KEYCLOAK - Implementing Custom REST Resources (endpoints) | Niko Köbler (@dasniko)

Поделиться
HTML-код
  • Опубликовано: 2 дек 2024

Комментарии • 56

  • @stephanelagace7552
    @stephanelagace7552 11 месяцев назад +3

    Big thanks for your contribution.
    With your tutorial, I was able to create my own user storage provider.
    It made a huge difference.

  •  Год назад +1

    Is there any platform to discuss issues with the examples? Currently trying to implement a endpoint as described here, but getting a 404.

  • @axel_so
    @axel_so 6 месяцев назад +1

    In the documentation it is not mentioned that the provider ID is part of the context path so I was stuck, thanks a lot for sharing!

  • @satyanarayanasarma4167
    @satyanarayanasarma4167 2 года назад +1

    Hi Can you please explain how to link , I didn't understand the keycloak documentation

  • @oussemahelal8628
    @oussemahelal8628 Год назад

    Can you please add another video to explain how to configure,and deploying this extension

  • @dishijain
    @dishijain 2 года назад

    I want my resources to use a different model to Authorization (not authentication), based on application specific roles and permission. Do you think above will fit as a solution?

  • @RabiaAkhlaq
    @RabiaAkhlaq Год назад

    How to configure this custom provider in keycloak?

  • @VaibhavKumbhar-o9f
    @VaibhavKumbhar-o9f Год назад

    Thank you for the video. I have added custom rest resource same way to achieve my usecase.(Develop api over keycloak client which gives me list of apps where the client's roles are added in scope mappings.. e.g. /auth/realms/kc12/clients/47a9cd6e-6272-4efd-ac91-f5af97992b9d/linked-scope-mappings)
    I want this api to use the authentication of master realm for authentication and having admin-cli as azp.
    1. Can you suggest how can I achieve this?
    2. Also is there any way to add the custom reosources over /admin endpoints? ( I will be using this endpoint from my service along with other management apis)

  • @Niralya-fj8vn
    @Niralya-fj8vn 5 месяцев назад

    Hello Niko,
    I'm getting below error when I try to build KeycloakBuilder object in keycloak,
    ERROR: org.eclipse.microprofile.config.spi.ConfigSource: org.jboss.resteasy.microprofile.config.ServletConfigSource not a subtype
    I appreciate your attention and input.
    Thanks in advance.

  • @newsmunite
    @newsmunite Год назад

    Hi, Im trying login with otp. That is working on UI. So, When I insert gsm no, I can get otp code and after that when I insert the code I can login. All of thing ok but. How to work this one on api server? I wanna login in any api endpoint without UI web page

    • @dasniko
      @dasniko  Год назад

      How is your question related to this video?

    • @newsmunite
      @newsmunite Год назад

      @@dasniko actualy not related. While was searching about my issue, I've found most related this video. Actualy I know you, you are expert about keycloak, so that I asked you

    • @dasniko
      @dasniko  Год назад

      Please note, as also mentioned in each video description, I don't give support through YT comments, as this is not the proper place to do so, There are other known forums, discussions and groups available for that (mentioned on the KC website), where also other experts, besides me, are around and willing to help. Thanks for your understanding.

    • @newsmunite
      @newsmunite Год назад

      @@dasniko I havent found any keycloak forum. Could you direct ne to anyone

  • @mehdiben9624
    @mehdiben9624 2 года назад

    Hi, can two clients in the same realm communicate with each other on keycloak ? if yes, how ? if no, why ?

  • @hamedhariri-g5f
    @hamedhariri-g5f Год назад

    Thank you for sharing this useful video. I have two questions. First, I don't know how can I deploy this custom endpoint into the keycloak server. I think you didn't point it out in this video. Second, Is there anyway to debug and have break point inside the created module? In fact I want deploy this module in intellij in debug mode and when I call this api from postman, I want to have break point and check input data. Is this possible?

    • @dasniko
      @dasniko  Год назад

      your first question: see official keycloak developer guide, it's mentioned there!
      your second question: if you deploy your extension into a container, you can enable debug mode and open the debugger port, this way you can attach a remote debugger from your IDE.

    • @hamedhariri-g5f
      @hamedhariri-g5f Год назад

      @@dasniko Thank you for your response. I have installed my custom spi into keycloak successfully and I can call my custom api and keycloak gets my response correctly. Also I enabled remote debugging and my break points works successfully. My problem is, after any changing to my codes, I need to build jar, put it inside keycloak source, build and rerun keycloak. Is there any way to do it on the fly? I mean when I change codes in my spi, I could run it and see results and catch break points.

    • @dasniko
      @dasniko  Год назад

      @@hamedhariri-g5f Keycloak does not support hot-code-replacement

  • @ahmedzenakhi3087
    @ahmedzenakhi3087 Год назад

    Thanks for this tutorial ! Please, do you know how to modify the authorization OpenID endpoints /auth to /authorize exposed in .well-known/openid-configuration url ?

