http[s]://{host:port}/realms/{realm-name}/broker/{broker-alias}/endpoint/descriptor

Ensure you save any configuration changes before accessing the descriptor.

Send subject in SAML requests

By default, a social button pointing to a SAML Identity Provider redirects the user to the following login URL:

http[s]://{host:port}/realms/${realm-name}/broker/{broker-alias}/login

Adding a query parameter named login_hint to this URL adds the parameter’s value to SAML request as a Subject attribute. If this query parameter is empty, Keycloak does not add a subject to the request.

Enable the "Pass subject" option to send the subject in SAML requests.

Client-suggested Identity Provider

OIDC applications can bypass the Keycloak login page by hinting at the identity provider they want to use. You can enable this by setting the kc_idp_hint query parameter in the Authorization Code Flow authorization endpoint.

With Keycloak OIDC client adapters, you can specify this query parameter when you access a secured resource in the application.

For example:

GET /myapplication.com?kc_idp_hint=facebook HTTP/1.1
Host: localhost:8080

In this case, your realm must have an identity provider with a facebook alias. If this provider does not exist, the login form is displayed.

If you are using the JavaScript adapter, you can also achieve the same behavior as follows:

const keycloak = new Keycloak({
        url: "http://keycloak-server",
        realm: "my-realm",
        clientId: "my-app"
);

await keycloak.createLoginUrl({
        idpHint: 'facebook'
});

With the kc_idp_hint query parameter, the client can override the default identity provider if you configure one for the Identity Provider Redirector authenticator. The client can disable the automatic redirecting by setting the kc_idp_hint query parameter to an empty value.

Mapping claims and assertions

You can import the SAML and OpenID Connect metadata, provided by the external IDP you are authenticating with, into the realm. After importing, you can extract user profile metadata and other information, so you can make it available to your applications.

Each user logging into your realm using an external identity provider has an entry in the local Keycloak database, based on the metadata from the SAML or OIDC assertions and claims.

Procedure
  1. Click Identity Providers in the menu.

  2. Select one of the identity providers in the list.

  3. Click the Mappers tab.

    Identity provider mappers

    identity provider mappers

  4. Click Add mapper.

    Identity provider mapper

    identity provider mapper

  5. Select a value for Sync Mode Override. The mapper updates user information when users log in repeatedly according to this setting.

    1. Select legacy to use the behavior of the previous Keycloak version.

    2. Select import to import data from when the user was first created in Keycloak during the first login to Keycloak with a particular identity provider.

    3. Select force to update user data at each user login.

    4. Select inherit to use the sync mode configured in the identity provider. All other options will override this sync mode.

  6. Select a mapper from the Mapper Type list. Hover over the Mapper Type for a description of the mapper and configuration to enter for the mapper.

  7. Click Save.

For JSON-based claims, you can use dot notation for nesting and square brackets to access array fields by index. For example, contact.address[0].country.

To investigate the structure of user profile JSON data provided by social providers, you can enable the DEBUG level logger org.keycloak.social.user_profile_dump when starting the server.

Available user session data

After a user login from an external IDP, Keycloak stores user session note data that you can access. This data can be propagated to the client requesting log in using the token or SAML assertion passed back to the client using an appropriate client mapper.

identity_provider

The IDP alias of the broker used to perform the login.

identity_provider_identity

The IDP username of the currently authenticated user. Often, but not always, the same as the Keycloak username. For example, Keycloak can link a user john` to a Facebook user john123@gmail.com. In that case, the value of the user session note is john123@gmail.com.

You can use a Protocol Mapper of type User Session Note to propagate this information to your clients.

First login flow

When users log in through identity brokering, Keycloak imports and links aspects of the user within the realm’s local database. When Keycloak successfully authenticates users through an external identity provider, two situations can exist:

  • Keycloak has already imported and linked a user account with the authenticated identity provider account. In this case, Keycloak authenticates as the existing user and redirects back to the application.

  • No account exists for this user in Keycloak. Usually, you register and import a new account into the Keycloak database, but there may be an existing Keycloak account with the same email address. Automatically linking the existing local account to the external identity provider is a potential security hole. You cannot always trust the information you get from the external identity provider.

Different organizations have different requirements when dealing with some of these situations. With Keycloak, you can use the First Login Flow option in the IDP settings to choose a workflow for a user logging in from an external IDP for the first time. By default, the First Login Flow option points to the first broker login flow, but you can use your flow or different flows for different identity providers.

The flow is in the Admin Console under the Authentication tab. When you choose the First Broker Login flow, you see the authenticators used by default. You can re-configure the existing flow. For example, you can disable some authenticators, mark some of them as required, or configure some authenticators.

You can also create a new authentication flow, write your own Authenticator implementations, and use it in your flow. See Server Developer Guide for more information.

Default first login flow authenticators

Review Profile
  • This authenticator displays the profile information page, so the users can review their profile that Keycloak retrieves from an identity provider.

  • You can set the Update Profile On First Login option in the Actions menu.

  • When ON, users are presented with the profile page requesting additional information to federate the user’s identities.

  • When missing, users are presented with the profile page if the identity provider does not provide mandatory information, such as email, first name, or last name.

  • When OFF, the profile page does not display unless the user clicks in a later phase on the Review profile info link in the page displayed by the Confirm Link Existing Account authenticator.

Create User If Unique

This authenticator checks if there is already an existing Keycloak account with the same email or username like the account from the identity provider. If it’s not, then the authenticator just creates a new local Keycloak account and links it with the identity provider and the whole flow is finished. Otherwise it goes to the next Handle Existing Account subflow. If you always want to ensure that there is no duplicated account, you can mark this authenticator as REQUIRED. In this case, the user will see the error page if there is an existing Keycloak account and the user will need to link the identity provider account through Account management.

  • This authenticator verifies that there is already a Keycloak account with the same email or username as the identity provider’s account.

  • If an account does not exist, the authenticator creates a local Keycloak account, links this account with the identity provider, and terminates the flow.

  • If an account exists, the authenticator implements the next Handle Existing Account sub-flow.

  • To ensure there is no duplicated account, you can mark this authenticator as REQUIRED. The user sees the error page if a Keycloak account exists, and users must link their identity provider account through Account management.

Confirm Link Existing Account
  • On the information page, users see a Keycloak account with the same email. Users can review their profile again and use a different email or username. The flow restarts and goes back to the Review Profile authenticator.

  • Alternatively, users can confirm that they want to link their identity provider account with their existing Keycloak account.

  • Disable this authenticator if you do not want users to see this confirmation page and go straight to linking identity provider account by email verification or re-authentication.

Verify Existing Account By Email
  • This authenticator is ALTERNATIVE by default. Keycloak uses this authenticator if the realm has an SMTP setup configured.

  • The authenticator sends an email to users to confirm that they want to link the identity provider with their Keycloak account.

  • Disable this authenticator if you do not want to confirm linking by email, but want users to reauthenticate with their password.

Verify Existing Account By Re-authentication
  • Use this authenticator if the email authenticator is not available. For example, you have not configured SMTP for your realm. This authenticator displays a login screen for users to authenticate to link their Keycloak account with the Identity Provider.

  • Users can also re-authenticate with another identity provider already linked to their Keycloak account.

  • You can force users to use OTP. Otherwise, it is optional and used if you have set OTP for the user account.

The AutoLink authenticator is dangerous in a generic environment where users can register themselves using arbitrary usernames or email addresses. Do not use this authenticator unless you are carefully curating user registration and assigning usernames and email addresses.

To configure a first login flow that links users automatically without prompting, create a new flow with the following two authenticators:

Create User If Unique

This authenticator ensures Keycloak handles unique users. Set the authenticator requirement to Alternative.

Automatically Set Existing User

This authenticator sets an existing user to the authentication context without verification. Set the authenticator requirement to "Alternative".

This setup is the simplest setup available, but it is possible to use other authenticators. For example: * You can add the Review Profile authenticator to the beginning of the flow if you want end users to confirm their profile information. * You can add authentication mechanisms to this flow, forcing a user to verify their credentials. Adding authentication mechanisms requires a complex flow. For example, you can set the "Automatically Set Existing User" and "Password Form" as "Required" in an "Alternative" sub-flow.

Disabling automatic user creation

The Default first login flow looks up the Keycloak account matching the external identity and offers to link them. If no matching Keycloak account exists, the flow automatically creates one.

This default behavior may be unsuitable for some setups. One example is when you use a read-only LDAP user store, where all users are pre-created. In this case, you must switch off automatic user creation.

To disable user creation:

Procedure
  1. Click Authentication in the menu.

  2. Select First Broker Login from the list.

  3. Set Create User If Unique to DISABLED.

  4. Set Confirm Link Existing Account to DISABLED.

This configuration also implies that Keycloak itself won’t be able to determine which internal account would correspond to the external identity. Therefore, the Verify Existing Account By Re-authentication authenticator will ask the user to provide both username and password.

Enabling or disabling user creation by identity provider is completely independent on the realm User Registration switch. You can have enabled user-creation by identity provider and at the same time disabled user self-registration in the realm login settings or vice-versa.

Detect existing user first login flow

In order to configure a first login flow in which:

  • only users already registered in this realm can log in,

  • users are automatically linked without being prompted,

create a new flow with the following two authenticators:

Detect Existing Broker User

This authenticator ensures that unique users are handled. Set the authenticator requirement to REQUIRED.

Automatically Set Existing User

Automatically sets an existing user to the authentication context without any verification. Set the authenticator requirement to REQUIRED.

You have to set the First Login Flow of the identity provider configuration to that flow. You could set the also set Sync Mode to force if you want to update the user profile (Last Name, First Name…​) with the identity provider attributes.

This flow can be used if you want to delegate the identity to other identity providers (such as GitHub, Facebook …​) but you want to manage which users that can log in.

With this configuration, Keycloak is unable to determine which internal account corresponds to the external identity. The Verify Existing Account By Re-authentication authenticator asks the provider for the username and password.

When an another account needs to be linked to the same Keycloak account within the same identity provider, you can configure the following authenticator.

Confirm Override Existing Link

This authenticator will detect the existing broker link for the user and display a confirmation page to confirm overriding the existing broker link. Set the authenticator requirement to REQUIRED.

A typical use of this authenticator is a scenario such as the following:

  • For example, consider a Keycloak user john with the email john@gmail.com. That user is linked to the identity provider google with the google username john@gmail.com .

  • Then for instance Keycloak user john creates new Google account with email john-new@gmail.com

  • Then during login to Keycloak, the user authenticated to the identity provider google with a new username such as john-new@gmail.com, which is not linked to any Keycloak account yet (as Keycloak account john is still linked with the google user john@gmail.com) and hence the first-broker-login flow is triggered.

  • During first-broker-login, the Keycloak user john is authenticated somehow (either by default first-broker-login re-authentication or for instance by authenticator like Detect existing broker user)

  • Now with this authenticator in the authentication flow, it is possible to override the IDP link to the google identity provider of Keycloak user john with the new google link to google user john-new@gmail.com after user john confirms this.

When creating authentication flows with this authenticator, make sure to add this authenticator once other authenticators that are already established the Keycloak user by other means (either by re-authentication or after Detect existing broker user as mentioned above.

Retrieving external IDP tokens

With Keycloak, you can store tokens and responses from the authentication process with the external IDP using the Store Token configuration option on the IDP’s settings page.

Application code can retrieve these tokens and responses to import extra user information or to request the external IDP securely. For example, an application can use the Google token to use other Google services and REST APIs. To retrieve a token for a particular identity provider, send a request as follows:

GET /realms/{realm}/broker/{provider_alias}/token HTTP/1.1
Host: localhost:8080
Authorization: Bearer <KEYCLOAK ACCESS TOKEN>

An application must authenticate with Keycloak and receive an access token. This access token must have the broker client-level role read-token set, so the user must have a role mapping for this role, and the client application must have that role within its scope. In this case, since you are accessing a protected service in Keycloak, send the access token issued by Keycloak during the user authentication. You can assign this role to newly imported users in the broker configuration page by setting the Stored Tokens Readable switch to ON.

These external tokens can be re-established by logging in again through the provider or using the client-initiated account linking API.

Identity broker logout

When logging out, Keycloak sends a request to the external identity provider that is used to log in initially and logs the user out of this identity provider.

SSO protocols

This section discusses authentication protocols, the Keycloak authentication server and how applications, secured by the Keycloak authentication server, interact with these protocols.

OpenID Connect

OpenID Connect (OIDC) is an authentication protocol that is an extension of OAuth 2.0.

OAuth 2.0 is a framework for building authorization protocols and is incomplete. OIDC, however, is a full authentication and authorization protocol that uses the Json Web Token (JWT) standards. The JWT standards define an identity token JSON format and methods to digitally sign and encrypt data in a compact and web-friendly way.

In general, OIDC implements two use cases. The first case is an application requesting that a Keycloak server authenticates a user. Upon successful login, the application receives an identity token and an access token. The identity token contains user information including user name, email, and profile information. The realm digitally signs the access token which contains access information (such as user role mappings) that applications use to determine the resources users can access in the application.

The second use case is a client accessing remote services.

  • The client requests an access token from Keycloak to invoke on remote services on behalf of the user.

  • Keycloak authenticates the user and asks the user for consent to grant access to the requesting client.

  • The client receives the access token which is digitally signed by the realm.

  • The client makes REST requests on remote services using the access token.

  • The remote REST service extracts the access token.

  • The remote REST service verifies the tokens signature.

  • The remote REST service decides, based on access information within the token, to process or reject the request.

OIDC auth flows

OIDC has several methods, or flows, that clients or applications can use to authenticate users and receive identity and access tokens. The method depends on the type of application or client requesting access.

Authorization Code Flow

The Authorization Code Flow is a browser-based protocol and suits authenticating and authorizing browser-based applications. It uses browser redirects to obtain identity and access tokens.

  1. A user connects to an application using a browser. The application detects the user is not logged into the application.

  2. The application redirects the browser to Keycloak for authentication.

  3. The application passes a callback URL as a query parameter in the browser redirect. Keycloak uses the parameter upon successful authentication.

  4. Keycloak authenticates the user and creates a one-time, short-lived, temporary code.

  5. Keycloak redirects to the application using the callback URL and adds the temporary code as a query parameter in the callback URL.

  6. The application extracts the temporary code and makes a background REST invocation to Keycloak to exchange the code for an identity and access and refresh token. To prevent replay attacks, the temporary code cannot be used more than once.

A system is vulnerable to a stolen token for the lifetime of that token. For security and scalability reasons, access tokens are generally set to expire quickly so subsequent token requests fail. If a token expires, an application can obtain a new access token using the additional refresh token sent by the login protocol.

Confidential clients provide client secrets when they exchange the temporary codes for tokens. Public clients are not required to provide client secrets. Public clients are secure when HTTPS is strictly enforced and redirect URIs registered for the client are strictly controlled. HTML5/JavaScript clients have to be public clients because there is no way to securely transmit the client secret to HTML5/JavaScript clients. For more details, see the Managing Clients chapter.

Keycloak also supports the Proof Key for Code Exchange specification.

Implicit Flow

The Implicit Flow is a browser-based protocol. It is similar to the Authorization Code Flow but with fewer requests and no refresh tokens.

The possibility exists of access tokens leaking in the browser history when tokens are transmitted via redirect URIs (see below).

Also, this flow does not provide clients with refresh tokens. Therefore, access tokens have to be long-lived or users have to re-authenticate when they expire.

We do not advise using this flow. This flow is supported because it is in the OIDC and OAuth 2.0 specification.

The protocol works as follows:

  1. A user connects to an application using a browser. The application detects the user is not logged into the application.

  2. The application redirects the browser to Keycloak for authentication.

  3. The application passes a callback URL as a query parameter in the browser redirect. Keycloak uses the query parameter upon successful authentication.

  4. Keycloak authenticates the user and creates an identity and access token. Keycloak redirects to the application using the callback URL and additionally adds the identity and access tokens as a query parameter in the callback URL.

  5. The application extracts the identity and access tokens from the callback URL.

Resource owner password credentials grant (Direct Access Grants)

Direct Access Grants are used by REST clients to obtain tokens on behalf of users. It is a HTTP POST request that contains:

  • The credentials of the user. The credentials are sent within form parameters.

  • The id of the client.

  • The clients secret (if it is a confidential client).

The HTTP response contains the identity, access, and refresh tokens.

Client credentials grant

The Client Credentials Grant creates a token based on the metadata and permissions of a service account associated with the client instead of obtaining a token that works on behalf of an external user. Client Credentials Grants are used by REST clients.

See the Service Accounts chapter for more information.

Refresh token grant

By default, Keycloak returns refresh tokens in the token responses from most of the flows. Some exceptions are implicit flow or client credentials grant described above.

Refresh token is tied to the user session of the SSO browser session and can be valid for the lifetime of the user session. However, that client should send a refresh-token request at least once per specified interval. Otherwise, the session can be considered "idle" and can expire. See the timeouts section for more information.

Keycloak supports offline tokens, which can be used typically when client needs to use refresh token even if corresponding browser SSO session is already expired.

Refresh token rotation

It is possible to specify that the refresh token is considered invalid once it is used. This means that client must always save the refresh token from the last refresh response because older refresh tokens, which were already used, would not be considered valid anymore by Keycloak. This is possible to set with the use of Revoke Refresh token option as specified in the timeouts section.

Keycloak also supports the situation that no refresh token rotation exists. In this case, a refresh token is returned during login, but subsequent responses from refresh-token requests will not return new refresh tokens. This practice is recommended for instance in the FAPI 2 draft specification in the securing apps section. In Keycloak, it is possible to skip refresh token rotation with the use of client policies. You can add executor suppress-refresh-token-rotation to some client profile and configure client policy to specify for which clients would be the profile triggered, which means that for those clients the refresh token rotation is going to be skipped.

Device authorization grant

This is used by clients running on internet-connected devices that have limited input capabilities or lack a suitable browser. Here’s a brief summary of the protocol:

  1. The application requests Keycloak a device code and a user code. Keycloak creates a device code and a user code. Keycloak returns a response including the device code and the user code to the application.

  2. The application provides the user with the user code and the verification URI. The user accesses a verification URI to be authenticated by using another browser. You could define a short verification_uri that will be redirected to Keycloak verification URI (/realms/realm_name/device)outside Keycloak - fe in a proxy.

  3. The application repeatedly polls Keycloak to find out if the user completed the user authorization. If user authentication is complete, the application exchanges the device code for an identity, access and refresh token.

Client initiated backchannel authentication grant

This feature is used by clients who want to initiate the authentication flow by communicating with the OpenID Provider directly without redirect through the user’s browser like OAuth 2.0’s authorization code grant. Here’s a brief summary of the protocol:

  1. The client requests Keycloak an auth_req_id that identifies the authentication request made by the client. Keycloak creates the auth_req_id.

  2. After receiving this auth_req_id, this client repeatedly needs to poll Keycloak to obtain an Access Token, Refresh Token and ID Token from Keycloak in return for the auth_req_id until the user is authenticated.

An administrator can configure Client Initiated Backchannel Authentication (CIBA) related operations as CIBA Policy per realm.

Also please refer to other places of Keycloak documentation like Backchannel Authentication Endpoint and Client Initiated Backchannel Authentication Grant in the securing apps section.

CIBA Policy

An administrator carries out the following operations on the Admin Console :

  • Open the Authentication → CIBA Policy tab.

  • Configure items and click Save.

The configurable items and their description follow.

