Are you correctly authenticated ?



Restrict roles to a subset through the "full scope allowed" switch

By default, a client has the "roles" scope set as "default", so a user's tokens contain every client role assigned to that user. Learn how and why you must restrict the roles in tokens by turning off the "full scope allowed" switch.

Posted on Mon 2 December 2024


Nocode event-listener in Keycloak

Create your own nocode event-listener for Keycloak with n8n.

Posted on Wed 20 November 2024


LDAP Bind proxy : login to Keycloak with LDAP

In a nutshell: how to spawn a simple LDAP bind proxy for the Keycloak OIDC password grant.

Posted on Mon 16 September 2024


GMail extension : create a gitlab issue

With Google Apps Script, we created a Gmail extension that interacts with GitLab.

Posted on Mon 09 September 2024


Metrics in Keycloak : add yours

Learn how to enrich native metrics in Keycloak with Micrometer

Posted on Mon 08 August 2024


An authenticator to check your Keycloak version

Introduction to authenticator development : display an alert message during the login process if Keycloak is not up to date.

Posted on Thu 07 March 2024


Use openid connect authentication in n8n workflow

Authenticate users in an n8n workflow with OpenID Connect, with Keycloak as the example.

Posted on Wed 29 November 2023


Our vision about authorizations

After years of consulting, we created our own authorization platform that perfectly fits all the needs we have seen.

Posted on Mon 06 November 2023


Keycloak config checker

Check for bad configuration in Keycloak, connected to your monitoring.

Posted on Thu 28 September 2023


Deploy PostgREST on Clever-Cloud

PostgREST is an API generator for PostgreSQL databases. Let's see how we can deploy and use it on Clever-Cloud.

Posted on Fri 18 August 2023


Keycloak as SSO for Airtable

Use your own Keycloak as SSO for Airtable.

On the "enterprise" plan only, you can add your own SSO to your Airtable organization. Let's take a look at how to integrate Keycloak.

Posted on Fri 10 March 2023


ACR (Authentication Context Class Reference) and LOA (Level Of Authentication) with Keycloak, support in oidc-bash

Keycloak now supports the Authentication Context Class Reference parameter for different Levels of Authentication. This means that you can define different levels of authentication in a single flow.

Posted on Wed 8 November 2022


A bash client for the CIBA OpenId Connect protocol

A little tool written in bash for understanding the CIBA authentication protocol.

Posted on Wed 26 October 2022


Retrieve external IDP tokens in Keycloak

When you add external identity providers to your Keycloak Realm, it retrieves tokens from your identity providers, then sends back to your application a new access_token from your Keycloak Realm.

What about the original token ?

Posted on We 20 October 2022


Postgres Oauth2 authentication

How and why we added a module for postgres authentication that supports oauth2. This PAM module is also usable for all Unix authentication methods.

Posted on Thu 01 September 2022


Transient sessions in Keycloak : save your cache performances !

Keycloak generates a session on each user login. Those sessions are replicated in Infinispan caches. Sometimes we only need a token, not a session. This is how to do it.

Posted on We 16 March 2022


Keycloak.X in Kubernetes : deploy a cluster

Keycloak.X will become the reference soon.

According to the blog post, Keycloak 18 will not support WildFly, and after that there will be no WildFly version... Now it is time to migrate !

We are still waiting for a Kubernetes operator with Keycloak.X. In this post we will see how to build your own cluster based on Keycloak.X 16.1.0.

Posted on We 05 January 2022


Keepass in the system tray with quick access

At please-open.it we use Keepass for password management. This simple, open source solution satisfies us entirely, with only a shared file on our internal cloud.

We tried to greatly improve the user experience by creating the simplest password manager application.

Posted on Mo 03 January 2022


UMA 2.0 from the beginning : how to use it with bash

UMA 2.0 is known as a standard for delegating authorizations. Keycloak is fully compatible with UMA 2.0.

With a bash tool developed by please-open.it, let's see how to use UMA 2.0.