    • @dasniko
      @dasniko  Год назад

      There‘s no need to change the path.

    • @ahmedzenakhi3087
      @ahmedzenakhi3087 Год назад

      For our cases we have this need.
      On my side we use another solution (we name it solution A) for authentication (like keycloak) that use /authorize as authorization endpoints (/auth in keycloak).
      Our existing applications use a library who configures with only issuer. This library uses /authorize (hard-coded suffix).
      We don't want to have this impact of modifying the applications. The cost is significant.
      When our authentication solution A breaks down, keycloak takes over. So our client library don't found /authorize endpoints in keycloak.
      Is for that I asked question on how we can modify this endpoints /auth to /authorize.
      Thanks for your help !

    • @dasniko
      @dasniko  Год назад

      @@ahmedzenakhi3087 If you have such a requirement and want to change how third party apps work and adjust them to your sadly configured environment, you are doomed! Instead, work on your environment that it is properly configurable and doesn‘t rely on path names. That‘s not how the whole stuff works.

  • @maartenhormes
    @maartenhormes 2 года назад

    Hi Niko, I followed your video te create a custom REST resource. Creating and deploying it to keycloak formed no issues. I am running into the issue that whenever I call the checkAuth() method, it throws an exception. I make the requests with a valid token, but the AuthResult auth keeps being null. I am using keycloak 19.0.2. Do you have any idea why this AuthResult keeps being null?

    • @dasniko
      @dasniko  2 года назад

      If the AuthResult is null, then there is something wrong with the token. 🤷‍♂️

    • @maartenhormes
      @maartenhormes 2 года назад

      @@dasniko Decided to give it another try today. Somehow it works now. Thanks for the guide and the reply!

  • @DmytroShmidt
    @DmytroShmidt Год назад

    Is it possible to override-enrich default /roles endpoint of keycloak-server?
    Thank you

    • @dasniko
      @dasniko  Год назад

      Overriding built-in behavior is mostly not the proper way of doing things and may break Keycloak to break and stop working. The extensions are here to extend the product with your custom logic. There‘s also an SPI for extending the admin REST API.

    • @DmytroShmidt
      @DmytroShmidt Год назад

      @@dasniko thank you. So, you suggest not to override the default endpoint, but rather create a custom one? Or, is there existing the proper way for extending mentioned default endpoint through SPI that implements AdminRealmResourceProviderFactory, AdminRealmResourceProvider, EnvironmentDependentProviderFactory?

  • @uNki23
    @uNki23 Год назад

    Great tutorial!It works like a charm. Is it possible to use tokens issued for other clients than the admin-cli one? When I authenticate against my other clients (same realm!) and try to use that token in the custom endpoint, auth is always null. As soon as I use the admin-cli token, it works.
    I'd like the user's of the specific client to use my new endpoint with their client token as well.
    Thanks a lot!
    Tried to add the audience to "admin-cli" with a Client Scope Mapper - strangely this worked 1 or 2 times, now I get 401 again

  • @neslihanbozer2770
    @neslihanbozer2770 2 года назад

    When I add 'private fınalkeycloak sessıon' lın to my SprıngBoot applıcatıon ut takes an error as Parameter 0 of constructor ıin com.... reqıred bean type 'org.keycloak.models.KeycloakSessıon' that could not be found. Could you have an idea for the solution? Thanks

  • @lemonierlima5611
    @lemonierlima5611 7 месяцев назад

    I want do it but I dont know how open a java project like you showed at 2.37 minutes

    • @dasniko
      @dasniko  7 месяцев назад

      Sorry, but I can't give support in basic Java topics, there's plenty stuff around in the internet.

  • @pmwx
    @pmwx 2 года назад +2

    Danke für die informativen Videos. Könntest du evtl. mal ein Video über die Keycloak Offline Token und deren Verwendung machen. Ich suche aktuell eine Möglichkeit so eine Art One-Time-Token zu realisieren und bin dabei auf Offline Tokens gestoßen. Leider findet man im Netz nicht allzu viel darüber. Würde mich freuen wenn du uns das mal vernünftig erklärst.

    • @dasniko
      @dasniko  2 года назад

      Danke für das Feedback. Ich habe mal Offline-Tokens auf meine Liste genommen, ist aber keine Garantie, dass ich da wirklich was drüber mache.
      Generell sind One-Time- und Offline-Tokens aber erst mal unterschiedliche Dinge. Damit sind Offline-Tokens vielleicht nicht das, was Du willst.