Configuration Description

Backchannel Token Delivery Mode

Specifying how the CD (Consumption Device) gets the authentication result and related tokens. There are three modes, "poll", "ping" and "push". Keycloak only supports "poll". The default setting is "poll". This configuration is required. For more details, see CIBA Specification.

Expires In

The expiration time of the "auth_req_id" in seconds since the authentication request was received. The default setting is 120. This configuration is required. For more details, see CIBA Specification.

Interval

The interval in seconds the CD (Consumption Device) needs to wait for between polling requests to the token endpoint. The default setting is 5. This configuration is optional. For more details, see CIBA Specification.

Authentication Requested User Hint

The way of identifying the end-user for whom authentication is being requested. The default setting is "login_hint". There are three modes, "login_hint", "login_hint_token" and "id_token_hint". Keycloak only supports "login_hint". This configuration is required. For more details, see CIBA Specification.

Provider Setting

The CIBA grant uses the following two providers.

  1. Authentication Channel Provider : provides the communication between Keycloak and the entity that actually authenticates the user via AD (Authentication Device).

  2. User Resolver Provider : get UserModel of Keycloak from the information provided by the client to identify the user.

Keycloak has both default providers. However, the administrator needs to set up Authentication Channel Provider like this:

kc.[sh|bat] start --spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri=https://backend.internal.example.com

The configurable items and their description follow.

Configuration Description

http-authentication-channel-uri

Specifying URI of the entity that actually authenticates the user via AD (Authentication Device).

Authentication Channel Provider

CIBA standard document does not specify how to authenticate the user by AD. Therefore, it might be implemented at the discretion of products. Keycloak delegates this authentication to an external authentication entity. To communicate with the authentication entity, Keycloak provides Authentication Channel Provider.

Its implementation of Keycloak assumes that the authentication entity is under the control of the administrator of Keycloak so that Keycloak trusts the authentication entity. It is not recommended to use the authentication entity that the administrator of Keycloak cannot control.

Authentication Channel Provider is provided as SPI provider so that users of Keycloak can implement their own provider in order to meet their environment. Keycloak provides its default provider called HTTP Authentication Channel Provider that uses HTTP to communicate with the authentication entity.

If a user of Keycloak user want to use the HTTP Authentication Channel Provider, they need to know its contract between Keycloak and the authentication entity consisting of the following two parts.

Authentication Delegation Request/Response

Keycloak sends an authentication request to the authentication entity.

Authentication Result Notification/ACK

The authentication entity notifies the result of the authentication to Keycloak.

Authentication Delegation Request/Response consists of the following messaging.

Authentication Delegation Request

The request is sent from Keycloak to the authentication entity to ask it for user authentication by AD.

POST [delegation_reception]
  • Headers

Name Value Description

Content-Type

application/json

The message body is json formatted.

Authorization

Bearer [token]

The [token] is used when the authentication entity notifies the result of the authentication to Keycloak.

  • Parameters

Type Name Description

Path

delegation_reception

The endpoint provided by the authentication entity to receive the delegation request

  • Body

Name Description

login_hint

It tells the authentication entity who is authenticated by AD.
By default, it is the user’s "username".
This field is required and was defined by CIBA standard document.

scope

It tells which scopes the authentication entity gets consent from the authenticated user.
This field is required and was defined by CIBA standard document.

is_consent_required

It shows whether the authentication entity needs to get consent from the authenticated user about the scope.
This field is required.

binding_message

Its value is intended to be shown in both CD and AD’s UI to make the user recognize that the authentication by AD is triggered by CD.
This field is optional and was defined by CIBA standard document.

acr_values

It tells the requesting Authentication Context Class Reference from CD.
This field is optional and was defined by CIBA standard document.

Authentication Delegation Response

The response is returned from the authentication entity to Keycloak to notify that the authentication entity received the authentication request from Keycloak.

  • Responses

HTTP Status Code Description

201

It notifies Keycloak of receiving the authentication delegation request.

Authentication Result Notification/ACK consists of the following messaging.

Authentication Result Notification

The authentication entity sends the result of the authentication request to Keycloak.

POST /realms/[realm]/protocol/openid-connect/ext/ciba/auth/callback
  • Headers

Name Value Description

Content-Type

application/json

The message body is json formatted.

Authorization

Bearer [token]

The [token] must be the one the authentication entity has received from Keycloak in Authentication Delegation Request.

  • Parameters

Type Name Description

Path

realm

The realm name

  • Body

Name Description

status

It tells the result of user authentication by AD.
It must be one of the following status.
SUCCEED : The authentication by AD has been successfully completed.
UNAUTHORIZED : The authentication by AD has not been completed.
CANCELLED : The authentication by AD has been cancelled by the user.

Authentication Result ACK

The response is returned from Keycloak to the authentication entity to notify Keycloak received the result of user authentication by AD from the authentication entity.

  • Responses

HTTP Status Code Description

200

It notifies the authentication entity of receiving the notification of the authentication result.

User Resolver Provider

Even if the same user, its representation may differ in each CD, Keycloak and the authentication entity.

For CD, Keycloak and the authentication entity to recognize the same user, this User Resolver Provider converts their own user representations among them.

User Resolver Provider is provided as SPI provider so that users of Keycloak can implement their own provider in order to meet their environment. Keycloak provides its default provider called Default User Resolver Provider that has the following characteristics.

  • Only support login_hint parameter and is used as default.

  • username of UserModel in Keycloak is used to represent the user on CD, Keycloak and the authentication entity.

OIDC Logout

OIDC has four specifications relevant to logout mechanisms:

Again since all of this is described in the OIDC specification we will only give a brief overview here.

Session Management

This is a browser-based logout. The application obtains session status information from Keycloak at a regular basis. When the session is terminated at Keycloak the application will notice and trigger its own logout.

RP-Initiated Logout

This is also a browser-based logout where the logout starts by redirecting the user to a specific endpoint at Keycloak. This redirect usually happens when the user clicks the Log Out link on the page of some application, which previously used Keycloak to authenticate the user.

Once the user is redirected to the logout endpoint, Keycloak is going to send logout requests to clients to let them invalidate their local user sessions, and potentially redirect the user to some URL once the logout process is finished. The user might be optionally requested to confirm the logout in case the id_token_hint parameter was not used. After logout, the user is automatically redirected to the specified post_logout_redirect_uri as long as it is provided as a parameter. Note that you need to include either the client_id or id_token_hint parameter in case the post_logout_redirect_uri is included. Also the post_logout_redirect_uri parameter needs to match one of the Valid Post Logout Redirect URIs specified in the client configuration.

Depending on the client configuration, logout requests can be sent to clients through the front-channel or through the back-channel. For the frontend browser clients, which rely on the Session Management described in the previous section, Keycloak does not need to send any logout requests to them; these clients automatically detect that SSO session in the browser is logged out.

Front-channel Logout

To configure clients to receive logout requests through the front-channel, look at the Front-Channel Logout client setting. When using this method, consider the following:

  • Logout requests sent by Keycloak to clients rely on the browser and on embedded iframes that are rendered for the logout page.

  • By being based on iframes, front-channel logout might be impacted by Content Security Policies (CSP) and logout requests might be blocked.

  • If the user closes the browser prior to rendering the logout page or before logout requests are actually sent to clients, their sessions at the client might not be invalidated.

Consider using Back-Channel Logout as it provides a more reliable and secure approach to log out users and terminate their sessions on the clients.

If the client is not enabled with front-channel logout, then Keycloak is going to try first to send logout requests through the back-channel using the Back-Channel Logout URL. If not defined, the server is going to fall back to using the Admin URL.

Backchannel Logout

This is a non-browser-based logout that uses direct backchannel communication between Keycloak and clients. Keycloak sends a HTTP POST request containing a logout token to all clients logged into Keycloak. These requests are sent to a registered backchannel logout URLs at Keycloak and are supposed to trigger a logout at client side.

Keycloak server OIDC URI endpoints

The following is a list of OIDC endpoints that Keycloak publishes. These endpoints can be used when a non-Keycloak client adapter uses OIDC to communicate with the authentication server. They are all relative URLs. The root of the URL consists of the HTTP(S) protocol, hostname, and optionally the path: For example

https://localhost:8080
/realms/{realm-name}/protocol/openid-connect/auth

Used for obtaining a temporary code in the Authorization Code Flow or obtaining tokens using the Implicit Flow, Direct Grants, or Client Grants.

/realms/{realm-name}/protocol/openid-connect/token

Used by the Authorization Code Flow to convert a temporary code into a token.

/realms/{realm-name}/protocol/openid-connect/logout

Used for performing logouts.

/realms/{realm-name}/protocol/openid-connect/userinfo

Used for the User Info service described in the OIDC specification.

/realms/{realm-name}/protocol/openid-connect/revoke

Used for OAuth 2.0 Token Revocation described in RFC7009.

/realms/{realm-name}/protocol/openid-connect/certs

Used for the JSON Web Key Set (JWKS) containing the public keys used to verify any JSON Web Token (jwks_uri)

/realms/{realm-name}/protocol/openid-connect/auth/device

Used for Device Authorization Grant to obtain a device code and a user code.

/realms/{realm-name}/protocol/openid-connect/ext/ciba/auth

This is the URL endpoint for Client Initiated Backchannel Authentication Grant to obtain an auth_req_id that identifies the authentication request made by the client.

/realms/{realm-name}/protocol/openid-connect/logout/backchannel-logout

This is the URL endpoint for performing backchannel logouts described in the OIDC specification.

In all of these, replace {realm-name} with the name of the realm.

SAML

SAML 2.0 is a similar specification to OIDC but more mature. It is descended from SOAP and web service messaging specifications so is generally more verbose than OIDC. SAML 2.0 is an authentication protocol that exchanges XML documents between authentication servers and applications. XML signatures and encryption are used to verify requests and responses.

In general, SAML implements two use cases.

The first use case is an application that requests the Keycloak server authenticates a user. Upon successful login, the application will receive an XML document. This document contains an SAML assertion that specifies user attributes. The realm digitally signs the document which contains access information (such as user role mappings) that applications use to determine the resources users are allowed to access in the application.

The second use case is a client accessing remote services. The client requests a SAML assertion from Keycloak to invoke on remote services on behalf of the user.

SAML bindings

Keycloak supports three binding types.

Redirect binding

Redirect binding uses a series of browser redirect URIs to exchange information.

  1. A user connects to an application using a browser. The application detects the user is not authenticated.

  2. The application generates an XML authentication request document and encodes it as a query parameter in a URI. The URI is used to redirect to the Keycloak server. Depending on your settings, the application can also digitally sign the XML document and include the signature as a query parameter in the redirect URI to Keycloak. This signature is used to validate the client that sends the request.

  3. The browser redirects to Keycloak.

  4. The server extracts the XML auth request document and verifies the digital signature, if required.

  5. The user enters their authentication credentials.

  6. After authentication, the server generates an XML authentication response document. The document contains a SAML assertion that holds metadata about the user, including name, address, email, and any role mappings the user has. The document is usually digitally signed using XML signatures, and may also be encrypted.

  7. The XML authentication response document is encoded as a query parameter in a redirect URI. The URI brings the browser back to the application. The digital signature is also included as a query parameter.

  8. The application receives the redirect URI and extracts the XML document.

  9. The application verifies the realm’s signature to ensure it is receiving a valid authentication response. The information inside the SAML assertion is used to make access decisions or display user data.

POST binding

POST binding is similar to Redirect binding but POST binding exchanges XML documents using POST requests instead of using GET requests. POST Binding uses JavaScript to make the browser send a POST request to the Keycloak server or application when exchanging documents. HTTP responds with an HTML document which contains an HTML form containing embedded JavaScript. When the page loads, the JavaScript automatically invokes the form.

POST binding is recommended due to two restrictions:

  • Security — With Redirect binding, the SAML response is part of the URL. It is less secure as it is possible to capture the response in logs.

  • Size — Sending the document in the HTTP payload provides more scope for large amounts of data than in a limited URL.

ECP

Enhanced Client or Proxy (ECP) is a SAML v.2.0 profile which allows the exchange of SAML attributes outside the context of a web browser. It is often used by REST or SOAP-based clients.

Keycloak Server SAML URI Endpoints

Keycloak has one endpoint for all SAML requests.

http(s)://authserver.host/realms/{realm-name}/protocol/saml

All bindings use this endpoint.

OpenID Connect compared to SAML

The following lists a number of factors to consider when choosing a protocol.

For most purposes, Keycloak recommends using OIDC.

OIDC

  • OIDC is specifically designed to work with the web.

  • OIDC is suited for HTML5/JavaScript applications because it is easier to implement on the client side than SAML.

  • OIDC tokens are in the JSON format which makes them easier for Javascript to consume.

  • OIDC has features to make security implementation easier. For example, see the iframe trick that the specification uses to determine a users login status.

SAML

  • SAML is designed as a layer to work on top of the web.

  • SAML can be more verbose than OIDC.

  • Users pick SAML over OIDC because there is a perception that it is mature.

  • Users pick SAML over OIDC existing applications that are secured with it.

Docker registry v2 authentication

Docker authentication is disabled by default. To enable docker authentication, see the Enabling and disabling features guide.

Docker Registry V2 Authentication is a protocol, similar to OIDC, that authenticates users against Docker registries. Keycloak’s implementation of this protocol lets Docker clients use a Keycloak authentication server authenticate against a registry. This protocol uses standard token and signature mechanisms but it does deviate from a true OIDC implementation. It deviates by using a very specific JSON format for requests and responses as well as mapping repository names and permissions to the OAuth scope mechanism.

Docker authentication flow

The authentication flow is described in the Docker API documentation. The following is a summary from the perspective of the Keycloak authentication server:

  • Perform a docker login.

  • The Docker client requests a resource from the Docker registry. If the resource is protected and no authentication token is in the request, the Docker registry server responds with a 401 HTTP message with some information on the permissions that are required and the location of the authorization server.

  • The Docker client constructs an authentication request based on the 401 HTTP message from the Docker registry. The client uses the locally cached credentials (from the docker login command) as part of the HTTP Basic Authentication request to the Keycloak authentication server.

  • The Keycloak authentication server attempts to authenticate the user and return a JSON body containing an OAuth-style Bearer token.

  • The Docker client receives a bearer token from the JSON response and uses it in the authorization header to request the protected resource.

  • The Docker registry receives the new request for the protected resource with the token from the Keycloak server. The registry validates the token and grants access to the requested resource (if appropriate).

Keycloak does not create a browser SSO session after successful authentication with the Docker protocol. The browser SSO session does not use the Docker protocol as it cannot refresh tokens or obtain the status of a token or session from the Keycloak server; therefore a browser SSO session is not necessary. For more details, see the transient session section.

Keycloak Docker Registry v2 Authentication Server URI Endpoints

Keycloak has one endpoint for all Docker auth v2 requests.

http(s)://authserver.host/realms/{realm-name}/protocol/docker-v2/auth

Controlling access to the Admin Console

Each realm created on the Keycloak has a dedicated Admin Console from which that realm can be managed. The master realm is a special realm that allows admins to manage more than one realm on the system. You can also define fine-grained access to users in different realms to manage the server. This chapter goes over all the scenarios for this.

Master realm access control

The master realm in Keycloak is a special realm and treated differently than other realms. Users in the Keycloak master realm can be granted permission to manage zero or more realms that are deployed on the Keycloak server. When a realm is created, Keycloak automatically creates various roles that grant fine-grain permissions to access that new realm. Access to The Admin Console and Admin REST endpoints can be controlled by mapping these roles to users in the master realm. It’s possible to create multiple superusers, as well as users that can only manage specific realms.

Global roles

There are two realm-level roles in the master realm. These are:

  • admin

  • create-realm

Users with the admin role are superusers and have full access to manage any realm on the server. Users with the create-realm role are allowed to create new realms. They will be granted full access to any new realm they create.

Realm specific roles

Admin users within the master realm can be granted management privileges to one or more other realms in the system. Each realm in Keycloak is represented by a client in the master realm. The name of the client is <realm name>-realm. These clients each have client-level roles defined which define varying level of access to manage an individual realm.

The roles available are:

  • view-realm

  • view-users

  • view-clients

  • view-events

  • manage-realm

  • manage-users

  • create-client

  • manage-clients

  • manage-events

  • view-identity-providers

  • manage-identity-providers

  • impersonation

Assign the roles you want to your users and they will only be able to use that specific part of the administration console.

Admins with the manage-users role will only be able to assign admin roles to users that they themselves have. So, if an admin has the manage-users role but doesn’t have the manage-realm role, they will not be able to assign this role.

Dedicated realm admin consoles

Each realm has a dedicated Admin Console that can be accessed by going to the url /admin/{realm-name}/console. Users within that realm can be granted realm management permissions by assigning specific user role mappings.

Each realm has a built-in client called realm-management. You can view this client by going to the Clients left menu item of your realm. This client defines client-level roles that specify permissions that can be granted to manage the realm.

  • view-realm

  • view-users

  • view-clients

  • view-events

  • manage-realm

  • manage-users

  • create-client

  • manage-clients

  • manage-events

  • view-identity-providers

  • manage-identity-providers

  • impersonation

Assign the roles you want to your users and they will only be able to use that specific part of the administration console.

Fine grain admin permissions

Fine Grain Admin Permissions is Preview and is not fully supported. This feature is disabled by default.

To enable start the server with --features=preview or --features=admin-fine-grained-authz

Sometimes roles like manage-realm or manage-users are too coarse grain and you want to create restricted admin accounts that have more fine grain permissions. Keycloak allows you to define and assign restricted access policies for managing a realm. Things like:

  • Managing one specific client

  • Managing users that belong to a specific group

  • Managing membership of a group

  • Limited user management.

  • Fine grain impersonation control

  • Being able to assign a specific restricted set of roles to users.

  • Being able to assign a specific restricted set of roles to a composite role.

  • Being able to assign a specific restricted set of roles to a client’s scope.

  • New general policies for viewing and managing users, groups, roles, and clients.

There are some important things to note about fine grain admin permissions:

  • Fine grain admin permissions were implemented on top of Authorization Services. It is highly recommended that you read up on those features before diving into fine grain permissions.

  • Fine grain permissions are only available within dedicated admin consoles and admins defined within those realms. You cannot define cross-realm fine grain permissions.

  • Fine grain permissions are used to grant additional permissions. You cannot override the default behavior of the built-in admin roles.

Managing one specific client

Let’s look first at allowing an admin to manage one client and one client only. In our example, we have a realm called test and a client called sales-application. In the realm test we will give a user in that realm permission to only manage that application.

You cannot do cross realm fine grain permissions. Admins in the master realm are limited to the predefined admin roles defined in previous chapters.
Permission setup

The first thing we must do is login to the Admin Console so we can set up permissions for that client. We navigate to the management section of the client, we want to define fine-grain permissions for.

Client management

Fine grain client

You should see a tab menu item called Permissions. Click on that tab.

Client permissions tab

Fine grain client permissions tab

By default, each client is not enabled to do fine grain permissions. So turn the Permissions Enabled switch to on to initialize permissions.

If you turn the Permissions Enabled switch to off, it will delete any and all permissions you have defined for this client.
Client permissions tab

Fine grain permission tab

When you switch Permissions Enabled to on, it initializes various permission objects behind the scenes using Authorization Services. For this example, we’re interested in the manage permission for the client. Clicking on that will redirect you to the permission that handles the manage permission for the client. All authorization objects are contained in the realm-management client’s Authorization tab.

