Tuesday, 3 January 2017

Keycloak 2.5.0.Final Released

Keycloak 2.5.0.Final has just been released.

There are no changes since 2.5.0.CR1. To download the release go to the Keycloak homepage. Before you upgrade, refer to the migration guide.

Thursday, 22 December 2016

Keycloak 2.5.0.CR1 Released

We've released Keycloak 2.5.0.CR1 just in time for Christmas. This release mainly focuses on bug fixing: we've resolved an impressive 165 issues! Due to the Christmas holidays the final release won't be until early January.

Highlights of the release include:

  • User Storage SPI - We've removed the old User Federation SPI in this release. If you have custom user federation providers you will need to migrate them to the User Storage SPI.
  • HMAC Key Provider - We've added a secret key provider to be able to do HMAC signatures. These are faster than RSA signatures and are used for signing cookies.
  • Ability to disable Impersonation - If you don't want to allow admins to be able to impersonate users you can now fully disable this feature.

This is the second-to-last release in the Keycloak 2 series. Expect one more round of bug fixing and a 2.5.1.Final release towards the end of January. After that we'll get started on Keycloak 3!

Plans for Keycloak 3 are not finalized, but some things we're hoping to do next year include:

  • Multi data center support - It's kind of possible at the moment, but we are planning a lot of improvements in this area
  • Authentication SPI - We're aiming to clean up the authentication SPI and may also add more built-in authentication capabilities
  • Validation on Admin Endpoints and Console - There's currently a lack of validation on the admin endpoints, which can result in bad configuration
  • Profile SPI - A single configurable and extensible place to define user validation for self-registration, account management and the admin console
  • New Account Management - New modern and easier to use account management console
  • Testing and CI - More automated testing, better test coverage and more Jenkins!

I'd like to wish everyone a Merry Christmas and a Happy New Year on behalf of the Keycloak team. We're looking forward to adding loads more features and improvements to Keycloak in 2017!

For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.

Friday, 2 December 2016

Considering removing Mongo from Keycloak

We are considering removing Mongo support from Keycloak in 3.x. The reason is that there are a fair few issues in the current implementation, especially around consistency: Mongo lacks transaction support, and we often update multiple documents in a single operation. In many cases we rely on a transaction rollback to prevent partial updates, but that obviously doesn't work in Mongo.

Given that Mongo support is already partially broken and requires constant maintenance, we're considering removing it and focusing purely on the relational database back-end.

Another point is that we are not considering supporting Mongo in the supported version of Keycloak (Red Hat Single Sign-On). So we will never be able to give it the same level of care and attention as the relational databases.

If we do decide to remove it we would make sure we provide a seamless and easy option to migrate from Mongo to a relational database!

I would like to gather some feedback from the community before doing anything, so please vote on the Doodle poll.

Also, comments on this post are more than welcome!

I'll end with a comment: time spent by core developers on maintaining Mongo could be better spent on awesome new features, testing and bug fixing!

Thursday, 24 November 2016

Keycloak 2.4.0.Final Released

Keycloak 2.4.0.Final has just been released.

There are no changes since 2.4.0.CR1. To download the release go to the Keycloak homepage. Before you upgrade, refer to the migration guide.

Monday, 21 November 2016

Keycloak 2.4.0.CR1 Released

We've just released Keycloak 2.4.0.CR1. This is mainly a maintenance release with a lot of minor improvements and bug fixes.

For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage.

Monday, 31 October 2016

Registering new clients from shell

Keycloak comes with a powerful web admin console that is the primary tool for configuring everything in Keycloak. As powerful as it is, it does not lend itself to scripting. Automation requires the ability to script admin tasks, and to facilitate that we've been working on CLI tools that are friendly to automation as well as interactive shell use.

The first of the CLI tools, the Client Registration CLI, is now available as part of the Keycloak distribution. It allows creating new clients and updating existing ones, operations you would otherwise have to do in the Web Admin Console under the Clients section.

The Client Registration CLI can be used by application developers who integrate their applications with a Keycloak server and don't necessarily have administrative privileges on the server itself. That is possible by way of special client creation tokens, called Initial Access Tokens, which a realm administrator can issue and distribute to developers for self-service. In that case the developer doesn't even need a user account; the Initial Access Token is their means of authenticating to perform client creation operations.

The Client Registration CLI can also be used by applications and services to dynamically register themselves. This makes it possible to automate the creation and management of client configuration by the applications and services themselves.

In theory such self-service can be performed with generic tools like curl or wget, but in reality the mechanics of handling the tokens require writing code or a shell script and debugging it before it works properly. The Client Registration CLI takes care of all of that: it can maintain state between invocations, it handles the tokens for you, and it's very easy to use.

You can find the tool in your KEYCLOAK/bin directory - it's called kcreg.sh (or kcreg.bat on Windows).

Here's a little tour to give you a sense of what you can do with it.

Register an Initial Access Token received from admin

$ kcreg.sh config initial-token --server http://localhost:8080/auth --realm demo

You will be prompted for the token issued to you by the realm admin. The token will be saved to the default configuration file at ~/.keycloak/kcreg.config.

Declare which server and realm to use by default

$ kcreg.sh config credentials --server http://localhost:8080/auth --realm demo

Any operation from now on will use the configured server and realm as default values.

Alternatively you can log in as a user with client management rights, admin for example:

$ kcreg.sh config credentials --server http://localhost:8180/auth --realm master --user admin --password admin --secret db2cd162-aa86-4154-a16e-a393c9db4f76

By default kcreg identifies itself to the Keycloak server as the client with clientId 'admin-cli'. That client is automatically configured for every new realm to represent client tools like kcreg. We assume here that the 'admin-cli' client has Access Type set to 'Confidential' and uses 'Client Id and Secret' for authentication; that is where the secret comes from, the Credentials tab of the admin-cli client in the Master realm's Clients section.

Create a new client configuration

$ kcreg.sh create -s clientId=app-profile-jsp -s protocol=openid-connect -s rootUrl=http://localhost:8080/app-profile-jsp

That is enough to create a new public client using the standard flow for authentication, the kind used for static HTML5 applications.

Get client configuration

To see the configuration we just created we can use:

$ kcreg.sh get app-profile-jsp

Update client configuration

For this little tour we want to create a client for a dynamic web application hosted on a server, so we'll make the client `confidential`.

$ kcreg.sh update app-profile-jsp -s publicClient=false

Get Keycloak Adapter configuration file

Now we want to get a configuration file to put inside our packaged web application:

$ kcreg.sh get app-profile-jsp -e install > keycloak.json

We can now put keycloak.json in the WEB-INF directory of our .war file.

Delete client configuration

We may no longer need a client configuration. We can easily delete it:

$ kcreg.sh delete app-profile-jsp

This was a very simple tour tailored to interactive use. The Client Registration CLI also supports more complex usage.

For example, it's possible to authenticate once for an individual command without saving any tokens into a config file:

$ kcreg.sh create --no-config -s clientId=app-profile-jsp -s protocol=openid-connect -s rootUrl=http://localhost:8080/app-profile-jsp -s publicClient=false --server http://localhost:8180/auth --realm master --user admin --password admin --secret db2cd162-aa86-4154-a16e-a393c9db4f76

All the kcreg commands accept additional options which you can learn about by using --help.

The Client Registration CLI doesn't use the Keycloak Admin REST API but a separate Client Registration REST service. It is thus limited in scope and tailored to the specific use case of configuring new clients in a self-service manner.

Another, more general Admin CLI tool is in the making that will use the Keycloak Admin REST API and eventually allow all Web Admin Console operations to be performed through the CLI.

Why not give the Client Registration CLI a try and let us know what you think.
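To show what the CLI takes care of for you, here is an added example (my code, not Keycloak's and not part of the original post) that talks to the Client Registration REST service directly and walks the tour above: create a client with an Initial Access Token, update it to confidential, delete it. It assumes the endpoint layout /realms/{realm}/clients-registrations/default[/{clientId}] under the server URL, that the server returns a fresh Registration Access Token in every response and revokes the one just used, and uses made-up server, realm and token values; a constructed in-memory stand-in for the server is included so the flow runs offline.

```python
"""Added example (not Keycloak's own code): the token handling that kcreg hides.
Assumed, not from the post: the Client Registration REST paths follow the
Keycloak 2.x layout /auth/realms/{realm}/clients-registrations/default, the
server rotates the Registration Access Token (RAT) on every use, and the
server URL, realm and token strings below are made up."""
import json
import urllib.request

def registration_url(server, realm, client_id=None):
    base = server.rstrip("/") + "/realms/" + realm + "/clients-registrations/default"
    return base if client_id is None else base + "/" + client_id

def build_request(method, server, realm, token, client_id=None, body=None):
    """(method, url, headers, data). POST carries the Initial Access Token;
    GET/PUT/DELETE on a client carry that client's current RAT."""
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    data = None if body is None else json.dumps(body).encode("utf-8")
    if data is not None:
        headers["Content-Type"] = "application/json"
    return method, registration_url(server, realm, client_id), headers, data

def http_transport(request):
    """Send the described request to a real server (urllib raises on 4xx/5xx)."""
    method, url, headers, data = request
    with urllib.request.urlopen(urllib.request.Request(url, data=data, headers=headers, method=method)) as r:
        raw = r.read()
    return json.loads(raw) if raw else None

class TokenStore:
    """What kcreg persists in ~/.keycloak/kcreg.config: the latest RAT per client.
    Each response's RAT must overwrite the one just spent; the old one is revoked."""
    def __init__(self):
        self.tokens = {}
    def record(self, rep):
        if rep and "registrationAccessToken" in rep:
            self.tokens[rep["clientId"]] = rep["registrationAccessToken"]
        return rep
    def token_for(self, client_id):
        return self.tokens[client_id]

def create_client(server, realm, initial_token, rep, store, transport=http_transport):
    return store.record(transport(build_request("POST", server, realm, initial_token, body=rep)))

def update_client(server, realm, client_id, changes, store, transport=http_transport):
    # Read-modify-write; both the GET and the PUT consume and rotate the RAT.
    current = store.record(transport(build_request("GET", server, realm, store.token_for(client_id), client_id)))
    current = {k: v for k, v in current.items() if k != "registrationAccessToken"}
    current.update(changes)
    return store.record(transport(build_request("PUT", server, realm, store.token_for(client_id), client_id, current)))

def delete_client(server, realm, client_id, store, transport=http_transport):
    transport(build_request("DELETE", server, realm, store.tokens.pop(client_id), client_id))

class FakeRegistrationService:
    """Constructed in-memory stand-in for the server so the flow runs offline:
    one valid Initial Access Token, single-use RATs rotated on every call."""
    def __init__(self, initial_token):
        self.initial_token, self.clients, self.rats, self.issued = initial_token, {}, {}, 0
    def _rotate(self, client_id):
        self.issued += 1
        self.rats[client_id] = "rat-%s-%d" % (client_id, self.issued)
        return dict(self.clients[client_id], registrationAccessToken=self.rats[client_id])
    def handle(self, request):
        method, url, headers, data = request
        bearer = headers["Authorization"].split(" ", 1)[1]
        if method == "POST":
            if bearer != self.initial_token:
                raise PermissionError("invalid Initial Access Token")
            rep = json.loads(data)
            rep.setdefault("publicClient", True)  # the post: a new client is public by default
            self.clients[rep["clientId"]] = rep
            return self._rotate(rep["clientId"])
        client_id = url.rsplit("/", 1)[1]
        if self.rats.get(client_id) != bearer:
            raise PermissionError("unknown client or stale RAT")
        if method == "PUT":
            self.clients[client_id] = json.loads(data)
        elif method == "DELETE":
            del self.clients[client_id], self.rats[client_id]
            return None
        return self._rotate(client_id)

def run_tour(server="http://localhost:8080/auth", realm="demo", iat="iat-from-admin"):
    """The post's tour (create, make confidential, delete) against the stand-in,
    plus a replay of a spent RAT, which a correct server must refuse."""
    fake, store = FakeRegistrationService(iat), TokenStore()
    rep = {"clientId": "app-profile-jsp", "protocol": "openid-connect",
           "rootUrl": "http://localhost:8080/app-profile-jsp"}
    created = create_client(server, realm, iat, rep, store, fake.handle)
    spent = store.token_for("app-profile-jsp")
    updated = update_client(server, realm, "app-profile-jsp", {"publicClient": False}, store, fake.handle)
    try:
        fake.handle(build_request("GET", server, realm, spent, "app-profile-jsp"))
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    delete_client(server, realm, "app-profile-jsp", store, fake.handle)
    return {"created_public": created["publicClient"], "updated_public": updated["publicClient"],
            "rats_issued": fake.issued, "replay_rejected": replay_rejected,
            "clients_left": len(fake.clients), "tokens_left": len(store.tokens)}

if __name__ == "__main__":
    print(json.dumps(run_tour(), indent=2))
```

Run it as-is to exercise the flow against the stand-in; the same create/update/delete functions take http_transport (the default) to talk to a real server. The point the tour glosses over is the rotation: whoever holds the latest Registration Access Token controls that client, so the file kcreg writes to ~/.keycloak/kcreg.config is bearer-token material and should be protected like a password. The same goes for the --password and --secret values passed on the command line above, which end up in shell history.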

Wednesday, 26 October 2016

Keycloak 2.3.0.Final Released

Keycloak 2.3.0.Final has just been released.

For the list of resolved issues check out JIRA and to download the release go to the Keycloak homepage. Before you upgrade, refer to the migration guide.