This article explains what UMA 2.0 is, with an example using our new bash tool : uma-bash-client.sh

Posted on Fr 13 August 2021


Device code flow in Keycloak

Keycloak 13.0 now supports the device code flow. Let's take a tour of how to use it.

Posted on Thr 06 May 2021


Action token for external user file download management

Action tokens are a particular type of token that allows unauthenticated users to perform some limited and predefined actions.

In this article we will see how to use them to create authenticated download links with a simple and short PHP script intended to run on shared web hosting.

Posted on Fri 09 April 2021


Authentication - feel the user experience

There are several methods for authentication : certificates, passwords, pincode, webauthn, One Time Password...

Choosing an authentication method is not a technical choice : it has a huge impact on security but also on User eXperience.

This article shows several demos, built with Keycloak, and lets you get a feel for the User eXperience of each authentication method.

Posted on Fri 02 April 2021


Action token, an idea for newsletter authentication

Action tokens are a particular type of token that allows unauthenticated users to perform some limited and predefined actions.

Usual use cases are :

  • E-mail confirmation
  • Credentials reset
  • Execute required action(s)
  • and any action relevant to the flow and your use cases...

This article explains what an action token is and how to use it to authenticate users from a link inside a newsletter.

Posted on Fri 08 January 2021


Keycloak.X as a service

A year ago, the Keycloak team introduced the Keycloak.X distribution : https://www.keycloak.org/2019/10/keycloak-x

We were very excited about this project :

  • Lighter
  • Easier to scale
  • Continuous delivery
  • and more...

Now, our infrastructure has migrated to Keycloak.X. Any (free) account on our platform is now running on the Keycloak.X distribution.

Posted on Mon 22 December 2020


LDAP integration on Keycloak

A link between an LDAP directory and Keycloak could be considered a "must have". Companies often want to connect their directory to Keycloak. Keycloak could be considered an "OpenId Connect proxy" between webapps and an Active Directory.

Keycloak can retrieve users from LDAP, synchronize groups, roles or custom attributes. Let's have a complete tour of what you can do with this connector.

Posted on Mon 27 September 2020


AUTHORIZATION CODE GRANT : HOW IT WORKS, AND TRY IT !

Authorization code grant (also named "auth_code") is one of the most popular authentication methods on the web. Every oauth2 provider implements this flow, which is the best for web authentication. Facebook, Google, Twitter, Linkedin... all of them use it (or partially, we will explain why).

Posted on Wed 02 July 2020


(fr) Allow third-party services to access my API

Allow third-party services to access my API :

  • define roles per API pattern (Java Spring)
  • assign roles to users
  • define scopes : data and associated roles
  • expose your API : give a Client to the developer
  • user consent : the "Consent Screen"
  • revoking user consent

Create a user account to follow the demos (email optional) : https://webinaire.please-open.it
A second implementation, by an external client : https://www.mathieupassenaud.fr/webinaire
oauth server : app.please-open.it/auth
realmid : 122aa842-0cf0-48e6-a5bc-cca00254a9bb

Posted on Wed 23 April 2020


OpenVPN and Keycloak : Link your VPN Infrastructure with your SSO

OpenVPN allows the use of PAM modules. By using an oauth2 client PAM module and the password grant, we can use our own SSO (Keycloak) to authenticate users on a VPN infrastructure.
For Oauth2 providers that do not allow the Password Grant, we will use "token authentication", providing a valid token instead of a password. Code and demo with Google as the authentication provider.

Posted on Thu 2 April 2020


(fr) Oauth2 for ops

Oauth2 in the ops world :

  • setting up a Keycloak realm : clients, flows, roles
  • integration with apps that support oauth2 : demo with Grafana
  • Adding oauth2 support to an app : authentication proxy in Lua with Nginx for Jenkins (header-based authentication)
  • Authentication proxy in Lua with permission checks (introspection) for serving files
  • SSH/SFTP authentication using Direct Access Grant and a PAM module
  • Going further : Mappers in Keycloak, how to customize information and tokens

Posted on Wed 25 March 2020