Client manage permission

Fine grain client manage permission

When first initialized the manage permission does not have any policies associated with it. You will need to create one by going to the policy tab. To get there fast, click on the Client details link shown in the above image. Then click on the policies tab.

On this page, look for the Create client policy button, which you can use to define many policies. You can define a policy that is associated with a role or a group or even define rules in JavaScript. For this simple example, we are going to create a User Policy.

User policy

Fine grain client user policy

This policy will match a hard-coded user in the user database. In this case, it is the sales-admin user. We must then go back to the sales-application client’s manage permission page and assign the policy to the permission object.

Assign user policy

Fine grain client assign user policy

The sales-admin user now has permission to manage the sales-application client.

There is one more thing we have to do. Go to Users, select the sales-admin user, then go to the Role Mappings tab and assign the query-clients role to the user.

Assign query-clients

Fine grain assign query clients

Why do you have to do this? This role tells the Admin Console what menu items to render when the sales-admin visits the Admin Console. The query-clients role tells the Admin Console that it should render client menus for the sales-admin user.

IMPORTANT If you do not set the query-clients role, restricted admins like sales-admin will not see any menu options when they log into the Admin Console

Testing it out

Next, we log out of the master realm and re-login to the dedicated admin console for the test realm using the sales-admin as a username. This is located under /admin/test/console.

Sales admin login

Fine grain sales admin login

This admin is now able to manage this one client.

Restrict user role mapping

Another thing you might want to do is to restrict the set of roles an admin is allowed to assign to a user. Continuing our last example, let’s expand the permission set of the 'sales-admin' user so that he can also control which users are allowed to access this application. Through fine grain permissions, we can enable it so that the sales-admin can only assign roles that grant specific access to the sales-application. We can also restrict it so that the admin can only map roles and not perform any other types of user administration.

The sales-application has defined three different client roles.

Sales application roles

Fine grain sales application roles

We want the sales-admin user to be able to map these roles to any user in the system. The first step to do this is to allow the role to be mapped by the admin. If we click on the viewLeads role, you’ll see that there is a Permissions tab for this role.

View leads role permission tab

Fine grain view leads role

If we click on that tab and turn the Permissions Enabled on, you’ll see that there are a number of actions we can apply policies to.

View leads permissions

Fine grain view leads permissions

The one we are interested in is map-role. Click on this permission and add the same User Policy that was created in the earlier example.

Map-roles permission

Fine grain map roles permission

What we’ve done is say that the sales-admin can map the viewLeads role. What we have not done is specify which users the admin is allowed to map this role too. To do that we must go to the Users section of the admin console for this realm. Clicking on the Users left menu item brings us to the users interface of the realm. You should see a Permissions tab. Click on that and enable it.

Users permissions

Fine grain user permissions

The permission we are interested in is map-roles. This is a restrictive policy in that it only allows admins the ability to map roles to a user. If we click on the map-roles permission and again add the User Policy we created for this, our sales-admin will be able to map roles to any user.

The last thing we have to do is add the view-users role to the sales-admin. This will allow the admin to view users in the realm he wants to add the sales-application roles to.

Add view-users

Fine grain add view users

Testing it out

Next, we log out of the master realm and re-login to the dedicated admin console for the test realm using the sales-admin as a username. This is located under /admin/test/console.

You will see that now the sales-admin can view users in the system. If you select one of the users you’ll see that each user detail page is read only, except for the Role Mappings tab. Going to this tab you’ll find that there are no Available roles for the admin to map to the user except when we browse the sales-application roles.

Assign viewLeads

Fine grain add view leads

We’ve only specified that the sales-admin can map the viewLeads role.

Per client map-roles shortcut

It would be tedious if we had to do this for every client role that the sales-application published. to make things easier, there’s a way to specify that an admin can map any role defined by a client. If we log back into the admin console to our master realm admin and go back to the sales-application permissions page, you’ll see the map-roles permission.

Client map-roles permission

Fine grain client permissions

If you grant access to this particular permission to an admin, that admin will be able map any role defined by the client.

Full list of permissions

You can do a lot more with fine grain permissions beyond managing a specific client or the specific roles of a client. This chapter defines the whole list of permission types that can be described for a realm.

Role

When going to the Permissions tab for a specific role, you will see these permission types listed.

map-role

Policies that decide if an admin can map this role to a user. These policies only specify that the role can be mapped to a user, not that the admin is allowed to perform user role mapping tasks. The admin will also have to have manage or role mapping permissions. See Users Permissions for more information.

map-role-composite

Policies that decide if an admin can map this role as a composite to another role. An admin can define roles for a client if he has to manage permissions for that client but he will not be able to add composites to those roles unless he has the map-role-composite privileges for the role he wants to add as a composite.

map-role-client-scope

Policies that decide if an admin can apply this role to the scope of a client. Even if the admin can manage the client, he will not have permission to create tokens for that client that contain this role unless this privilege is granted.

Client

When going to the Permissions tab for a specific client, you will see these permission types listed.

view

Policies that decide if an admin can view the client’s configuration.

manage

Policies that decide if an admin can view and manage the client’s configuration. There are some issues with this in that privileges could be leaked unintentionally. For example, the admin could define a protocol mapper that hardcoded a role even if the admin does not have privileges to map the role to the client’s scope. This is currently the limitation of protocol mappers as they don’t have a way to assign individual permissions to them like roles do.

configure

Reduced set of privileges to manage the client. It is like the manage scope except the admin is not allowed to define protocol mappers, change the client template, or the client’s scope.

map-roles

Policies that decide if an admin can map any role defined by the client to a user. This is a shortcut, easy-of-use feature to avoid having to define policies for each and every role defined by the client.

map-roles-composite

Policies that decide if an admin can map any role defined by the client as a composite to another role. This is a shortcut, easy-of-use feature to avoid having to define policies for each and every role defined by the client.

map-roles-client-scope

Policies that decide if an admin can map any role defined by the client to the scope of another client. This is a shortcut, easy-of-use feature to avoid having to define policies for each and every role defined by the client.

Users

When going to the Permissions tab for all users, you will see these permission types listed.

view

Policies that decide if an admin can view all users in the realm.

manage

Policies that decide if an admin can manage all users in the realm. This permission grants the admin the privilege to perform user role mappings, but it does not specify which roles the admin is allowed to map. You’ll need to define the privilege for each role you want the admin to be able to map.

map-roles

This is a subset of the privileges granted by the manage scope. In this case the admin is only allowed to map roles. The admin is not allowed to perform any other user management operation. Also, like manage, the roles that the admin is allowed to apply must be specified per role or per set of roles if dealing with client roles.

manage-group-membership

Similar to map-roles except that it pertains to group membership: which groups a user can be added or removed from. These policies just grant the admin permission to manage group membership, not which groups the admin is allowed to manage membership for. You’ll have to specify policies for each group’s manage-members permission.

impersonate

Policies that decide if the admin is allowed to impersonate other users. These policies are applied to the administrator’s attributes and role mappings.

user-impersonated

Policies that decide which users can be impersonated. These policies will be applied to the user being impersonated. For example, you might want to define a policy that will forbid anybody from impersonating a user that has admin privileges.

Group

When going to the Permissions tab for a specific group, you will see these permission types listed.

view

Policies that decide if the admin can view information about the group.

manage

Policies that decide if the admin can manage the configuration of the group.

view-members

Policies that decide if the admin can view the user details of members of the group.

manage-members

Policies that decide if the admin can manage the users that belong to this group.

manage-membership

Policies that decide if an admin can change the membership of the group. Add or remove members from the group.

Managing organizations

When integrating with a third party like a customer or business partner, you might want to manage their identities separately from others and build a unified and secure experience throughout your business ecosystem when they interact with a realm.

In a realm, an organization represents these third parties so that a realm or an organization administrator can manage the entire lifecycle of its members and how they authenticate and authorize to a realm, on a per-organization basis.

The organization is the entry point to start using the IAM capabilities of Keycloak to also address Business-to-Business (B2B) use cases. It enables multi-tenancy within a realm so that users can have access to protected resources from a realm but with a more restricted and controlled context, that context being the organization to which they belong.

Keycloak Organizations is a feature that enables support for organizations in Keycloak. For now, it provides some of the core capabilities needed to manage organizations such as:

  • Manage members

  • Onboard organization members using invitation links

  • Onboard organization members by federating their identities through identity brokering

  • Identity-first login and organization-specific steps when authenticating in the scope of an organization

  • Propagate organization-specific claims to applications through tokens for authorization purposes

Enabling organizations in Keycloak

To use organizations, you have to enable the feature for the current realm.

Procedure
  1. Click Realm Settings in the menu.

  2. Toggle Organizations to On.

  3. Click Save

Enabling Organizations

Enabling Organizations

Once the feature is enabled, you are able to manage organizations through the Organizations section available from the menu.

Managing an organization

From the Organizations section, you can manage all the organizations in your realm.

Managing organizations

Managing organizations

Creating an organization

Procedure
  1. Click Create Organization.

Creating organization

Creating organization

An organization has the following settings:

Name

A user-friendly name for the organization. The name is unique within a realm.

Alias

An alias for this organization, used to reference the organization internally. The alias is unique within a realm and must be URL-friendly, so characters not usually allowed in URLs will not be allowed in the alias. If not set, Keycloak will attempt to use the name as the alias. If the name is not URL-friendly, you will get an error and will be asked to specify an alias. Once defined, the alias cannot be changed afterwards.

Redirect URL

After completing registration or accepting an invitation to the organization sent via email, the user is automatically redirected to the specified redirect url. If left empty, the user will be redirected to the account console by default.

Domains

A set of one or more domains that belongs to this organization. A domain cannot be shared by different organizations within a realm.

Description

A free-text field to describe the organization.

Once you create an organization, you can manage the additional settings that are described in the following sections:

Understanding organization domains

When managing an organization, the domain associated with an organization plays an important role in how organization members authenticate to a realm and how their profiles are validated.

One of the key roles of a domain is to help to identify the organizations where a user is a member. By looking at their email address, Keycloak will match a corresponding organization using the same domain and eventually change the authentication flow based on the organization requirements.

The domain also allows organizations to enforce that users are not allowed to use a domain in their emails other than those associated with an organization. This restriction is especially useful when users, and their identities, are federated from identity providers associated with an organization and you want to force a specific email domain for their email addresses.

Disabling an organization

To disable an organization, toggle Enabled to Off.

Disabling organization

Disabling organization

When an organization is disabled, you can still manage it through the management interfaces, but the organization members cannot authenticate to the realm, including authenticating through the identity providers associated with the organization as they are also automatically disabled.

However, the unmanaged members of an organization are still able to authenticate to the realm as they are also realm users, but tokens will not hold metadata about their relationship with an organization that is disabled.

For more details about managed and unmanaged users, see Managed and unmanaged members section.

Deleting an organization

To delete an organization, click the Delete action for the corresponding organization in the listing page or when editing an organization.

Deleting organization

Deleting organization

When removing an organization, all data associated with it will be deleted, including any managed member.

Unmanaged users and identity providers remain in the realm, but they are no longer linked to the organization.

For more details about managed and unmanaged users, see Managed and unmanaged members.

Managing attributes

An administrator can store additional metadata about an organization using attributes. An organization attribute is a key/value pair that can hold multiple string values.

For that, click the Attributes tab and set any attribute you want by providing a key and a value.

To provide multiple values for the same attribute, and key, just add another attribute with the same key but with a different value.

Managing organization attributes

Managing organization attributes

Managing members

An organization member is basically a realm user but with a link to a single organization. They are logically separated from other users in a realm so that you know exactly which users belong to an organization.

There are different ways to add, or onboard, a member to an organization:

  • Adding an existing realm user as a member

  • Through an identity provider associated with an organization

  • Sending an invitation to create a new account

  • Sending an invitation to an existing user to join an organization

Once a member of an organization, that user’s account can be managed just like any regular account in a realm by accessing the Users section in the menu.

However, you can narrow the users to only those associated with an organization by accessing the Members tab when managing an organization. In this tab, you have a list of all the organization members and actions to add new members and to edit and remove existing ones.

Managing organization members

Managing organization members

Managed and unmanaged members

When managing members, consider how their relationship with an organization affects the lifecycle of their accounts. Members can join an organization through different flows and each flow indicates the strength of the link between their accounts and the organization.

There are two types of members:

  • Managed

  • Unmanaged

Managed members are those managed by the organization, and they cannot exist outside of their organization. For instance, consider an account created through an identity provider associated with an organization. That account does not belong to a realm as it was federated from the organization. In this case, the single-source of truth for the identity is the organization and its lifecycle is controlled by the organization. If you remove the organization or the member, the account is also removed from the realm.

On the other hand, unmanaged members are those that can exist without the organization. For instance, when adding an existing realm user to an organization, the account belongs to the realm first and foremost and eventually linked to an organization. In this case, removing an organization or a member will not remove the account from the realm; the realm is the single-source of truth for the identity.

Adding an existing realm user as a member

An existing realm user can join an organization by selecting that user from a list and adding the user to the organization.

Procedure
  1. Click Add member.

  2. Click Add realm user.

  3. Select one or more users and click Add to add them to the organization.

Adding a realm user

Adding a realm user

Once a user is a member of the organization, that user is able to authenticate to the realm just like a regular user and using any credential supported by the realm.

Inviting users

An administrator can email users to join an organization.

Procedure
  1. Click Add member.

  2. Click Invite member.

  3. Provide an email address

  4. Click Send

Inviting members

Inviting members

Optionally, you can also provide a value for the First name and Last name fields for a more personalized email message using a greeting message with the first and last names of the person receiving the email.

An invitation is basically an email sent with a link that the person should click to perform the necessary steps to join an organization. These steps depend on whether the person already has an account in the realm or if a new account should be created before joining the organization.

If the email maps to an existing user in a realm, the steps the user will follow are basically about confirming the intention to join the organization.

On the other hand, if no user is associated with the given email address, the steps will involve creating a new account through the realm’s self-registration flow. In this case, the user is forced to provide the same email address used to send the invitation.

Onboarding members using an Identity Provider

An organization might have its own identity provider as the single source of truth for their identities. In this case, users federated from the identity provider are automatically added as a member of the organization.

When users join an organization through an identity provider associated with an organization, they are automatically marked as managed members. In this case, they will go through the broker login flows configured in the realm and join the organization automatically once they successfully authenticate.

Onboarding new members through an identity provider can be done by either automatically redirecting the user to an organization’s identity provider or by selecting the identity provider when at the login page.

In both cases, once the user provides the email, Keycloak will try to match an organization based on the email domain. In case the email domain matches the organization, and an identity provider is associated with the same domain and the Redirect when email domain matches setting is enabled, the user is automatically redirected to the identity provider. Once the user authenticates at the identity provider and completes the first broker login flow, the user is automatically added as an organization member.

On the other hand, if Redirect when email domain matches is not enabled, but the identity provider is configured not to Hide on login page, the user can select the identity provider and then be redirected to the identity provider to continue the onboarding process.

For more details, see Managing Identity Providers.

Removing a member

You can remove a member from an organization.

From the action menu next to the member you want to remove, click Remove.

When removing a member from an organization, remember that the user may or may not be removed from a realm depending on if that user is managed or unmanaged member, respectively.

For more details, see Managed and unmanaged members.

Managing identity providers

An organization might have its own identity provider as the single source of truth for their identities. In this case, you want to configure the organization to authenticate users using the organization’s identity provider, federate their identities, and finally add them as a member of the organization.

An organization can have one or more identity providers associated with it so that they can authenticate their users from different sources and enforce different constraints on each of them.

Before you can link an identity provider to an organization, you create an organization at the realm level from the Identity Providers section in the menu. You can link any of the built-in social and identity providers available in the realm to an organization.

Linking an identity provider to an organization

An identity provider can be linked to an organization from the Identity providers tab. If identity providers already exist, you see a list of them and options to search, edit, or unlink from the organization.

Organization identity providers

Organization identity providers

Procedure
  1. Click Link identity provider

  2. Select an Identity provider

  3. Set the appropriate settings

  4. Click Save

Linking identity provider

Linking identity provider

An identity provider has the following settings:

Identity provider

The identity provider you want to link to the organization. An identity provider can only be linked to a single organization.

Domain

The domain from the organization that you want to link with the identity provider.

Hide on login page

If this identity provider should be hidden in login pages when the user is authenticating in the scope of the organization.

Redirect when email domain matches

If members should be automatically redirected to the identity provider when their email domain matches the domain set to the identity provider.

Once linked to an organization, the identity provider can be managed just like any other in a realm by accessing the Identity Providers section in the menu. However, the options herein described are only available when managing the identity provider in the scope of an organization. The only exception is the Hide on login page option that is present here for convenience.

Editing a linked identity provider

You can edit any of the organization-related settings of a linked identity provider at any time. .Procedure

  1. In the menu, click Organizations and go to the Identity providers tab.

  2. Locate the identity provider in the list.

    You can use the search option for this step.

  3. Click the action button (three dots) at the end of the line.

  4. Click Edit.

  5. Make the necessary changes.

  6. Click Save.

Editing linked identity provider

Editing linked identity provider

Unlinking an identity provider from an organization

When an identity provider is unlinked from an organization, it remains available as a realm-level provider that is no longer ssociated with an organization. To delete the unlinked provider, use the Identity Providers section in the menu.

Procedure
  1. In the menu, click Organizations and go to the Identity providers tab.

  2. Locate the identity provider in the list.

    You can use the search capabilities for this step.

  3. Click the action button (three dots) at the end of the line.

  4. Click Unlink provider.

Unlinking identity provider

Unlinking identity provider

Authenticating members

When you enable organizations for a realm, user authentication is changed. If the user is recognized to be authenticating in the context of an organization, the authentication flow changes on a per-organization basis.

When a realm is created, the authentication flows are automatically updated to enable specific steps to authenticate and onboard organization members. The authentication flows updated are:

  • browser

  • first broker login

The main change to the browser flow is that it defaults to an identity-first login so that users are identified before prompting for their credentials. Concerning the first broker login flow, the main change is automatically adding the users as organization members once they authenticate through the identity provider associated with an organization and successfully complete the flow.

The choice to use an identity-first login or not depends on the existence of an organization in a realm. If no organizations exist, the user follows the usual steps to authenticate using the username and password, or any other step configured in the browser flow. Otherwise, the user is asked first for a username or email to continue authenticating to a realm.

The identity-first login main goal is to identify the user:

  • Is the user an existing or a new user?

  • Is the user a member of any organization within a realm?

  • If an organization member, is the user linked to any identity provider associated with the organization?

Depending on the outcome when identifying the user, the authentication flow changes to either proceed with authentication by asking for the user’s credentials or eventually redirect the user automatically to authenticate within the organization security boundaries through an identity provider.

Understanding the identity-first login

In addition to identifying the user once the username is provided, the identity-first login is also responsible for:

  • Matching an email domain to an organization.

  • Deciding if the authentication flow should continue or not if an account already exists for the username provided

  • Deciding how the user should be authenticated depending on how the domains and the identity providers are configured to an organization

  • Seamlessly authenticating users through an identity provider associated with an organization if the email domain matches the domain set to the identity provider

The identity-first login provides the same capabilities that are provided by the usual login page with the username and password fields. Users can still self-register by clicking the register link or choose any identity or social broker that is not linked to an organization in that realm.

Identity-first login page

Identity-first login page

In the case of a user that does not exist, if that user tries to authenticate using an email domain that matches an organization domain, the identity-first login page appears again with a message that the username provided is not valid. At this point, no need exists to ask the user for credentials.

