By default, a client has the "roles" scope as a default client scope and the "Full scope allowed" switch turned on, so a user's tokens for that client carry every role assigned to them, including roles that belong to other clients. Learn how and why you should restrict the roles put in tokens by turning off the "Full scope allowed" switch.
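As an added illustration (not code from please-open.it or from Keycloak), the script below audits a list of client representations for the "Full scope allowed" switch, builds the update body that turns it off, and decodes an access token to show which clients' roles ended up inside it. The client list and the token are constructed samples in the shape of what `GET /admin/realms/{realm}/clients` returns and of a Keycloak access token; no server is contacted and no signature is verified.

```python
"""Audit Keycloak clients for 'Full scope allowed' and inspect the roles a token carries.

Added example for this page, not please-open.it's or Keycloak's code. Inputs are constructed
samples: a trimmed list of ClientRepresentations and a hand-built, unsigned access token.
"""
import base64
import json

# Constructed sample: trimmed ClientRepresentations as the admin REST API returns them.
SAMPLE_CLIENTS = [
    {"id": "1111", "clientId": "billing-app", "fullScopeAllowed": True},
    {"id": "2222", "clientId": "intranet", "fullScopeAllowed": False},
    {"id": "3333", "clientId": "admin-cli", "fullScopeAllowed": True},
]


def clients_with_full_scope(clients):
    """clientIds whose tokens will carry every role the user holds, in any client.
    A missing field is treated as 'on', which is what a freshly created client gets."""
    return [c["clientId"] for c in clients if c.get("fullScopeAllowed", True)]


def fix_payload(client):
    """Body for PUT /admin/realms/{realm}/clients/{id}: the same representation with the
    switch off. Afterwards only roles listed in the client's 'Scope' tab (plus the
    client's own roles) are mapped into its tokens."""
    patched = dict(client)
    patched["fullScopeAllowed"] = False
    return patched


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def roles_in_token(access_token):
    """Map 'realm' and each client in resource_access to the roles the token exposes.
    The signature is deliberately NOT checked: this inspects a token you minted yourself,
    it must not be used to trust a token presented by a caller."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    roles = {"realm": sorted(payload.get("realm_access", {}).get("roles", []))}
    for client_id, access in payload.get("resource_access", {}).items():
        roles[client_id] = sorted(access.get("roles", []))
    return roles


def unexpected_clients(access_token, expected):
    """Clients whose roles leaked into the token although this app should never see them."""
    return sorted(c for c in roles_in_token(access_token) if c not in expected)


def _make_sample_token():
    """Constructed token with a dummy signature, shaped like a full-scope Keycloak token."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample"}
    payload = {
        "azp": "billing-app",
        "realm_access": {"roles": ["offline_access", "uma_authorization"]},
        "resource_access": {
            "billing-app": {"roles": ["invoice-reader"]},
            "intranet": {"roles": ["hr-admin"]},  # leaked from another client
            "account": {"roles": ["manage-account"]},
        },
    }

    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(payload)}.c2lnbmF0dXJl"


SAMPLE_TOKEN = _make_sample_token()

if __name__ == "__main__":
    print("full scope on:", clients_with_full_scope(SAMPLE_CLIENTS))
    print("roles in token:", json.dumps(roles_in_token(SAMPLE_TOKEN), indent=2))
    print("leaked from:", unexpected_clients(SAMPLE_TOKEN, {"realm", "billing-app", "account"}))
```

The "intranet" entry is the point: with full scope on, a token minted for `billing-app` proves that the user is an HR admin somewhere else, and any relying party that reads `resource_access` wholesale will act on it.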
Keycloak now supports the Authentication Context Class Reference (acr) parameter for different Levels of Authentication (LoA).
It means that you can define several levels of authentication inside a single authentication flow, and a client can ask for the level it needs.
When you add external identity providers to your Keycloak realm, Keycloak retrieves tokens from those
providers, then sends your application a new access token issued by your own Keycloak realm.
Keycloak creates a session on each user login, and those sessions are replicated in Infinispan caches.
Sometimes we only need a token, not a session. Here is how to do it.
At please-open.it we use KeePass for password management. This simple and
open source solution fully satisfies us, with nothing more than a shared file on our internal cloud.
We tried to improve the user experience a lot by creating the simplest password manager application.
Action tokens are a particular type of token that allows unauthenticated users to perform some limited and
predefined actions.
In this article we will see how to use them to create authenticated download links with a simple and short PHP
script intended to run on shared web hosting.
Linking an LDAP directory to Keycloak could be considered a "must have": companies often want
to connect their directory to Keycloak.
Keycloak can then act as an "OpenID Connect proxy" between web apps and an Active Directory.
Keycloak can retrieve users from LDAP and synchronize groups, roles and custom attributes. Let's take a complete
tour of what you can do with this connector.
The authorization code grant (also called "auth_code") is one of the most popular authentication methods on the web.
Every OAuth2 provider implements this flow, which is the best suited to web authentication. Facebook, Google,
Twitter, LinkedIn... all of them use it (or only partially; we will explain why).
OpenVPN allows the use of PAM modules. With an OAuth2 client PAM module and the
password grant, we can use our own SSO (Keycloak) to authenticate users on a VPN infrastructure.
For OAuth2 providers that do not allow the password grant, we will use "token authentication": the user provides a
valid token instead of a password. Code and demo with Google as the authentication provider.