  • @adlisamy9900
    @adlisamy9900 2 года назад

    Thank you first of all for those in-depth looks in keycloak on different factories.
    I'm facing an issue which is the following : i'm trying to integrate keycloak as the identity provider of my android application, the token endpoint works well but in this app we need OTP i've implemented it and added it in the flow, it work fine when it's brower based but what i want is to hit the specific endpoint /login-action , the "action" part in which the code is verified.
    For some reason it doesn't work i tried to mimic the behavior of the browser by sending a similar response after the username and password validation, and use those parameters for the second call but i always get a bad request status.
    Is there way to achieve that? Thank you
    PS: i don't want to use a webview or the AppAuth android library is possible

    • @dasniko
      @dasniko  2 года назад

      Well, what you want and don't want is different from what is secure. See links:
      www.oauth.com/oauth2-servers/mobile-and-native-apps/#:~:text=The%20current%20best%20practice%20is%20to%20use%20the%20Authorization%20Flow%20with%20PKCE%2C%20along%20with%20launching%20an%20external%20browser%2C%20in%20order%20to%20ensure%20the%20native%20app%20cannot%20modify%20the%20browser%20window%20or%20inspect%20the%20contents.
      datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-18#section-2.4
      www.scottbrady91.com/oauth/why-the-resource-owner-password-credentials-grant-type-is-not-authentication-nor-suitable-for-modern-applications

  • @kresnaplaysgames
    @kresnaplaysgames 2 года назад

    Hi Niko, it's a great video that I'm looking for implement custom rest endpoints. I have a Keycloak container (docker) then I create the custom rest endpoints and I want to build and publish it to my current Keycloak container to testing it like the video you show with Inertia REST client.
    Is it correct that I just build it to JAR file with Maven then send it to Keycloak container in directory opt/keycloak/providers then re-build the Keycloak container with command kc.[sh|bat] build?
    Thanks.

    • @dasniko
      @dasniko  2 года назад

      Should work

    • @fadighattas9769
      @fadighattas9769 2 года назад

      Hi thanks @Niko for the video it's explain a lot of keycloak extension and how they works, but if it's ok regarding @Kresna comment i have the same structure docker, jar , and im new to java and trying to build the jar from intlage but i can't find a solution yet how to do it , so if it possible to make a video how we can write a custom keycloak extension and how we can run it locally to test it with keycloak docker if it's possible , also how we can build the extension jar and added to keylock that will be great , i think will help a lot of people thanks in advance

  • @kinatron
    @kinatron 2 года назад

    Niko Thanks for the video! Is there any way I can authenticate using a token issued by the master realm? I would like to limit access to these realm endpoints to our keycloak admin, rather than creating users for each realm to access these endpoints. Is there a different authenticator other than AppAuthManager that I can use to do that?
    If that doesn't work is there a way to extend the admin api with custom realm endpoints like this SPI? Thanks again for the video.

    • @dasniko
      @dasniko  2 года назад

      With a token from a realm, you can only access resources from that realm. There's no cross-realm-thing. Realms are level of isolation. So, if you have an access_token from the master realm, it's only possible to authorize requests to master realm.

  • @PankajSingh-bt9hj
    @PankajSingh-bt9hj 2 года назад

    Hey Niko, Thanks for this video. Using this can I extend admin client'api as there is no API for search permission or list permission

    • @dasniko
      @dasniko  2 года назад +1

      You can't extend the admin API, but you can implement your custom endpoints (with proper auth(n,z)) and use them accordingly.

  • @CaptDrabadan
    @CaptDrabadan Год назад

    Hello, Thanks for the video! I have custom resources like in this video, but i want realize automatic exception handling. I have implemented ExceptionMapper interface and added @Provider annotation but it doesn't work. All exceptions are handled by the standard KeycloakErrorHandler. Could you tell me how to register my mapper?

  • @25500
    @25500 2 года назад

    which type of controllers are those?

    • @dasniko
      @dasniko  2 года назад

      What do you mean?

    • @25500
      @25500 2 года назад

      @@dasniko First time I see a controller that implements X, besides it does not have @Controller or @RestController annotations; @GET instead of @GetMapping etc

    • @dasniko
      @dasniko  2 года назад +1

      Imagine there is another world than Spring....
      Java is not only Spring!
      It's JAX-RS standard.

    • @25500
      @25500 2 года назад

      @@dasniko ohh, ok, thanks

  • @杨健-y5w
    @杨健-y5w 2 года назад

    Can I implment a custome rest resource to finish authenticate like OIDC endpoint?

  • @romanmed9035
    @romanmed9035 2 года назад

    can users self register?

    • @dasniko
      @dasniko  2 года назад

      Don‘t ask same questions on multiple videos.

    • @romanmed9035
      @romanmed9035 2 года назад

      @@dasniko ok

  • @dinunclv
    @dinunclv 6 месяцев назад

    It just does not work.

    • @dasniko
      @dasniko  6 месяцев назад

      Well, actually it DOES work, I'm using it in production. If it does not work on your side, then you do something wrong. 🤷‍♂️