Identity-first when user does not exist

Identity-first login error

Several options exist to register the user allowing that user to authenticate to the realm and join an organization.

If the realm has the self-registration setting enabled, the user can click the Register link at the identity-first login page and create an account at the realm. After that, the administrator can send an invitation link to the user or manually add the user as a member of an organization. For more details, see Managing members.

If the organization has an identity provider without a domain and the Hide on login page setting is OFF, users can also click the identity provider link at the identity-first login page to automatically create an account and join an organization once they authenticate through the identity provider. For more details, see Managing identity providers.

In a similar situation to the previous section, the organization may have an identity provider set with one of the organization domains. In this situation, the user is redirected to the identity provider if that user’s email matches a specific domain from the organization. Once the flow completes, an account is created and the user joins the organization.

Configuring existing authentication flows

As previously mentioned for new realms, authentication flows are automatically updated with the necessary steps to support organizations and authenticate their members. For existing realms, in addition to enabling organizations to the realm, you also need to manually update your existing (custom) authenticating flows.

Change the browser flow by following these steps:

Procedure
  1. Duplicate the current flow bound to the Browser flow binding type to avoid breaking the flow you are currently using

  2. Click Add sub-flow and give it a name such as My Organization

  3. Move the newly added My Organization sub-flow to execute right after the Identity Provider Redirector execution step. The main point here is that the sub-flow should happen before any other sub-flow or execution step that authenticates the user using whatever credentials you support in your realm. Once added, change the Requirement to Alternative.

  4. Click Add sub-flow in the My Organization sub-flow and give it a name such as My Organization - Conditional. Once added, change the Requirement to Conditional.

  5. Click Add condition in the My Organization - Conditional sub-flow and select Condition - user configured. Once added, change the Requirement to Required.

  6. Click Add step in the My Organization - Conditional sub-flow and select the *Organization Identity-First Login

    • execution step. Once added, change the Requirement to Alternative.

  7. Bind the authentication flow to the Browser binding type.

Organizations browser flow

Organizations browser flow

Once you enable the Organizations setting to the realm and create at least a single organization, you should be able to see the identity-first login page and start using organizations in your realm.

Change the first broker login flow by following these steps:

Procedure
  1. Duplicate the current flow bound to the First broker login flow bind type to avoid breaking the flow you are currently using

  2. Click Add sub-flow and give it a name such as Organization Member - Conditional. Once added, change the Requirement to Conditional.

  3. Click Add condition in the Organization Member - Conditional sub-flow and select Condition - user configured. Once added, change the Requirement to Required.

  4. Click Add step in the Organization Member - Conditional sub-flow and select the Organization Member Onboard execution step. Once added, change the Requirement to Required.

  5. Bind the authentication flow to the First broker login binding type.

Organizations first broker flow

Organizations first broker flow

You should now be able to authenticate using any identity provider associated with an organization and have the user joining the organization as a member as soon as they complete the first browser login flow.

Mapping organization claims

To map organization-specific claims into tokens, a client needs to request the organization scope when sending authorization requests to the server. When authenticating in the context of an organization, clients can request the organization scope to map information about the organizations where the user is a member.

As a result, the token will contain a claim as follows:

"organization": {
  "testcorp": {
    "id": "42c3e46f-2477-44d7-a85b-d3b43f6b31fa",
    "attr1": [
      "value1"
    ]
  }
}

The organization claim can be used by clients (for example, from ID Tokens) and resource servers (for example, from access tokens) to authorize access to protected resources based on the organization where the user is a member.

The organization scope is a built-in optional client scope at the realm. Therefore, this scope is added to any client created in the realm by default. It also defines the Organization Membership mapper that controls how the organization membership information is mapped to the tokens.

By default, the organization id and attributes are not included in the organization claim. To include them, edit the mapper and enable the Add organization id and Add organization attributes options, respectively.
Including attributes in the organization claim

Including attributes in the organization claim

The organization scope is requested using different formats:

Format Description

organization

Maps to a single organization if the user is a member of a single organization. Otherwise, if a member of multiple organizations, the user will be prompted to select an organization when authenticating to the realm.

organization:<alias>

Maps to a single organization with the given alias.

organization:*

Maps to all organizations the user is a member of.

Managing OpenID Connect and SAML Clients

Clients are entities that can request authentication of a user. Clients come in two forms. The first type of client is an application that wants to participate in single-sign-on. These clients just want Keycloak to provide security for them. The other type of client is one that is requesting an access token so that it can invoke other services on behalf of the authenticated user. This section discusses various aspects around configuring clients and various ways to do it.

Managing OpenID Connect clients

OpenID Connect is the recommended protocol to secure applications. It was designed from the ground up to be web friendly and it works best with HTML5/JavaScript applications.

Creating an OpenID Connect client

To protect an application that uses the OpenID connect protocol, you create a client.

Procedure
  1. Click Clients in the menu.

  2. Click Create client.

    Create client

    Create Client

  3. Leave Client type set to OpenID Connect.

  4. Enter a Client ID.

    This ID is an alphanumeric string that is used in OIDC requests and in the Keycloak database to identify the client.

  5. Supply a Name for the client.

    If you plan to localize this name, set up a replacement string value. For example, a string value such as ${myapp}. See the Server Developer Guide for more information.

  6. Click Save.

This action creates the client and bring you to the Settings tab, where you can perform Basic configuration.

Basic configuration

The Settings tab includes many options to configure this client.

Settings tab

Settings tab

General Settings
Client ID

The alphanumeric ID string that is used in OIDC requests and in the Keycloak database to identify the client.

Name

The name for the client in Keycloak UI screen. To localize the name, set up a replacement string value. For example, a string value such as ${myapp}. See the Server Developer Guide for more information.

Description

The description of the client. This setting can also be localized.

Always Display in Console

Always list this client in the Account Console even if this user does not have an active session.

Access Settings
Root URL

If Keycloak uses any configured relative URLs, this value is prepended to them.

Home URL

Provides the default URL for when the auth server needs to redirect or link back to the client.

Valid Redirect URIs

Required field. Enter a URL pattern and click + to add and - to remove existing URLs and click Save. Exact (case sensitive) string matching is used to compare valid redirect URIs.

You can use wildcards at the end of the URL pattern. For example http://host.com/path/*. To avoid security issues, if the passed redirect URI contains the userinfo part or its path manages access to parent directory (/../) no wildcard comparison is performed but the standard and secure exact string matching.

The full wildcard * valid redirect URI can also be configured to allow any http or https redirect URI. Please do not use it in production environments.

Exclusive redirect URI patterns are typically more secure. See Unspecific Redirect URIs for more information.

Web Origins

Enter a URL pattern and click + to add and - to remove existing URLs. Click Save.

This option handles Cross-Origin Resource Sharing (CORS). If browser JavaScript attempts an AJAX HTTP request to a server whose domain is different from the one that the JavaScript code came from, the request must use CORS. The server must handle CORS requests, otherwise the browser will not display or allow the request to be processed. This protocol protects against XSS, CSRF, and other JavaScript-based attacks.

Domain URLs listed here are embedded within the access token sent to the client application. The client application uses this information to decide whether to allow a CORS request to be invoked on it. Only Keycloak client adapters support this feature. See Securing applications Guides for more information.

Admin URL

Callback endpoint for a client. The server uses this URL to make callbacks like pushing revocation policies, performing backchannel logout, and other administrative operations. For Keycloak servlet adapters, this URL can be the root URL of the servlet application. For more information, see Securing applications Guides.

Capability Config
Client authentication

The type of OIDC client.

  • ON

    For server-side clients that perform browser logins and require client secrets when making an Access Token Request. This setting should be used for server-side applications.

  • OFF

    For client-side clients that perform browser logins. As it is not possible to ensure that secrets can be kept safe with client-side clients, it is important to restrict access by configuring correct redirect URIs.

Authorization

Enables or disables fine-grained authorization support for this client.

Standard Flow

If enabled, this client can use the OIDC Authorization Code Flow.

Direct Access Grants

If enabled, this client can use the OIDC Direct Access Grants.

Implicit Flow

If enabled, this client can use the OIDC Implicit Flow.

Service account roles

If enabled, this client can authenticate to Keycloak and retrieve access token dedicated to this client. In terms of OAuth2 specification, this enables support of Client Credentials Grant for this client.

Auth 2.0 Device Authorization Grant

If enabled, this client can use the OIDC Device Authorization Grant.

OIDC CIBA Grant

If enabled, this client can use the OIDC Client Initiated Backchannel Authentication Grant.

Login settings
Login theme

A theme to use for login, OTP, grant registration, and forgotten password pages.

Consent required

If enabled, users have to consent to client access.

For client-side clients that perform browser logins. As it is not possible to ensure that secrets can be kept safe with client-side clients, it is important to restrict access by configuring correct redirect URIs.

Display client on screen

This switch applies if Consent Required is Off.

  • Off

    The consent screen will contain only the consents corresponding to configured client scopes.

  • On

    There will be also one item on the consent screen about this client itself.

Client consent screen text

Applies if Consent required and Display client on screen are enabled. Contains the text that will be on the consent screen about permissions for this client.

Logout settings
Front channel logout

If Front Channel Logout is enabled, the application should be able to log out users through the front channel as per OpenID Connect Front-Channel Logout specification. If enabled, you should also provide the Front-Channel Logout URL.

Front-channel logout URL

URL that will be used by Keycloak to send logout requests to clients through the front-channel.

Backchannel logout URL

URL that will cause the client to log itself out when a logout request is sent to this realm (via end_session_endpoint). If omitted, no logout requests are sent to the client.

Backchannel logout session required

Specifies whether a session ID Claim is included in the Logout Token when the Backchannel Logout URL is used.

Backchannel logout revoke offline sessions

Specifies whether a revoke_offline_access event is included in the Logout Token when the Backchannel Logout URL is used. Keycloak will revoke offline sessions when receiving a Logout Token with this event.

Advanced configuration

After completing the fields on the Settings tab, you can use the other tabs to perform advanced configuration. For example, you can use the Permissions and Roles tabs to configure fine-grained authentication for administrators. See Fine grain admin permissions. Also, see the remaining sections in this chapter for other capabilities.

Advanced tab

When you click the Advanced tab, additional fields are displayed. For details on a specific field, click the question mark icon for that field. However, certain fields are described in detail in this section.

Fine grain OpenID Connect configuration

Logo URL

URL that references a logo for the Client application.

Policy URL

URL that the Relying Party Client provides to the End-User to read about how the profile data will be used.

Terms of Service URL

URL that the Relying Party Client provides to the End-User to read about the Relying Party’s terms of service.

Signed and Encrypted ID Token Support

Keycloak can encrypt ID tokens according to the Json Web Encryption (JWE) specification. The administrator determines if ID tokens are encrypted for each client.

The key used for encrypting the ID token is the Content Encryption Key (CEK). Keycloak and a client must negotiate which CEK is used and how it is delivered. The method used to determine the CEK is the Key Management Mode. The Key Management Mode that Keycloak supports is Key Encryption.

In Key Encryption:

  1. The client generates an asymmetric cryptographic key pair.

  2. The public key is used to encrypt the CEK.

  3. Keycloak generates a CEK per ID token

  4. Keycloak encrypts the ID token using this generated CEK

  5. Keycloak encrypts the CEK using the client’s public key.

  6. The client decrypts this encrypted CEK using their private key

  7. The client decrypts the ID token using the decrypted CEK.

No party, other than the client, can decrypt the ID token.

The client must pass its public key for encrypting CEK to Keycloak. Keycloak supports downloading public keys from a URL provided by the client. The client must provide public keys according to the Json Web Keys (JWK) specification.

The procedure is:

  1. Open the client’s Keys tab.

  2. Toggle JWKS URL to ON.

  3. Input the client’s public key URL in the JWKS URL textbox.

Key Encryption’s algorithms are defined in the Json Web Algorithm (JWA) specification. Keycloak supports:

  • RSAES-PKCS1-v1_5(RSA1_5)

  • RSAES OAEP using default parameters (RSA-OAEP)

  • RSAES OAEP 256 using SHA-256 and MFG1 (RSA-OAEP-256)

The procedure to select the algorithm is:

  1. Open the client’s Advanced tab.

  2. Open Fine Grain OpenID Connect Configuration.

  3. Select the algorithm from ID Token Encryption Content Encryption Algorithm pulldown menu.

OpenID Connect Compatibility Modes

This section exists for backward compatibility. Click the question mark icons for details on each field.

OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled

Mutual TLS binds an access token and a refresh token together with a client certificate, which is exchanged during a TLS handshake. This binding prevents an attacker from using stolen tokens.

This type of token is a holder-of-key token. Unlike bearer tokens, the recipient of a holder-of-key token can verify if the sender of the token is legitimate.

If this setting is on, the workflow is:

  1. A token request is sent to the token endpoint in an authorization code flow or hybrid flow.

  2. Keycloak requests a client certificate.

  3. Keycloak receives the client certificate.

  4. Keycloak successfully verifies the client certificate.

If verification fails, Keycloak rejects the token.

In the following cases, Keycloak will verify the client sending the access token or the refresh token:

  • A token refresh request is sent to the token endpoint with a holder-of-key refresh token.

  • A UserInfo request is sent to UserInfo endpoint with a holder-of-key access token.

  • A logout request is sent to non-OIDC compliant Keycloak proprietary Logout endpoint with a holder-of-key refresh token.

See Mutual TLS Client Certificate Bound Access Tokens in the OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens for more details.

Keycloak client adapters do not support holder-of-key token verification. Keycloak adapters treat access and refresh tokens as bearer tokens.

OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)

DPoP binds an access token and a refresh token together with the public part of a client’s key pair. This binding prevents an attacker from using stolen tokens.

This type of token is a holder-of-key token. Unlike bearer tokens, the recipient of a holder-of-key token can verify if the sender of the token is legitimate.

If the client switch OAuth 2.0 DPoP Bound Access Tokens Enabled is on, the workflow is:

  1. A token request is sent to the token endpoint in an authorization code flow or hybrid flow.

  2. Keycloak requests a DPoP proof.

  3. Keycloak receives the DPoP proof.

  4. Keycloak successfully verifies the DPoP proof.

If verification fails, Keycloak rejects the token.

If the switch OAuth 2.0 DPoP Bound Access Tokens Enabled is off, the client can still send DPoP proof in the token request. In that case, Keycloak will verify DPoP proof and will add the thumbprint to the token. But if the switch is off, DPoP binding is not enforced by the Keycloak server for this client. It is recommended to have this switch on if you want to make sure that particular client always uses DPoP binding.

In the following cases, Keycloak will verify the client sending the access token or the refresh token:

  • A token refresh request is sent to the token endpoint with a holder-of-key refresh token. This verification is done only for public clients as described in the DPoP specification. For confidential clients, the verification is not done as client authentication with proper client credentials is in place to ensure that request comes from the legitimate client. For public clients, both access tokens and refresh tokens are DPoP bound. For confidential clients, only access tokens are DPoP bound.

  • A UserInfo request is sent to UserInfo endpoint with a holder-of-key access token.

  • A logout request is sent to a non-OIDC compliant Keycloak proprietary logout endpoint Logout endpoint with a holder-of-key refresh token. This verification is done only for public clients as described above.

Keycloak client adapters do not support DPoP holder-of-key token verification. Keycloak adapters treat access and refresh tokens as bearer tokens.

DPoP is Preview and is not fully supported. This feature is disabled by default.

To enable start the server with --features=preview or --features=dpop

Advanced Settings for OIDC

The Advanced Settings for OpenID Connect allows you to configure overrides at the client level for session and token timeouts.

Advanced Settings

Configuration Description

Access Token Lifespan

The value overrides the realm option with same name.

Client Session Idle

The value overrides the realm option with same name. The value should be shorter than the global SSO Session Idle.

Client Session Max

The value overrides the realm option with same name. The value should be shorter than the global SSO Session Max.

Client Offline Session Idle

This setting allows you to configure a shorter offline session idle timeout for the client. The timeout is amount of time the session remains idle before Keycloak revokes its offline token. If not set, realm Offline Session Idle is used.

Client Offline Session Max

This setting allows you to configure a shorter offline session max lifespan for the client. The lifespan is the maximum time before Keycloak revokes the corresponding offline token. This option needs Offline Session Max Limited enabled globally in the realm, and defaults to Offline Session Max.

Proof Key for Code Exchange Code Challenge Method

If an attacker steals an authorization code of a legitimate client, Proof Key for Code Exchange (PKCE) prevents the attacker from receiving the tokens that apply to the code.

An administrator can select one of these options:

(blank)

Keycloak does not apply PKCE unless the client sends appropriate PKCE parameters to Keycloaks authorization endpoint.

S256

Keycloak applies to the client PKCE whose code challenge method is S256.

plain

Keycloak applies to the client PKCE whose code challenge method is plain.

ACR to Level of Authentication (LoA) Mapping

In the advanced settings of a client, you can define which Authentication Context Class Reference (ACR) value is mapped to which Level of Authentication (LoA). This mapping can be specified also at the realm as mentioned in the ACR to LoA Mapping. A best practice is to configure this mapping at the realm level, which allows to share the same settings across multiple clients.

The Default ACR Values can be used to specify the default values when the login request is sent from this client to Keycloak without acr_values parameter and without a claims parameter that has an acr claim attached. See official OIDC dynamic client registration specification.

Note that default ACR values are used as the default level, however it cannot be reliably used to enforce login with the particular level. For example, assume that you configure the Default ACR Values to level 2. Then by default, users will be required to authenticate with level 2. However when the user explicitly attaches the parameter into login request such as acr_values=1, then the level 1 will be used. As a result, if the client really requires level 2, the client is encouraged to check the presence of the acr claim inside ID Token and double-check that it contains the requested level 2.

ACR to LoA mapping

Confidential client credentials

If the Client authentication of the client is set to ON, the credentials of the client must be configured under the Credentials tab.

Credentials tab

Credentials Tab

The Client Authenticator drop-down list specifies the type of credential to use for your client.

Client ID and Secret

This choice is the default setting. The secret is automatically generated. Click Regenerate to recreate the secret if necessary.

Signed JWT

Signed JWT

Signed JWT is "Signed Json Web Token".

When choosing this credential type you will have to also generate a private key and certificate for the client in the tab Keys. The private key will be used to sign the JWT, while the certificate is used by the server to verify the signature.

Keys tab

Keys tab

Click on the Generate new keys button to start this process.

Generate keys

generate client keys

  1. Select the archive format you want to use.

  2. Enter a key password.

  3. Enter a store password.

  4. Click Generate.

When you generate the keys, Keycloak will store the certificate and you download the private key and certificate for your client.

You can also generate keys using an external tool and then import the client’s certificate by clicking Import Certificate.

Import certificate

Import Certificate

  1. Select the archive format of the certificate.

  2. Enter the store password.

  3. Select the certificate file by clicking Import File.

  4. Click Import.

Importing a certificate is unnecessary if you click Use JWKS URL. In this case, you can provide the URL where the public key is published in JWK format. With this option, if the key is ever changed, Keycloak reimports the key.

If you are using a client secured by Keycloak adapter, you can configure the JWKS URL in this format, assuming that https://myhost.com/myapp is the root URL of your client application:

https://myhost.com/myapp/k_jwks

See Server Developer Guide for more details.

Signed JWT with Client Secret

If you select this option, you can use a JWT signed by client secret instead of the private key.

The client secret will be used to sign the JWT by the client.

X509 Certificate

Keycloak will validate if the client uses proper X509 certificate during the TLS Handshake.

X509 certificate

x509 client auth

The validator also checks the Subject DN field of the certificate with a configured regexp validation expression. For some use cases, it is sufficient to accept all certificates. In that case, you can use (.*?)(?:$) expression.

Two ways exist for Keycloak to obtain the Client ID from the request:

  • The client_id parameter in the query (described in Section 2.2 of the OAuth 2.0 Specification).

  • Supply client_id as a form parameter.

Client Secret Rotation

Please note that Client Secret Rotation support is in development. Use this feature experimentally.

For a client with Confidential Client authentication Keycloak supports the functionality of rotating client secrets through Client Policies.

The client secrets rotation policy provides greater security in order to alleviate problems such as secret leakage. Once enabled, Keycloak supports up to two concurrently active secrets for each client. The policy manages rotations according to the following settings:

  • Secret expiration: [seconds] - When the secret is rotated, this is the expiration of time of the new secret. The amount, in seconds, added to the secret creation date. Calculated at policy execution time.

  • Rotated secret expiration: [seconds] - When the secret is rotated, this value is the remaining expiration time for the old secret. This value should be always smaller than Secret expiration. When the value is 0, the old secret will be immediately removed during client rotation. The amount, in seconds, added to the secret rotation date. Calculated at policy execution time.

  • Remaining expiration time for rotation during update: [seconds] - Time period when an update to a dynamic client should perform client secret rotation. Calculated at policy execution time.

When a client secret rotation occurs, a new main secret is generated and the old client main secret becomes the secondary secret with a new expiration date.

Rules for client secret rotation

Rotations do not occur automatically or through a background process. In order to perform the rotation, an update action is required on the client, either through the Keycloak Admin Console through the function of Regenerate Secret, in the client’s credentials tab or Admin REST API. When invoking a client update action, secret rotation occurs according to the rules:

  • When the value of Secret expiration is less than the current date.

  • During dynamic client registration client-update request, the client secret will be automatically rotated if the value of Remaining expiration time for rotation during update match the period between the current date and the Secret expiration.

Additionally it is possible through Admin REST API to force a client secret rotation at any time.

During the creation of new clients, if the client secret rotation policy is active, the behavior will be applied automatically.

To apply the secret rotation behavior to an existing client, update that client after you define the policy so that the behavior is applied.

Creating an OIDC Client Secret Rotation Policy

The following is an example of defining a secret rotation policy:

Procedure
  1. Click Realm Settings in the menu.

  2. Click Client Policies tab.

  3. On the Profiles page, click Create client profile.

    Create a profile

    Create Client Profile

  4. Enter any name for Name.

  5. Enter a description that helps you identify the purpose of the profile for Description.

  6. Click Save.

    This action creates the profile and enables you to configure executors.

  7. Click Add executor to configure an executor for this profile.

    Create a profile executor

    Client Profile Executor

  8. Select secret-rotation for Executor Type.

  9. Enter the maximum duration time of each secret, in seconds, for Secret Expiration.

  10. Enter the maximum duration time of each rotated secret, in seconds, for Rotated Secret Expiration.

    Remember that the Rotated Secret Expiration value must always be less than Secret Expiration.
  11. Enter the amount of time, in seconds, after which any update action will update the client for Remain Expiration Time.

  12. Click Add.

    In the example above:

    • Each secret is valid for one week.

    • The rotated secret expires after two days.

    • The window for updating dynamic clients starts one day before the secret expires.

  13. Return to the Client Policies tab.

  14. Click Policies.

  15. Click Create client policy.

    Create the Client Secret Rotation Policy

    Client Rotation Policy

  16. Enter any name for Name.

  17. Enter a description that helps you identify the purpose of the policy for Description.

  18. Click Save.

    This action creates the policy and enables you to associate policies with profiles. It also allows you to configure the conditions for policy execution.

  19. Under Conditions, click Add condition.

    Create the Client Secret Rotation Policy Condition

    Client Rotation Policy Condition

  20. To apply the behavior to all confidential clients select client-access-type in the Condition Type field

    To apply to a specific group of clients, another approach would be to select the client-roles type in the Condition Type field. In this way, you could create specific roles and assign a custom rotation configuration to each role.

  21. Add confidential to the field Client Access Type.

  22. Click Add.

  23. Back in the policy setting, under Client Profiles, click Add client profile and then select Weekly Client Secret Rotation Profile from the list and then click Add.

    Client Secret Rotation Policy

    Client Rotation Policy

To apply the secret rotation behavior to an existing client, follow the following steps:

Using the Admin Console
  1. Click Clients in the menu.

  2. Click a client.

  3. Click the Credentials tab.

  4. Click Re-generate of the client secret.


Using client REST services it can be executed in two ways:
  • Through an update operation on a client

  • Through the regenerate client secret endpoint

Using a service account

Each OIDC client has a built-in service account. Use this service account to obtain an access token.

Procedure
  1. Click Clients in the menu.

  2. Select your client.

  3. Click the Settings tab.

  4. Toggle Client authentication to On.

  5. Select Service accounts roles.

  6. Click Save.

  7. Configure your client credentials.

  8. Click the Scope tab.

  9. Verify that you have roles or toggle Full Scope Allowed to ON.

  10. Click the Service Account Roles tab

  11. Configure the roles available to this service account for your client.

Roles from access tokens are the intersection of:

  • Role scope mappings of a client combined with the role scope mappings inherited from linked client scopes.

  • Service account roles.

The REST URL to invoke is /realms/{realm-name}/protocol/openid-connect/token. This URL must be invoked as a POST request and requires that you post the client credentials with the request.

By default, client credentials are represented by the clientId and clientSecret of the client in the Authorization: Basic header but you can also authenticate the client with a signed JWT assertion or any other custom mechanism for client authentication.

You also need to set the grant_type parameter to "client_credentials" as per the OAuth2 specification.

For example, the POST invocation to retrieve a service account can look like this:

    POST /realms/demo/protocol/openid-connect/token
    Authorization: Basic cHJvZHVjdC1zYS1jbGllbnQ6cGFzc3dvcmQ=
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials

The response would be similar to this Access Token Response from the OAuth 2.0 specification.

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
    "access_token":"2YotnFZFEjr1zCsicMWpAA",
    "token_type":"bearer",
    "expires_in":60
}

Only the access token is returned by default. No refresh token is returned and no user session is created on the Keycloak side upon successful authentication by default. Due to the lack of a refresh token, re-authentication is required when the access token expires. However, this situation does not mean any additional overhead for the Keycloak server because sessions are not created by default.

In this situation, logout is unnecessary. However, issued access tokens can be revoked by sending requests to the OAuth2 Revocation Endpoint as described in the OpenID Connect Endpoints section.

Additional resources

For more details, see Client Credentials Grant.

Audience support

Typically, the environment where Keycloak is deployed consists of a set of confidential or public client applications that use Keycloak for authentication.

Services (Resource Servers in the OAuth 2 specification) are also available that serve requests from client applications and provide resources to these applications. These services require an Access token (Bearer token) to be sent to them to authenticate a request. This token is obtained by the frontend application upon login to Keycloak.

In the environment where trust among services is low, you may encounter this scenario:

  1. A frontend client application requires authentication against Keycloak.

  2. Keycloak authenticates a user.

  3. Keycloak issues a token to the application.

  4. The application uses the token to invoke an untrusted service.

  5. The untrusted service returns the response to the application. However, it keeps the applications token.

  6. The untrusted service then invokes a trusted service using the applications token. This results in broken security as the untrusted service misuses the token to access other services on behalf of the client application.

This scenario is unlikely in environments with a high level of trust between services but not in environments where trust is low. In some environments, this workflow may be correct as the untrusted service may have to retrieve data from a trusted service to return data to the original client application.

An unlimited audience is useful when a high level of trust exists between services. Otherwise, the audience should be limited. You can limit the audience and, at the same time, allow untrusted services to retrieve data from trusted services. In this case, ensure that the untrusted service and the trusted service are added as audiences to the token.

To prevent any misuse of the access token, limit the audience on the token and configure your services to verify the audience on the token. The flow will change as follows:

  1. A frontend application authenticates against Keycloak.

  2. Keycloak authenticates a user.

  3. Keycloak issues a token to the application. The application knows that it will need to invoke an untrusted service so it places scope=<untrusted service> in the authentication request sent to Keycloak (see Client Scopes section for more details about the scope parameter).

    The token issued to the application contains a reference to the untrusted service in its audience ("audience": [ "<untrusted service>" ]) which declares that the client uses this access token to invoke the untrusted service.

  4. The untrusted service invokes a trusted service with the token. Invocation is not successful because the trusted service checks the audience on the token and find that its audience is only for the untrusted service. This behavior is expected and security is not broken.

If the client wants to invoke the trusted service later, it must obtain another token by reissuing the SSO login with scope=<trusted service>. The returned token will then contain the trusted service as an audience:

"audience": [ "<trusted service>" ]

Use this value to invoke the <trusted service>.

Setup

When setting up audience checking:

  • Ensure that services are configured to check audience on the access token sent to them. This may be done in a way specific to your client OIDC adapter, which you are using to secure your OIDC client application.

  • Ensure that access tokens issued by Keycloak contain all necessary audiences. Audiences can be added using the client roles as described in the next section or hardcoded. See Hardcoded audience.

Automatically add audience

An Audience Resolve protocol mapper is defined in the default client scope roles. The mapper checks for clients that have at least one client role available for the current token. The client ID of each client is then added as an audience, which is useful if your service clients rely on client roles. Service client could be usually a client without any flows enabled, which may not have any tokens issued directly to itself. It represents an OAuth 2 Resource Server.

For example, for a service client and a confidential client, you can use the access token issued for the confidential client to invoke the service client REST service. The service client will be automatically added as an audience to the access token issued for the confidential client if the following are true:

  • The service client has any client roles defined on itself.

  • Target user has at least one of those client roles assigned.

  • Confidential client has the role scope mappings for the assigned role.

If you want to ensure that the audience is not added automatically, do not configure role scope mappings directly on the confidential client. Instead, you can create a dedicated client scope that contains the role scope mappings for the client roles of your dedicated client scope.

Assuming that the client scope is added as an optional client scope to the confidential client, the client roles and the audience will be added to the token if explicitly requested by the scope=<trusted service> parameter.

The frontend client itself is not automatically added to the access token audience, therefore allowing easy differentiation between the access token and the ID token, since the access token will not contain the client for which the token is issued as an audience.

If you need the client itself as an audience, see the hardcoded audience option. However, using the same client as both frontend and REST service is not recommended.

Hardcoded audience

When your service relies on realm roles or does not rely on the roles in the token at all, it can be useful to use a hardcoded audience. A hardcoded audience is a protocol mapper, that will add the client ID of the specified service client as an audience to the token. You can use any custom value, for example a URL, if you want to use a different audience than the client ID.

You can add the protocol mapper directly to the frontend client. If the protocol mapper is added directly, the audience will always be added as well.

For more control over the protocol mapper, you can create the protocol mapper on the dedicated client scope, which will be called for example good-service.

Audience protocol mapper

audience mapper

  • From the Client details tab of the good-service client, you can generate the adapter configuration and confirm that verify-token-audience is set to true. This action forces the adapter to verify the audience if you use this configuration.

  • You need to ensure that the confidential client is able to request good-service as an audience in its tokens.

    On the confidential client:

    1. Click the Client Scopes tab.

    2. Assign good-service as an optional (or default) client scope.

      See Client Scopes Linking section for more details.

  • You can optionally Evaluate Client Scopes and generate an example access token. good-service will be added to the audience of the generated access token if good-service is included in the scope parameter, when you assigned it as an optional client scope.

  • In your confidential client application, ensure that the scope parameter is used. The value good-service must be included when you want to issue the token for accessing good-service.

    See:

    • Keycloak JavaScript adapter in the securing apps section if your application uses the javascript adapter.

Both the Audience and Audience Resolve protocol mappers add the audiences to the access token only, by default. The ID Token typically contains only a single audience, the client ID for which the token was issued, a requirement of the OpenID Connect specification. However, the access token does not necessarily have the client ID, which was the token issued for, unless the audience mappers added it.

Creating a SAML client

Keycloak supports SAML 2.0 for registered applications. POST and Redirect bindings are supported. You can choose to require client signature validation. You can have the server sign and/or encrypt responses as well.

Procedure
  1. Click Clients in the menu.

  2. Click Create client to go to the Create client page.

  3. Set Client type to SAML.

    Create client

    add client saml

  4. Enter the Client ID of the client. This is often a URL and is the expected issuer value in SAML requests sent by the application.

  5. Click Save. This action creates the client and brings you to the Settings tab.

The following sections describe each setting on this tab.

Settings tab

The Settings tab includes many options to configure this client.

Client settings

client settings saml

General settings
Client ID

The alphanumeric ID string that is used in OIDC requests and in the Keycloak database to identify the client. This value must match the issuer value sent with AuthNRequests. Keycloak pulls the issuer from the Authn SAML request and match it to a client by this value.

Name

The name for the client in a Keycloak UI screen. To localize the name, set up a replacement string value. For example, a string value such as ${myapp}. See the Server Developer Guide for more information.

Description

The description of the client. This setting can also be localized.

Always Display in Console

Always list this client in the Account Console even if this user does not have an active session.

Access Settings
Root URL

When Keycloak uses a configured relative URL, this value is prepended to the URL.

Home URL

If Keycloak needs to link to a client, this URL is used.

Valid Redirect URIs

Enter a URL pattern and click the + sign to add. Click the - sign to remove. Click Save to save these changes. Wildcards values are allowed only at the end of a URL. For example, http://host.com/*$$. This field is used when the exact SAML endpoints are not registered and Keycloak pulls the Assertion Consumer URL from a request.

IDP-Initiated SSO URL name

URL fragment name to reference client when you want to do IDP Initiated SSO. Leaving this empty will disable IDP Initiated SSO. The URL you will reference from your browser will be: server-root/realms/{realm}/protocol/saml/clients/{client-url-name}

IDP Initiated SSO Relay State

Relay state you want to send with SAML request when you want to do IDP Initiated SSO.

Master SAML Processing URL

This URL is used for all SAML requests and the response is directed to the SP. It is used as the Assertion Consumer Service URL and the Single Logout Service URL.

If login requests contain the Assertion Consumer Service URL then those login requests will take precedence. This URL must be validated by a registered Valid Redirect URI pattern.

SAML capabilities
Name ID Format

The Name ID Format for the subject. This format is used if no name ID policy is specified in a request, or if the Force Name ID Format attribute is set to ON.

Force Name ID Format

If a request has a name ID policy, ignore it and use the value configured in the Admin Console under Name ID Format.

Force POST Binding

By default, Keycloak responds using the initial SAML binding of the original request. By enabling Force POST Binding, Keycloak responds using the SAML POST binding even if the original request used the redirect binding.

Force artifact binding

If enabled, response messages are returned to the client through the SAML ARTIFACT binding system.

Include AuthnStatement

SAML login responses may specify the authentication method used, such as password, as well as timestamps of the login and the session expiration. Include AuthnStatement is enabled by default, so that the AuthnStatement element will be included in login responses. Setting this to OFF prevents clients from determining the maximum session length, which can create client sessions that do not expire.

Include OneTimeUse Condition

If enable, a OneTimeUse Condition is included in login responses.

Optimize REDIRECT signing key lookup

When set to ON, the SAML protocol messages include the Keycloak native extension. This extension contains a hint with the signing key ID. The SP uses the extension for signature validation instead of attempting to validate the signature using keys.

This option applies to REDIRECT bindings where the signature is transferred in query parameters and this information is not found in the signature information. This is contrary to POST binding messages where key ID is always included in document signature.

This option is used when Keycloak server and adapter provide the IDP and SP. This option is only relevant when Sign Documents is set to ON.

Signature and Encryption
Sign Documents

When set to ON, Keycloak signs the document using the realms private key.

Sign Assertions

The assertion is signed and embedded in the SAML XML Auth response.

Signature Algorithm

The algorithm used in signing SAML documents. Note that SHA1 based algorithms are deprecated and may be removed in a future release. We recommend the use of some more secure algorithm instead of *_SHA1. Also, with *_SHA1 algorithms, verifying signatures do not work if the SAML client runs on Java 17 or higher.

SAML Signature Key Name

Signed SAML documents sent using POST binding contain the identification of the signing key in the KeyName element. This action can be controlled by the SAML Signature Key Name option. This option controls the contents of the Keyname.

  • KEY_ID The KeyName contains the key ID. This option is the default option.

  • CERT_SUBJECT The KeyName contains the subject from the certificate corresponding to the realm key. This option is expected by Microsoft Active Directory Federation Services.

  • NONE The KeyName hint is completely omitted from the SAML message.

Canonicalization Method

The canonicalization method for XML signatures.

Login settings
Login theme

A theme to use for login, OTP, grant registration, and forgotten password pages.

Consent required

If enabled, users have to consent to client access.

For client-side clients that perform browser logins. As it is not possible to ensure that secrets can be kept safe with client-side clients, it is important to restrict access by configuring correct redirect URIs.

Display client on screen

This switch applies if Consent Required is Off.

  • Off

    The consent screen will contain only the consents corresponding to configured client scopes.

  • On

    There will be also one item on the consent screen about this client itself.

Client consent screen text

Applies if Consent required and Display client on screen are enabled. Contains the text that will be on the consent screen about permissions for this client.

Logout settings
Front channel logout

If Front Channel Logout is enabled, the application requires a browser redirect to perform a logout. For example, the application may require a cookie to be reset which could only be done via a redirect. If Front Channel Logout is disabled, Keycloak invokes a background SAML request to log out of the application.

Keys tab

Encrypt Assertions

Encrypts the assertions in SAML documents with the realms private key. The AES algorithm uses a key size of 128 bits.

Client Signature Required

If Client Signature Required is enabled, documents coming from a client are expected to be signed. Keycloak will validate this signature using the client public key or cert set up in the Keys tab.

Allow ECP Flow

If true, this application is allowed to use SAML ECP profile for authentication.

Advanced tab

This tab has many fields for specific situations. Some fields are covered in other topics. For details on other fields, click the question mark icon.

Fine Grain SAML Endpoint Configuration
Logo URL

URL that references a logo for the Client application.

Policy URL

URL that the Relying Party Client provides to the End-User to read about how the profile data will be used.

Terms of Service URL

URL that the Relying Party Client provides to the End-User to read about the Relying Party’s terms of service.

Assertion Consumer Service POST Binding URL

POST Binding URL for the Assertion Consumer Service.

Assertion Consumer Service Redirect Binding URL

Redirect Binding URL for the Assertion Consumer Service.

Logout Service POST Binding URL

POST Binding URL for the Logout Service.

Logout Service Redirect Binding URL

Redirect Binding URL for the Logout Service.

Logout Service Artifact Binding URL

Artifact Binding URL for the Logout Service. When set together with the Force Artifact Binding option, Artifact binding is forced for both login and logout flows. Artifact binding is not used for logout unless this property is set.

Logout Service SOAP Binding URL

Redirect Binding URL for the Logout Service. Only applicable if back channel logout is used.

Artifact Binding URL

URL to send the HTTP artifact messages to.

Artifact Resolution Service

URL of the client SOAP endpoint where to send the ArtifactResolve messages to.

IDP Initiated login

IDP Initiated Login is a feature that allows you to set up an endpoint on the Keycloak server that will log you into a specific application/client. In the Settings tab for your client, you need to specify the IDP Initiated SSO URL Name. This is a simple string with no whitespace in it. After this you can reference your client at the following URL: root/realms/{realm}/protocol/saml/clients/{url-name}

The IDP initiated login implementation prefers POST over REDIRECT binding (check saml bindings for more information). Therefore the final binding and SP URL are selected in the following way:

  1. If the specific Assertion Consumer Service POST Binding URL is defined (inside Fine Grain SAML Endpoint Configuration section of the client settings) POST binding is used through that URL.

  2. If the general Master SAML Processing URL is specified then POST binding is used again throughout this general URL.

  3. As the last resort, if the Assertion Consumer Service Redirect Binding URL is configured (inside Fine Grain SAML Endpoint Configuration) REDIRECT binding is used with this URL.

If your client requires a special relay state, you can also configure this on the Settings tab in the IDP Initiated SSO Relay State field. Alternatively, browsers can specify the relay state in a RelayState query parameter, i.e. root/realms/{realm}/protocol/saml/clients/{url-name}?RelayState=thestate.

When using identity brokering, it is possible to set up an IDP Initiated Login for a client from an external IDP. The actual client is set up for IDP Initiated Login at broker IDP as described above. The external IDP has to set up the client for application IDP Initiated Login that will point to a special URL pointing to the broker and representing IDP Initiated Login endpoint for a selected client at the brokering IDP. This means that in client settings at the external IDP:

  • IDP Initiated SSO URL Name is set to a name that will be published as IDP Initiated Login initial point,

  • Assertion Consumer Service POST Binding URL in the Fine Grain SAML Endpoint Configuration section has to be set to the following URL: broker-root/realms/{broker-realm}/broker/{idp-name}/endpoint/clients/{client-id}, where:

    • broker-root is base broker URL

    • broker-realm is name of the realm at broker where external IDP is declared

    • idp-name is name of the external IDP at broker

    • client-id is the value of IDP Initiated SSO URL Name attribute of the SAML client defined at broker. It is this client, which will be made available for IDP Initiated Login from the external IDP.

Please note that you can import basic client settings from the brokering IDP into client settings of the external IDP - just use SP Descriptor available from the settings of the identity provider in the brokering IDP, and add clients/client-id to the endpoint URL.

Using an entity descriptor to create a client

Instead of registering a SAML 2.0 client manually, you can import the client using a standard SAML Entity Descriptor XML file.

The Client page includes an Import client option.

Add client

Import SAML client

Procedure
  1. Click Browse.

  2. Load the file that contains the XML entity descriptor information.

  3. Review the information to ensure everything is set up correctly.

Some SAML client adapters, such as mod-auth-mellon, need the XML Entity Descriptor for the IDP. You can find this descriptor by going to this URL:

root/realms/{realm}/protocol/saml/descriptor

where realm is the realm of your client.

To link from one client to another, Keycloak provides a redirect endpoint: /realms/realm_name/clients/{client-id}/redirect.

If a client accesses this endpoint using a HTTP GET request, Keycloak returns the configured base URL for the provided Client and Realm in the form of an HTTP 307 (Temporary Redirect) in the response’s Location header. As a result of this, a client needs only to know the Realm name and the Client ID to link to them. This indirection avoids hard-coding client base URLs.

As an example, given the realm master and the client-id account:

http://host:port/realms/master/clients/account/redirect

This URL temporarily redirects to: http://host:port/realms/master/account

OIDC token and SAML assertion mappings

Applications receiving ID tokens, access tokens, or SAML assertions may require different roles and user metadata.

You can use Keycloak to:

  • Hardcode roles, claims and custom attributes.

  • Pull user metadata into a token or assertion.

  • Rename roles.

You perform these actions in the Mappers tab in the Admin Console.

Mappers tab

mappers oidc

New clients do not have built-in mappers, but they can inherit some mappers from client scopes. See the client scopes section for more details.

Protocol mappers map items (such as an email address, for example) to a specific claim in the identity and access token. The function of a mapper should be self-explanatory from its name. You add pre-configured mappers by clicking Add Builtin.

Each mapper has a set of common settings. Additional settings are available, depending on the mapper type. Click Edit next to a mapper to access the configuration screen to adjust these settings.

Mapper config

mapper config

Details on each option can be viewed by hovering over its tooltip.

You can use most OIDC mappers to control where the claim gets placed. You opt to include or exclude the claim from the id and access tokens by adjusting the Add to ID token and Add to access token switches.

You can add mapper types as follows:

Procedure
  1. Go to the Mappers tab.

  2. Click Configure a new mapper.

    Add mapper

    add mapper

  3. Select a Mapper Type from the list box.

Priority order

Mapper implementations have priority order. Priority order is not the configuration property of the mapper. It is the property of the concrete implementation of the mapper.

Mappers are sorted by the order in the list of mappers. The changes in the token or assertion are applied in that order with the lowest applying first. Therefore, the implementations that are dependent on other implementations are processed in the necessary order.

For example, to compute the roles which will be included with a token:

  1. Resolve audiences based on those roles.

  2. Process a JavaScript script that uses the roles and audiences already available in the token.

OIDC user session note mappers

User session details are defined using mappers and are automatically included when you use or enable a feature on a client. Click Add builtin to include session details.

Impersonated user sessions provide the following details:

  • IMPERSONATOR_ID: The ID of an impersonating user.

  • IMPERSONATOR_USERNAME: The username of an impersonating user.

Service account sessions provide the following details:

  • clientId: The client ID of the service account.

  • client_id: The client ID of the service account.

  • clientAddress: The remote host IP of the service account’s authenticated device.

  • clientHost: The remote host name of the service account’s authenticated device.

Script mapper

Use the Script Mapper to map claims to tokens by running user-defined JavaScript code. For more details about deploying scripts to the server, see JavaScript Providers.

When scripts deploy, you should be able to select the deployed scripts from the list of available mappers.

Pairwise subject identifier mapper

Subject claim sub is mapped by default by Subject (sub) protocol mapper in the default client scope basic.

To use a pairwise subject identifier by using a protocol mapper such as Pairwise subject identifier, you can remove the Subject (sub) protocol mapper from the basic client scope. However it is not strictly needed as the Subject (sub) protocol mapper is executed before the Pairwise subject identifier mapper and hence the pairwise value will override the value added by the Subject mapper. This is due to the priority of the Subject mapper. So the only advantage of removing the built-in Subject (sub) mapper might be to save a little bit of performance by avoiding the use of the protocol mapper, which may not have any effect.

Using lightweight access token

The access token in Keycloak contains sensitive information, including Personal Identifiable Information (PII). Therefore, if the resource server does not want to disclose this type of information to third party entities such as clients, Keycloak supports lightweight access tokens that remove PII from access tokens. Further, when the resource server acquires the PII removed from the access token, it can acquire the PII by sending the access token to Keycloak’s token introspection endpoint.

Information that cannot be removed from a lightweight access token

Protocol mappers can controls which information is put onto an access token and the lightweight access token use the protocol mappers. Therefore, the following information cannot be removed from the lightweight access.
exp, iat, jti, iss, typ, azp, sid, scope, cnf

Using a lightweight access token in Keycloak

By applying use-lightweight-access-token executor of client policies to a client, the client can receive a lightweight access token instead of an access token. The lightweight access token contains a claim controlled by a protocol mapper where its setting Add to lightweight access token(default OFF) is turned ON. Also, by turning ON its setting Add to token introspection of the protocol mapper, the client can obtain the claim by sending the access token to Keycloak’s token introspection endpoint.

Introspection endpoint

In some cases, it might be useful to trigger the token introspection endpoint with the HTTP header Accept: application/jwt instead of Accept: application/json, which can be useful especially for lightweight access tokens. See the details of Token Introspection endpoint in the securing apps section.

Generating client adapter config

Keycloak can generate configuration files that you can use to install a client adapter in your application’s deployment environment. A number of adapter types are supported for OIDC and SAML.

  1. Click on the Action menu and select the Download adapter config option

    client installation

  2. Select the Format Option you want configuration generated for.

All Keycloak client adapters for OIDC and SAML are supported. The mod-auth-mellon Apache HTTPD adapter for SAML is supported as well as standard SAML entity descriptor files.

Client scopes

Use Keycloak to define a shared client configuration in an entity called a client scope. A client scope configures protocol mappers and role scope mappings for multiple clients.

Client scopes also support the OAuth 2 scope parameter. Client applications use this parameter to request claims or roles in the access token, depending on the requirement of the application.

To create a client scope, follow these steps:

  1. Click Client Scopes in the menu.

    Client scopes list

    client scopes list

  2. Click Create.

  3. Name your client scope.

  4. Click Save.

A client scope has similar tabs to regular clients. You can define protocol mappers and role scope mappings. These mappings can be inherited by other clients and are configured to inherit from this client scope.

Protocol

When you create a client scope, choose the Protocol. Clients linked in the same scope must have the same protocol.

Each realm has a set of pre-defined built-in client scopes in the menu.

  • SAML protocol: The role_list. This scope contains one protocol mapper for the roles list in the SAML assertion.

  • OpenID Connect protocol: Several client scopes are available:

    • roles

      This scope is not defined in the OpenID Connect specification and is not added automatically to the scope claim in the access token. This scope has mappers, which are used to add the roles of the user to the access token and add audiences for clients that have at least one client role. These mappers are described in more detail in the Audience section.

    • web-origins

      This scope is also not defined in the OpenID Connect specification and not added to the scope claiming the access token. This scope is used to add allowed web origins to the access token allowed-origins claim.

    • microprofile-jwt

      This scope handles claims defined in the MicroProfile/JWT Auth Specification. This scope defines a user property mapper for the upn claim and a realm role mapper for the groups claim. These mappers can be changed so different properties can be used to create the MicroProfile/JWT specific claims.

    • offline_access

      This scope is used in cases when clients need to obtain offline tokens. More details on offline tokens is available in the Offline Access section and in the OpenID Connect specification.

    • profile

    • email

    • address

    • phone

The client scopes profile, email, address and phone are defined in the OpenID Connect specification. These scopes do not have any role scope mappings defined but they do have protocol mappers defined. These mappers correspond to the claims defined in the OpenID Connect specification.

For example, when you open the phone client scope and open the Mappers tab, you will see the protocol mappers which correspond to the claims defined in the specification for the scope phone.

Client scope mappers

client scopes phone

When the phone client scope is linked to a client, the client automatically inherits all the protocol mappers defined in the phone client scope. Access tokens issued for this client contain the phone number information about the user, assuming that the user has a defined phone number.

Built-in client scopes contain the protocol mappers as defined in the specification. You are free to edit client scopes and create, update, or remove any protocol mappers or role scope mappings.

Client scopes contain options related to the consent screen. Those options are useful if the linked client if Consent Required is enabled on the client.

Display On Consent Screen

If Display On Consent Screen is enabled, and the scope is added to a client that requires consent, the text specified in Consent Screen Text will be displayed on the consent screen. This text is shown when the user is authenticated and before the user is redirected from Keycloak to the client. If Display On Consent Screen is disabled, this client scope will not be displayed on the consent screen.

Consent Screen Text

The text displayed on the consent screen when this client scope is added to a client when consent required defaults to the name of client scope. The value for this text can be customised by specifying a substitution variable with ${var-name} strings. The customised value is configured within the property files in your theme. See the Server Developer Guide for more information on customisation.

Link client scope with the client

Linking between a client scope and a client is configured in the Client Scopes tab of the client. Two ways of linking between client scope and client are available.

Default Client Scopes

This setting is applicable to the OpenID Connect and SAML clients. Default client scopes are applied when issuing OpenID Connect tokens or SAML assertions for a client. The client will inherit Protocol Mappers and Role Scope Mappings that are defined on the client scope. For the OpenID Connect Protocol, the Mappers and Role Scope Mappings are always applied, regardless of the value used for the scope parameter in the OpenID Connect authorization request.

Optional Client Scopes

This setting is applicable only for OpenID Connect clients. Optional client scopes are applied when issuing tokens for this client but only when requested by the scope parameter in the OpenID Connect authorization request.

Example

For this example, assume the client has profile and email linked as default client scopes, and phone and address linked as optional client scopes. The client uses the value of the scope parameter when sending a request to the OpenID Connect authorization endpoint.

scope=openid phone

The scope parameter contains the string, with the scope values divided by spaces. The value openid is the meta-value used for all OpenID Connect requests. The token will contain mappers and role scope mappings from the default client scopes profile and email as well as phone, an optional client scope requested by the scope parameter.

Evaluating Client Scopes

The Mappers tab contains the protocol mappers and the Scope tab contains the role scope mappings declared for this client. They do not contain the mappers and scope mappings inherited from client scopes. It is possible to see the effective protocol mappers (that is the protocol mappers defined on the client itself as well as inherited from the linked client scopes) and the effective role scope mappings used when generating a token for a client.

Procedure
  1. Click the Client Scopes tab for the client.

  2. Open the sub-tab Evaluate.

  3. Select the optional client scopes that you want to apply.

This will also show you the value of the scope parameter. This parameter needs to be sent from the application to the Keycloak OpenID Connect authorization endpoint.

Evaluating client scopes

client scopes evaluate

To send a custom value for a scope parameter from your application, see the Keycloak JavaScript adapter in the securing apps section, for javascript adapters.

All examples are generated for the particular user and issued for the particular client, with the specified value of the scope parameter. The examples include all of the claims and role mappings used.

Client scopes permissions

When issuing tokens to a user, the client scope applies only if the user is permitted to use it.

When a client scope does not have any role scope mappings defined, each user is permitted to use this client scope. However, when a client scope has role scope mappings defined, the user must be a member of at least one of the roles. There must be an intersection between the user roles and the roles of the client scope. Composite roles are factored into evaluating this intersection.

If a user is not permitted to use the client scope, no protocol mappers or role scope mappings will be used when generating tokens. The client scope will not appear in the scope value in the token.

Realm default client scopes

Use Realm Default Client Scopes to define sets of client scopes that are automatically linked to newly created clients.

Procedure
  1. Click the Client Scopes tab for the client.

From here, select the client scopes that you want to add as Default Client Scopes to newly created clients and Optional Client Scopes.

Default client scopes

client scopes default

When a client is created, you can unlink the default client scopes, if needed. This is similar to removing Default Roles.

Scopes explained

Client scope

Client scopes are entities in Keycloak that are configured at the realm level and can be linked to clients. Client scopes are referenced by their name when a request is sent to the Keycloak authorization endpoint with a corresponding value of the scope parameter. See the client scopes linking section for more details.

Role scope mapping

This is available under the Scope tab of a client or client scope. Use Role scope mapping to limit the roles that can be used in the access tokens. See the Role Scope Mappings section for more details.

Authorization scopes

The Authorization Scope covers the actions that can be performed in the application. See the Authorization Services Guide for more details.

Client Policies

To make it easy to secure client applications, it is beneficial to realize the following points in a unified way.

  • Setting policies on what configuration a client can have

  • Validation of client configurations

  • Conformance to a required security standards and profiles such as Financial-grade API (FAPI) and OAuth 2.1

To realize these points in a unified way, Client Policies concept is introduced.

Use-cases

Client Policies realize the following points mentioned as follows.

Setting policies on what configuration a client can have

Configuration settings on the client can be enforced by client policies during client creation/update, but also during OpenID Connect requests to Keycloak server, which are related to particular client. Keycloak supports similar thing also through the Client Registration Policies described in the Client registration service from Securing applications Guides. However, Client Registration Policies can only cover OIDC Dynamic Client Registration. Client Policies cover not only what Client Registration Policies can do, but other client registration and configuration ways. The current plans are for Client Registration to be replaced by Client Policies.

Validation of client configurations

Keycloak supports validation whether the client follows settings like Proof Key for Code Exchange, Request Object Signing Algorithm, Holder-of-Key Token, and so on some endpoints like Authorization Endpoint, Token Endpoint, and so on. These can be specified by each setting item (on Admin Console, switch, pull-down menu and so on). To make the client application secure, the administrator needs to set many settings in the appropriate way, which makes it difficult for the administrator to secure the client application. Client Policies can do these validation of client configurations mentioned just above and they can also be used to autoconfigure some client configuration switches to meet the advanced security requirements. In the future, individual client configuration settings may be replaced by Client Policies directly performing required validations.

Conformance to a required security standards and profiles such as FAPI and OAuth 2.1

The Global client profiles are client profiles pre-configured in Keycloak by default. They are pre-configured to be compliant with standard security profiles like FAPI and OAuth 2.1 in the securing apps section, which makes it easy for the administrator to secure their client application to be compliant with the particular security profile. At this moment, Keycloak has global profiles for the support of FAPI and OAuth 2.1 specifications. The administrator will just need to configure the client policies to specify which clients should be compliant with the FAPI and OAuth 2.1. The administrator can configure client profiles and client policies, so that Keycloak clients can be easily made compliant with various other security profiles like SPA, Native App, Open Banking and so on.

Protocol

The client policy concept is independent of any specific protocol. Keycloak currently supports especially client profiles for the OpenID Connect (OIDC) protocol, but there is also a client profile available for the SAML protocol.

Architecture

Client Policies consists of the four building blocks: Condition, Executor, Profile and Policy.

Condition

A condition determines to which client a policy is adopted and when it is adopted. Some conditions are checked at the time of client create/update when some other conditions are checked during client requests (OIDC Authorization request, Token endpoint request and so on). The condition checks whether one specified criteria is satisfied. For example, some condition checks whether the access type of the client is confidential.

The condition can not be used solely by itself. It can be used in a policy that is described afterwards.

A condition can be configurable the same as other configurable providers. What can be configured depends on each condition’s nature.

The following conditions are provided:

The way of creating/updating a client
  • Dynamic Client Registration (Anonymous or Authenticated with Initial access token or Registration access token)

  • Admin REST API (Admin Console and so on)

So for example when creating a client, a condition can be configured to evaluate to true when this client is created by OIDC Dynamic Client Registration without initial access token (Anonymous Dynamic Client Registration). So this condition can be used for example to ensure that all clients registered through OIDC Dynamic Client Registration are FAPI or OAuth 2.1 compliant.

Author of a client (Checked by presence to the particular role or group)

On OpenID Connect dynamic client registration, an author of a client is the end user who was authenticated to get an access token for generating a new client, not Service Account of the existing client that actually accesses the registration endpoint with the access token. On registration by Admin REST API, an author of a client is the end user like the administrator of the Keycloak.

Client Access Type (confidential, public, bearer-only)

For example when a client sends an authorization request, a policy is adopted if this client is confidential. Confidential client has enabled client authentication when public client has disabled client authentication. Bearer-only is a deprecated client type.

Client Scope

Evaluates to true if the client has a particular client scope (either as default or as an optional scope used in current request). This can be used for example to ensure that OIDC authorization requests with scope fapi-example-scope need to be FAPI compliant.

Client Role

Applies for clients with the client role of the specified name. Typically you can create a client role of specified name to requested clients and use it as a "marker role" to make sure that specified client policy will be applied for requested clients.

A use-case often exists for requiring the application of a particular client policy for the specified clients such as my-client-1 and my-client-2. The best way to achieve this result is to use a Client Role condition in your policy and then a create client role of specified name to requested clients. This client role can be used as a "marker role" used solely for marking that particular client policy for particular clients.
Client Domain Name, Host or IP Address

Applied for specific domain names of client. Or for the cases when the administrator registers/updates client from particular Host or IP Address.

Client Attribute

Applies to clients with the client attribute of the specified name and value. If you specify multiple client attributes, they will be evaluated using AND conditions. If you want to evaluate using OR conditions, set this condition multiple times.

Any Client

This condition always evaluates to true. It can be used for example to ensure that all clients in the particular realm are FAPI compliant.

Executor

An executor specifies what action is executed on a client to which a policy is adopted. The executor executes one or several specified actions. For example, some executor checks whether the value of the parameter redirect_uri in the authorization request matches exactly with one of the pre-registered redirect URIs on Authorization Endpoint and rejects this request if not.

The executor can not be used solely by itself. It can be used in a profile that is described afterwards.

An executor can be configurable the same as other configurable providers. What can be configured depends on the nature of each executor.

An executor acts on various events. An executor implementation can ignore certain types of events (For example, executor for checking OIDC request object acts just on the OIDC authorization request). Events are:

  • Creating a client (including creation through dynamic client registration)

  • Updating a client

  • Sending an authorization request

  • Sending a token request

  • Sending a token refresh request

  • Sending a token revocation request

  • Sending a token introspection request

  • Sending a userinfo request

  • Sending a logout request with a refresh token (note that logout with refresh token is proprietary Keycloak functionality unsupported by any specification. It is rather recommended to rely on the official OIDC logout).

On each event, an executor can work in multiple phases. For example, on creating/updating a client, the executor can modify the client configuration by autoconfigure specific client settings. After that, the executor validates this configuration in validation phase.

One of several purposes for this executor is to realize the security requirements of client conformance profiles like FAPI and OAuth 2.1. To do so, the following executors are needed:

  • Enforce secure Client Authentication method is used for the client

  • Enforce Holder-of-key tokens are used

  • Enforce Proof Key for Code Exchange (PKCE) is used

  • Enforce secure signature algorithm for Signed JWT client authentication (private-key-jwt) is used

  • Enforce HTTPS redirect URI and make sure that configured redirect URI does not contain wildcards

  • Enforce OIDC request object satisfying high security level

  • Enforce Response Type of OIDC Hybrid Flow including ID Token used as detached signature as described in the FAPI 1 specification, which means that ID Token returned from Authorization response won’t contain user profile data

  • Enforce more secure state and nonce parameters treatment for preventing CSRF

  • Enforce more secure signature algorithm when client registration

  • Enforce binding_message parameter is used for CIBA requests

  • Enforce Client Secret Rotation

  • Enforce Client Registration Access Token

  • Enforce checking if a client is the one to which an intent was issued in a use case where an intent is issued before starting an authorization code flow to get an access token like UK OpenBanking

  • Enforce prohibiting implicit and hybrid flow

  • Enforce checking if a PAR request includes necessary parameters included by an authorization request

  • Enforce DPoP-binding tokens is used (available when dpop feature is enabled)

  • Enforce using lightweight access token

  • Enforce that refresh token rotation is skipped and there is no refresh token returned from the refresh token response

  • Enforce a valid redirect URI that the OAuth 2.1 specification requires

  • Enforce SAML Redirect binding cannot be used or SAML requests and assertions are signed

Profile

A profile consists of several executors, which can realize a security profile like FAPI and OAuth 2.1. Profile can be configured by the Admin REST API (Admin Console) together with its executors. Three global profiles exist and they are configured in Keycloak by default with pre-configured executors compliant with the FAPI 1 Baseline, FAPI 1 Advanced, FAPI CIBA, FAPI 2 and OAuth 2.1 specifications. More details exist in the FAPI and OAuth 2.1 in the securing apps section.

Policy

A policy consists of several conditions and profiles. The policy can be adopted to clients satisfying all conditions of this policy. The policy refers several profiles and all executors of these profiles execute their task against the client that this policy is adopted to.

Configuration

Policies, profiles, conditions, executors can be configured by Admin REST API, which means also the Admin Console. To do so, there is a tab RealmRealm SettingsClient Policies , which means the administrator can have client policies per realm.

The Global Client Profiles are automatically available in each realm. However there are no client policies configured by default. This means that the administrator is always required to create any client policy if they want for example the clients of his realm to be FAPI compliant. Global profiles cannot be updated, but the administrator can easily use them as a template and create their own profile if they want to do some slight changes in the global profile configurations. There is JSON Editor available in the Admin Console, which simplifies the creation of new profile based on some global profile.

Backward Compatibility

Client Policies can replace Client Registration Policies described in the Client registration service from Securing applications Guides. However, Client Registration Policies also still co-exist. This means that for example during a Dynamic Client Registration request to create/update a client, both client policies and client registration policies are applied.

The current plans are for the Client Registration Policies feature to be removed and the existing client registration policies will be migrated into new client policies automatically.

Client Secret Rotation Example

See an example configuration for client secret rotation.

Using a vault to obtain secrets

Keycloak currently provides two out-of-the-box implementations of the Vault SPI: a plain-text file-based vault and Java KeyStore-based vault.

To obtain a secret from a vault rather than entering it directly, enter the following specially crafted string into the appropriate field:

${vault.key}

where the key is the name of the secret recognized by the vault.

To prevent secrets from leaking across realms, Keycloak combines the realm name with the key obtained from the vault expression. This method means that the key does not directly map to an entry in the vault but creates the final entry name according to the algorithm used to combine the key with the realm name. In case of the file-based vault, such combination reflects to a specific filename, for the Java KeyStore-based vault it’s a specific alias name.

You can obtain the secret from the vault in the following fields:

SMTP password

In the realm SMTP settings

LDAP bind credential

In the LDAP settings of LDAP-based user federation.

OIDC identity provider secret

In the Client Secret inside identity provider OpenID Connect Config

Key resolvers

All built-in providers support the configuration of key resolvers. A key resolver implements the algorithm or strategy for combining the realm name with the key, obtained from the ${vault.key} expression, into the final entry name used to retrieve the secret from the vault. Keycloak uses the keyResolvers property to configure the resolvers that the provider uses. The value is a comma-separated list of resolver names. An example of the configuration for the files-plaintext provider follows:

kc.[sh|bat] start --spi-vault-file-key-resolvers=REALM_UNDERSCORE_KEY,KEY_ONLY

The resolvers run in the same order you declare them in the configuration. For each resolver, Keycloak uses the last entry name the resolver produces, which combines the realm with the vault key to search for the vault’s secret. If Keycloak finds a secret, it returns the secret. If not, Keycloak uses the next resolver. This search continues until Keycloak finds a non-empty secret or runs out of resolvers. If Keycloak finds no secret, Keycloak returns an empty secret.

In the previous example, Keycloak uses the REALM_UNDERSCORE_KEY resolver first. If Keycloak finds an entry in the vault that using that resolver, Keycloak returns that entry. If not, Keycloak searches again using the KEY_ONLY resolver. If Keycloak finds an entry by using the KEY_ONLY resolver, Keycloak returns that entry. If Keycloak uses all resolvers, Keycloak returns an empty secret.

A list of the currently available resolvers follows:

Name Description

KEY_ONLY

Keycloak ignores the realm name and uses the key from the vault expression. Keycloak escapes occurrences of underscores in the key with another underscore character. For example, if the key is called my_secret, Keycloak searches for an entry in the vault named my__secret. This is to prevent conflicts with the default REALM_UNDERSCORE_KEY resolver.

REALM_UNDERSCORE_KEY

Keycloak combines the realm and key by using an underscore character. Keycloak escapes occurrences of underscores in the realm or key with another underscore character. For example, if the realm is called master_realm and the key is smtp_key, the combined key is master__realm_smtp__key.

REALM_FILESEPARATOR_KEY

Keycloak combines the realm and key by using the platform file separator character. The vault expression prohibits the use of characters that could cause path traversal, thus preventing access to secrets outside the corresponding realm.

FACTORY_PROVIDED

Keycloak combines the realm and key by using the vault provider factory’s VaultKeyResolver, allowing the creation of a custom key resolver by extending an existing factory and implementing the getFactoryResolver method.

If you have not configured a resolver for the built-in providers, Keycloak selects the REALM_UNDERSCORE_KEY.

Configuring auditing to track events

Keycloak includes a suite of auditing capabilities. You can record every login and administrator action and review those actions in the Admin Console. Keycloak also includes a Listener SPI that listens for events and can trigger actions. Examples of built-in listeners include log files and sending emails if an event occurs.

Auditing user events

You can record and view every event that affects users. Keycloak triggers login events for actions such as successful user login, a user entering an incorrect password, or a user account updating. By default, Keycloak does not store or display events in the Admin Console. Only the error events are logged to the Admin Console and the server’s log file.

Procedure

Use this procedure to start auditing user events.

  1. Click Realm settings in the menu.

  2. Click the Events tab.

  3. Click the User events settings tab.

  4. Toggle Save events to ON.

    User events settings

    User events settings

  5. Specify the length of time to store events in the Expiration field.

  6. Click Add saved types to see other events you can save.

    Add types

    Add types

  7. Click Add.

Click Clear user events when you want to delete all saved events.

Procedure

You can now view events.

  1. Click the Events tab in the menu.

    User events

    Login Events

  2. To filter events, click Search user event.

    Search user event

    Search user event

Event types

Login events:

Event Description

Login

A user logs in.

Register

A user registers.

Logout

A user logs out.

Code to Token

An application, or client, exchanges a code for a token.

Refresh Token

An application, or client, refreshes a token.

Brute force protection:

Event Description

User disabled by permanent lockout

Brute force protection disabled the user account permanently due to too many login failures.

User disabled by temporary lockout

Brute force protection disabled the user account temporarily due to too many login failures.

Identity Brokering:

Event Description

Federated identity link override

An existing Federated identity link was overridden

Federated identity link override error

Error occurred when trying to override an existing Federated identity link

OAuth:

Event Description

OAuth2 extension grant

OAuth2 grant was executed

OAuth2 extension grant error

Error occurred during OAuth2 grant execution

Account events:

Event Description

Social Link

A user account links to a social media provider.

Remove Social Link

The link from a social media account to a user account severs.

Update Email

An email address for an account changes.

Update Profile

A profile for an account changes.

Send Password Reset

Keycloak sends a password reset email.

Update Password (deprecated)

The password for an account changes.

Update Credential

The password or (time-based) one-time Password (OTP/TOTP) settings for an account changes.

Update TOTP (deprecated)

The Time-based One-time Password (TOTP) settings for an account changes.

Remove TOTP (deprecated)

Keycloak removes TOTP from an account.

Remove Credential

Keycloak removes a credential from an account.

Send Verify Email

Keycloak sends an email verification email.

Verify Email

Keycloak verifies the email address for an account.

Each event has a corresponding error event.

Event listener

Event listeners listen for events and perform actions based on that event. Keycloak includes two built-in listeners, the Logging Event Listener and Email Event Listener.

The logging event listener

When the Logging Event Listener is enabled, this listener writes to a log file when an error event occurs.

An example log message from a Logging Event Listener:

11:36:09,965 WARN  [org.keycloak.events] (default task-51) type=LOGIN_ERROR, realmId=master,
                    clientId=myapp,
                    userId=19aeb848-96fc-44f6-b0a3-59a17570d374, ipAddress=127.0.0.1,
                    error=invalid_user_credentials, auth_method=openid-connect, auth_type=code,
                    redirect_uri=http://localhost:8180/myapp,
                    code_id=b669da14-cdbb-41d0-b055-0810a0334607, username=admin

You can use the Logging Event Listener to protect against hacker bot attacks:

  1. Parse the log file for the LOGIN_ERROR event.

  2. Extract the IP Address of the failed login event.

  3. Send the IP address to an intrusion prevention software framework tool.

The Logging Event Listener logs events to the org.keycloak.events log category. Keycloak does not include debug log events in server logs, by default.

To include debug log events in server logs:

  1. Change the log level for the org.keycloak.events category

  2. Change the log level used by the Logging Event listener.

To change the log level used by the Logging Event listener, add the following:

bin/kc.[sh|bat] start --spi-events-listener-jboss-logging-success-level=info --spi-events-listener-jboss-logging-error-level=error

The valid values for log levels are debug, info, warn, error, and fatal.

The Email Event Listener

The Email Event Listener sends a message to the user’s email address when an event occurs and supports the following events:

  • Login Error.

  • Update Password.

  • Update Time-based One-time Password (TOTP).

  • Remove One-time Password (OTP).

  • Update Credential.

  • Remove Credential.

The following conditions need to be met for an email to be sent:

  • User has an email address.

  • User’s email address is marked as verified.

Prerequisites
  • Realm’s email settings configured.

Procedure

To enable the Email Listener:

  1. Click Realm settings in the menu.

  2. Click the Events tab.

  3. Click the Event listeners field.

  4. Select email.

    Event listeners

    Event listeners

You can exclude events by using the --spi-events-listener-email-exclude-events argument. For example:

kc.[sh|bat] --spi-events-listener-email-exclude-events=UPDATE_CREDENTIAL,REMOVE_CREDENTIAL

Auditing admin events

You can record all actions that are performed by an administrator in the Admin Console. The Admin Console performs administrative actions by invoking the Keycloak REST interface and Keycloak audits these REST invocations. You can view the resulting events in the Admin Console.

Procedure

Use this procedure to start auditing admin actions.

  1. Click Realm settings in the menu.

  2. Click the Events tab.

  3. Click the Admin events settings tab.

  4. Toggle Save events to ON.

    Keycloak displays the Include representation switch.

  5. Toggle Include representation to ON.

    The Include Representation switch includes JSON documents sent through the admin REST API so you can view the administrators actions.

    Admin events settings

    Admin events settings

  6. Click Save.

  7. To clear the database of stored actions, click Clear admin events.

Procedure

You can now view admin events.

  1. Click Events in the menu.

  2. Click the Admin events tab.

    Admin events

    Admin events

When the Include Representation switch is ON, it can lead to storing a lot of information in the database. You can set a maximum length of the representation by using the --spi-events-store-jpa-max-field-length argument. This setting is useful if you want to adhere to the underlying storage limitation. For example:

kc.[sh|bat] --spi-events-store-jpa-max-field-length=2500

Mitigating security threats

Security vulnerabilities exist in any authentication server. See the Internet Engineering Task Force’s (IETF) OAuth 2.0 Threat Model and the OAuth 2.0 Security Best Current Practice for more information.

Host

Keycloak uses the public hostname in several ways, such as within token issuer fields and URLs in password reset emails.

By default, the hostname derives from request headers. No validation exists to ensure a hostname is valid. If you are not using a load balancer, or proxy, with Keycloak to prevent invalid host headers, configure the acceptable hostnames.

The hostname’s Service Provider Interface (SPI) provides a way to configure the hostname for requests. You can use this built-in provider to set a fixed URL for frontend requests while allowing backend requests based on the request URI. If the built-in provider does not have the required capability, you can develop a customized provider.

Admin endpoints and Admin Console

Keycloak exposes the administrative REST API and the web console on the same port as non-administrative usage. Do not expose administrative endpoints externally if external access is not necessary.

Brute force attacks

A brute force attack attempts to guess a user’s password by trying to log in multiple times. Keycloak has brute force detection capabilities and can temporarily disable a user account if the number of login failures exceeds a specified threshold.

Keycloak disables brute force detection by default. Enable this feature to protect against brute force attacks.

Procedure

To enable this protection:

  1. Click Realm Settings in the menu

  2. Click the Security Defenses tab.

  3. Click the Brute Force Detection tab.

    Brute force detection

    brute force

Keycloak can deploy permanent lockout and temporary lockout actions when it detects an attack. Permanent lockout disables a user account until an administrator re-enables it. Temporary lockout disables a user account for a specific period of time. The time period that the account is disabled increases as the attack continues and subsequent failures reach multiples of Max Login Failures.

When a user is temporarily locked and attempts to log in, Keycloak displays the default Invalid username or password error message. This message is the same error message as the message displayed for an invalid username or invalid password to ensure the attacker is unaware the account is disabled.

Common Parameters

Name Description Default

Max Login Failures

The maximum number of login failures.

30 failures.

Quick Login Check Milliseconds

The minimum time between login attempts.

1000 milliseconds.

Minimum Quick Login Wait

The minimum time the user is disabled when login attempts are quicker than Quick Login Check Milliseconds.

1 minute.

Temporary Lockout Parameters

Name Description Default

Wait Increment

The time added to the time a user is temporarily disabled when the user’s login attempts exceed Max Login Failures.

1 minute.

Max Wait

The maximum time a user is temporarily disabled.

15 minutes.

Failure Reset Time

The time when the failure count resets. The timer runs from the last failed login. Make sure this number is always greater than Max wait; otherwise the effective wait time will never reach the value you have set to Max wait.

12 hours.

Temporary Lockout Algorithm

  1. On successful login

    1. Reset count

  2. On failed login

    1. If the time between this failure and the last failure is greater than Failure Reset Time

      1. Reset count

    2. Increment count

    3. Calculate wait according the brute force strategy defined (see below Strategies to set Wait Time).

    4. If wait equals is less than 0 and the time between this failure and the last failure is less than Quick Login Check Milliseconds, set wait to Minimum Quick Login Wait.

      1. Temporarily disable the user for the smallest of wait and Max Wait seconds

      2. Increment the temporary lockout counter

count does not increment when a temporarily disabled account commits a login failure.

Strategies to set Wait Time

Keycloak provides two strategies to calculate wait time: By multiples or Linear. By multiples is the first strategy introduced by Keycloak, so that is the default one.

By multiples strategy, wait time is incremented when the number (or count) of failures are multiples of Max Login Failure. For instance, if you set Max Login Failures to 5 and a Wait Increment to 30 seconds, the effective time that an account is disabled after several failed authentication attempts will be:

Number of Failures

Wait Increment

Max Login Failures

Effective Wait Time

1

30

5

0

2

30

5

0

3

30

5

0

4

30

5

0

5

30

5

30

6

30

5

30

7

30

5

30

8

30

5

30

9

30

5

30

10

30

5

60

At the fifth failed attempt of the Effective Wait Time, the account is disabled for 30 seconds. After reaching the next multiple of Max Login Failures, in this case 10, the time increases from 30 to 60 seconds.

The By multiple strategy uses the following formula to calculate wait time: Wait Increment * (count / Max Login Failures). The division is an integer division rounded down to a whole number.

For linear strategy, wait time is incremented when the number (or count) of failures equals or is greater than Max Login Failure. For instance, if you have set Max Login Failures to 5 and a Wait Increment to`30` seconds, the effective time that an account is disabled after several failed authentication attempts will be:

Number of Failures

Wait Increment

Max Login Failures

Effective Wait Time

1

30

5

0

2

30

5

0

3

30

5

0

4

30

5

0

5

30

5

30

6

30

5

60

7

30

5

90

8

30

5

120

9

30

5

150

10

30

5

180

At the fifth failed attempt for the Effective Wait Time, the account is disabled for 30 seconds. Each new failed attempt increases wait time.

The linear strategy uses the following formula to calculate wait time: Wait Increment * (1 + count - Max Login Failures).

Permanent Lockout Parameters

Name Description Default

Max temporary Lockouts

The maximum number of temporary lockouts permitted before permanent lockout occurs.

0

Permanent Lockout Flow

  1. Follow temporary lockout flow

  2. If temporary lockout counter exceeds Max temporary lockouts

    1. Permanently disable user

When Keycloak disables a user, the user cannot log in until an administrator enables the user. Enabling an account resets the count.

The downside of Keycloak brute force detection is that the server becomes vulnerable to denial of service attacks. When implementing a denial of service attack, an attacker can attempt to log in by guessing passwords for any accounts it knows and eventually causing Keycloak to disable the accounts.

Consider using intrusion prevention software (IPS). Keycloak logs every login failure and client IP address failure. You can point the IPS to the Keycloak server’s log file, and the IPS can modify firewalls to block connections from these IP addresses.

Password policies

Ensure you have a complex password policy to force users to choose complex passwords. See the Password Policies chapter for more information. Prevent password guessing by setting up the Keycloak server to use one-time-passwords.

Read-only user attributes

Typical users who are stored in Keycloak have various attributes related to their user profiles. Such attributes include email, firstName or lastName. However users may also have attributes, which are not typical profile data, but rather metadata. The metadata attributes usually should be read-only for the users and the typical users never should have a way to update those attributes from the Keycloak user interface or Account REST API. Some of the attributes should be even read-only for the administrators when creating or updating user with the Admin REST API.

The metadata attributes are usually attributes from those groups:

  • Various links or metadata related to the user storage providers. For example in case of the LDAP integration, the LDAP_ID attribute contains the ID of the user in the LDAP server.

  • Metadata provisioned by User Storage. For example createdTimestamp provisioned from the LDAP should be always read-only by user or administrator.

  • Metadata related to various authenticators. For example KERBEROS_PRINCIPAL attribute can contain the kerberos principal name of the particular user. Similarly attribute usercertificate can contain metadata related to binding the user with the data from the X.509 certificate, which is used typically when X.509 certificate authentication is enabled.

  • Metadata related to the identificator of users by the applications/clients. For example saml.persistent.name.id.for.my_app can contain SAML NameID, which will be used by the client application my_app as the identifier of the user.

  • Metadata related to the authorization policies, which are used for the attribute based access control (ABAC). Values of those attributes may be used for the authorization decisions. Hence it is important that those attributes cannot be updated by the users.

From the long term perspective, Keycloak will have a proper User Profile SPI, which will allow fine-grained configuration of every user attribute. Currently this capability is not fully available yet. So Keycloak has the internal list of user attributes, which are read-only for the users and read-only for the administrators configured at the server level.

This is the list of the read-only attributes, which are used internally by the Keycloak default providers and functionalities and hence are always read-only:

  • For users: KERBEROS_PRINCIPAL, LDAP_ID, LDAP_ENTRY_DN, CREATED_TIMESTAMP, createTimestamp, modifyTimestamp, userCertificate, saml.persistent.name.id.for.*, ENABLED, EMAIL_VERIFIED

  • For administrators: KERBEROS_PRINCIPAL, LDAP_ID, LDAP_ENTRY_DN, CREATED_TIMESTAMP, createTimestamp, modifyTimestamp

System administrators have a way to add additional attributes to this list. The configuration is currently available at the server level.

You can add this configuration by using the spi-user-profile-declarative-user-profile-read-only-attributes and `spi-user-profile-declarative-user-profile-admin-read-only-attributes options. For example:

kc.[sh|bat] start --spi-user-profile-declarative-user-profile-read-only-attributes=foo,bar*

For this example, users and administrators would not be able to update attribute foo. Users would not be able to edit any attributes starting with the bar. So for example bar or barrier. Configuration is case-insensitive, so attributes like FOO or BarRier will be denied as well for this example. The wildcard character * is supported only at the end of the attribute name, so the administrator can effectively deny all the attributes starting with the specified character. The * in the middle of the attribute is considered as a normal character.

Validate user attributes

With the functionality in Managing user attributes, administrators can restrict the data users enter for attributes, for example, in user registration or the account console.

Administrators should not allow unmanaged attributes for users to prevent attackers adding an unlimited number of attributes. Attributes should have a validation that restricts the amount of data entered by attackers.

When using regular expressions to validate user attributes, avoid regular expressions that use an excessive amount of memory or CPU. See OWASP’s Regular expression Denial of Service for details.

Clickjacking

Clickjacking is a technique of tricking users into clicking on a user interface element different from what users perceive. A malicious site loads the target site in a transparent iFrame, overlaid on top of a set of dummy buttons placed directly under important buttons on the target site. When a user clicks a visible button, they are clicking a button on the hidden page. An attacker can steal a user’s authentication credentials and access their resources by using this method.

By default, every response by Keycloak sets some specific HTTP headers that can prevent this from happening. Specifically, it sets X-Frame-Options and Content-Security-Policy. You should take a look at the definition of both of these headers as there is a lot of fine-grain browser access you can control.

Procedure

In the Admin Console, you can specify the values of the X-Frame-Options and Content-Security-Policy headers.

  1. Click the Realm Settings menu item.

  2. Click the Security Defenses tab.

    Security Defenses

    Security Defenses

By default, Keycloak only sets up a same-origin policy for iframes.

SSL/HTTPS requirement

OAuth 2.0/OpenID Connect uses access tokens for security. Attackers can scan your network for access tokens and use them to perform malicious operations for which the token has permission. This attack is known as a man-in-the-middle attack. Use SSL/HTTPS for communication between the Keycloak auth server and the clients Keycloak secures to prevent man-in-the-middle attacks.

Keycloak has three modes for SSL/HTTPS. SSL is complex to set up, so Keycloak allows non-HTTPS communication over private IP addresses such as localhost, 192.168.x.x, and other private IP addresses. In production, ensure you enable SSL and SSL is compulsory for all operations.

On the adapter/client-side, you can disable the SSL trust manager. The trust manager ensures the client’s identity that Keycloak communicates with is valid and ensures the DNS domain name against the server’s certificate. In production, ensure that each of your client adapters uses a truststore to prevent DNS man-in-the-middle attacks.

CSRF attacks

A Cross-site request forgery (CSRF) attack uses HTTP requests from users that websites have already authenticated. Any site using cookie-based authentication is vulnerable to CSRF attacks. You can mitigate these attacks by matching a state cookie against a posted form or query parameter.

The OAuth 2.0 login specification requires that a state cookie matches against a transmitted state parameter. Keycloak fully implements this part of the specification, so all logins are protected.

The Keycloak Admin Console is a JavaScript/HTML5 application that makes REST calls to the backend Keycloak admin REST API. These calls all require bearer token authentication and consist of JavaScript Ajax calls, so CSRF is impossible. You can configure the admin REST API to validate the CORS origins.

The Account Console in Keycloak can be vulnerable to CSRF. To prevent CSRF attacks, Keycloak sets a state cookie and embeds the value of this cookie in hidden form fields or query parameters within action links. Keycloak checks the query/form parameter against the state cookie to verify that the same user made the call.

Unspecific redirect URIs

Make your registered redirect URIs as specific as feasible. Registering vague redirect URIs for Authorization Code Flows can allow malicious clients to impersonate another client with broader access. Impersonation can happen if two clients live under the same domain, for example.

You can use secure redirect uris enforcer executor for your realm. The result makes sure that client administrators are able to register only clients with specific redirect-uris matching various requirements such as requiring that a URL cannot have wildcards in the context path or can be limited to specified permitted domains. See Client Policies for details about how to configure client policies with a specific executor.

FAPI compliance

To make sure that Keycloak server will validate your client to be more secure and FAPI compliant, you can configure client policies for the FAPI support. FAPI details are described in the securing apps section. Among other things, this ensures some security best practices described above like SSL required for clients, secure redirect URI used and more of similar best practices.

OAuth 2.1 compliance

To make sure that Keycloak server will validate your client to be more secure and OAuth 2.1 compliant, you can configure client policies for the OAuth 2.1 support. OAuth 2.1 details are described in the securing apps section.

Compromised access and refresh tokens

Keycloak includes several actions to prevent malicious actors from stealing access tokens and refresh tokens. The crucial action is to enforce SSL/HTTPS communication between Keycloak and its clients and applications. Keycloak does not enable SSL by default.

Another action to mitigate damage from leaked access tokens is to shorten the token’s lifespans. You can specify token lifespans within the timeouts page. Short lifespans for access tokens force clients and applications to refresh their access tokens after a short time. If an admin detects a leak, the admin can log out all user sessions to invalidate these refresh tokens or set up a revocation policy.

Ensure refresh tokens always stay private to the client and are never transmitted.

You can mitigate damage from leaked access tokens and refresh tokens by issuing these tokens as holder-of-key tokens. See OAuth 2.0 Mutual TLS Client Certificate Bound Access Token for more information.

If an access token or refresh token is compromised, access the Admin Console and push a not-before revocation policy to all applications. Pushing a not-before policy ensures that any tokens issued before that time become invalid. Pushing a new not-before policy ensures that applications must download new public keys from Keycloak and mitigate damage from a compromised realm signing key. See the keys chapter for more information.

You can disable specific applications, clients, or users if they are compromised.

Compromised authorization code

For the OIDC Auth Code Flow, Keycloak generates a cryptographically strong random value for its authorization codes. An authorization code is used only once to obtain an access token.

On the timeouts page in the Admin Console, you can specify the length of time an authorization code is valid. Ensure that the length of time is less than 10 seconds, which is long enough for a client to request a token from the code.

You can also defend against leaked authorization codes by applying Proof Key for Code Exchange (PKCE) to clients.

Open redirectors

An open redirector is an endpoint using a parameter to automatically redirect a user agent to the location specified by the parameter value without validation. An attacker can use the end-user authorization endpoint and the redirect URI parameter to use the authorization server as an open redirector, using a user’s trust in an authorization server to launch a phishing attack.

Keycloak requires that all registered applications and clients register at least one redirection URI pattern. When a client requests that Keycloak performs a redirect, Keycloak checks the redirect URI against the list of valid registered URI patterns. Clients and applications must register as specific a URI pattern as possible to mitigate open redirector attacks.

If an application requires a non http(s) custom scheme, it should be an explicit part of the validation pattern (for example custom:/app/*). For security reasons a general pattern like * does not cover non http(s) schemes.

By using Client Policies, an administrator can make sure that clients cannot register open redirect URLs such as *.

Password database compromised

Keycloak does not store passwords in raw text but as hashed text, using the PBKDF2-HMAC-SHA512 message digest algorithm. Keycloak performs 210,000 hashing iterations, the number of iterations recommended by the security community. This number of hashing iterations can adversely affect performance as PBKDF2 hashing uses a significant amount of CPU resources.

Limiting scope

By default, new client applications have unlimited role scope mappings. Every access token for that client contains all permissions that the user has. If an attacker compromises the client and obtains the client’s access tokens, each system that the user can access is compromised.

Limit the roles of an access token by using the Scope menu for each client. Alternatively, you can set role scope mappings at the Client Scope level and assign Client Scopes to your client by using the Client Scope menu.

Limit token audience

In environments with low levels of trust among services, limit the audiences on the token. See the OAuth2 Threat Model and the Audience Support section for more information.

Limit Authentication Sessions

Authentication sessions track the state of the authentication. The text below is applicable regardless of the source flow.

This section describes deployments that use the Infinispan provider for authentication sessions.

Authentication session is internally stored as RootAuthenticationSessionEntity. Each RootAuthenticationSessionEntity can have multiple authentication sub-sessions stored within the RootAuthenticationSessionEntity as a collection of AuthenticationSessionEntity objects. Keycloak stores authentication sessions in a dedicated Infinispan cache. The number of AuthenticationSessionEntity per RootAuthenticationSessionEntity contributes to the size of each cache entry. Total memory footprint of authentication session cache is determined by the number of stored RootAuthenticationSessionEntity and by the number of AuthenticationSessionEntity within each RootAuthenticationSessionEntity.

The number of maintained RootAuthenticationSessionEntity objects corresponds to the number of unfinished login flows from the browser. To keep the number of RootAuthenticationSessionEntity under control, using an advanced firewall control to limit ingress network traffic is recommended.

Higher memory usage may occur for deployments where there are many active RootAuthenticationSessionEntity with a lot of AuthenticationSessionEntity. If the load balancer does not support or is not configured for session stickiness, the load over network in a cluster can increase significantly. The reason for this load is that each request that lands on a node that does not own the appropriate authentication session needs to retrieve and update the authentication session record in the owner node which involves a separate network transmission for both the retrieval and the storage.

The maximum number of AuthenticationSessionEntity per RootAuthenticationSessionEntity can be configured in authenticationSessions SPI by setting property authSessionsLimit. The default value is set to 300 AuthenticationSessionEntity per a RootAuthenticationSessionEntity. When this limit is reached, the oldest authentication sub-session will be removed after a new authentication session request.

The following example shows how to limit the number of active AuthenticationSessionEntity per a RootAuthenticationSessionEntity to 100.

bin/kc.[sh|bat] start --spi-authentication-sessions-infinispan-auth-sessions-limit=100

The equivalent command for the new map storage:

bin/kc.[sh|bat] start --spi-authentication-sessions-map-auth-sessions-limit=100

SQL injection attacks

Currently, Keycloak has no known SQL injection vulnerabilities.

Account Console

Keycloak users can manage their accounts through the Account Console. They can configure their profiles, add two-factor authentication, include identity provider accounts, and oversee device activity.

Additional resources
  • The Account Console can be configured in terms of appearance and language preferences. An example is adding additional attributes to the Personal info page. For more information, see the Server Developer Guide.

Accessing the Account Console

Procedure
  1. Make note of the realm name and IP address for the Keycloak server where your account exists.

  2. In a web browser, enter a URL in this format: server-root/realms/{realm-name}/account.

  3. Enter your login name and password.

Account Console

Account Console

Configuring ways to sign in

You can sign in to this console using basic authentication (a login name and password) or two-factor authentication. For two-factor authentication, use one of the following procedures.

Two-factor authentication with OTP

Prerequisites
  • OTP is a valid authentication mechanism for your realm.

Procedure
  1. Click Account security in the menu.

  2. Click Signing in.

  3. Click Set up Authenticator application.

    Signing in

    Signing in

  4. Follow the directions that appear on the screen to use your mobile device as your OTP generator.

  5. Scan the QR code in the screen shot into the OTP generator on your mobile device.

  6. Log out and log in again.

  7. Respond to the prompt by entering an OTP that is provided on your mobile device.

Two-factor authentication with WebAuthn

Prerequisites
  • WebAuthn is a valid two-factor authentication mechanism for your realm. Please follow the WebAuthn section for more details.

Procedure
  1. Click Account Security in the menu.

  2. Click Signing In.

  3. Click Set up a Passkey.

    Signing In

    Signing in with a Passkey

  4. Prepare your Passkey. How you prepare this key depends on the type of Passkey you use. For example, for a USB based Yubikey, you may need to put your key into the USB port on your laptop.

  5. Click Register to register your Passkey.

  6. Log out and log in again.

  7. Assuming authentication flow was correctly set, a message appears asking you to authenticate with your Passkey as second factor.

Passwordless authentication with WebAuthn

Prerequisites
Procedure
  1. Click Account Security in the menu.

  2. Click Signing In.

  3. Click Set up a Passkey in the Passwordless section.

    Signing In

    Signing in with a Passkey

  4. Prepare your Passkey. How you prepare this key depends on the type of Passkey you use. For example, for a USB based Yubikey, you may need to put your key into the USB port on your laptop.

  5. Click Register to register your Passkey.

  6. Log out and log in again.

  7. Assuming authentication flow was correctly set, a message appears asking you to authenticate with your Passkey as second factor. You no longer need to provide your password to log in.

Viewing device activity

You can view the devices that are logged in to your account.

Procedure
  1. Click Account security in the menu.

  2. Click Device activity.

  3. Log out a device if it looks suspicious.

Devices

Devices

Adding an identity provider account

You can link your account with an identity broker. This option is often used to link social provider accounts.

Procedure
  1. Log into the Admin Console.

  2. Click Identity providers in the menu.

  3. Select a provider and complete the fields.

  4. Return to the Account Console.

  5. Click Account security in the menu.

  6. Click Linked accounts.

The identity provider you added appears in this page.

Linked Accounts

Linked Accounts

Accessing other applications

The Applications menu item shows users which applications you can access. In this case, only the Account Console is available.

Applications

Applications

Viewing group memberships

You can view the groups you are associated with by clicking the Groups menu. If you select Direct membership checkbox, you will see only the groups you are direct associated with.

Prerequisites
  • You need to have the view-groups account role for being able to view Groups menu.

View group memberships

View group memberships

Admin CLI

With Keycloak, you can perform administration tasks from the command-line interface (CLI) by using the Admin CLI command-line tool.

Installing the Admin CLI

Keycloak packages the Admin CLI server distribution with the execution scripts in the bin directory.

The Linux script is called kcadm.sh, and the script for Windows is called kcadm.bat. Add the Keycloak server directory to your PATH to use the client from any location on your file system.

For example:

  • Linux:

    $ export PATH=$PATH:$KEYCLOAK_HOME/bin
    $ kcadm.sh
  • Windows:

    c:\> set PATH=%PATH%;%KEYCLOAK_HOME%\bin
    c:\> kcadm

You must set the KEYCLOAK_HOME environment variable to the path where you extracted the Keycloak Server distribution.

To avoid repetition, the rest of this document only uses Windows examples in places where the CLI differences are more than just in the kcadm command name.

Using the Admin CLI

The Admin CLI makes HTTP requests to Admin REST endpoints. Access to the Admin REST endpoints requires authentication.

Consult the Admin REST API documentation for details about JSON attributes for specific endpoints.

  1. Start an authenticated session by logging in. You can now perform create, read, update, and delete (CRUD) operations.

    For example:

    • Linux:

      $ kcadm.sh config credentials --server http://localhost:8080 --realm demo --user admin --client admin
      $ kcadm.sh create realms -s realm=demorealm -s enabled=true -o
      $ CID=$(kcadm.sh create clients -r demorealm -s clientId=my_client -s 'redirectUris=["http://localhost:8980/myapp/*"]' -i)
      $ kcadm.sh get clients/$CID/installation/providers/keycloak-oidc-keycloak-json
    • Windows:

      c:\> kcadm config credentials --server http://localhost:8080 --realm demo --user admin --client admin
      c:\> kcadm create realms -s realm=demorealm -s enabled=true -o
      c:\> kcadm create clients -r demorealm -s clientId=my_client -s "redirectUris=[\"http://localhost:8980/myapp/*\"]" -i > clientid.txt
      c:\> set /p CID=<clientid.txt
      c:\> kcadm get clients/%CID%/installation/providers/keycloak-oidc-keycloak-json
  2. In a production environment, access Keycloak by using https: to avoid exposing tokens. If a trusted certificate authority, included in Java’s default certificate truststore, has not issued a server’s certificate, prepare a truststore.jks file and instruct the Admin CLI to use it.

    For example:

    • Linux:

      $ kcadm.sh config truststore --trustpass $PASSWORD ~/.keycloak/truststore.jks
    • Windows:

      c:\> kcadm config truststore --trustpass %PASSWORD% %HOMEPATH%\.keycloak\truststore.jks

Sensitive Options

Sensitive values, such as passwords, may be specified as command options. That is generally not recommended. There are also mechanisms by which you can be prompted for the sensitive value - by either omitting the option or providing a value or -. Finally all will have a corresponding env variable that can be used instead - check the help of the command you are running to see all possible options.

Authenticating

When you log in with the Admin CLI, you specify:

  • A server endpoint URL

  • A realm

  • A user name

Another option is to specify a clientId only, which creates a unique service account for you to use.

When you log in using a user name, use a password for the specified user. When you log in using a clientId, you need the client secret only, not the user password. You can also use the Signed JWT rather than the client secret.

Ensure the account used for the session has the proper permissions to invoke Admin REST API operations. For example, the realm-admin role of the realm-management client can administer the realm of the user.

Two primary mechanisms are available for authentication. One mechanism uses kcadm config credentials to start an authenticated session.

$ kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin

This mechanism maintains an authenticated session between the kcadm command inv