Big thanks for your contribution.
With your tutorial, I was able to create my own user storage provider.
It made a huge difference.
Is there any platform to discuss issues with the examples? Currently trying to implement an endpoint as described here, but getting a 404.
In the documentation it is not mentioned that the provider ID is part of the context path so I was stuck, thanks a lot for sharing!
Hi, can you please explain how to link? I didn't understand the Keycloak documentation.
Can you please add another video to explain how to configure and deploy this extension?
I want my resources to use a different model to Authorization (not authentication), based on application specific roles and permission. Do you think above will fit as a solution?
How to configure this custom provider in keycloak?
Thank you for the video. I have added a custom REST resource the same way to achieve my use case (develop an API over a Keycloak client which gives me the list of apps where the client's roles are added in scope mappings, e.g. /auth/realms/kc12/clients/47a9cd6e-6272-4efd-ac91-f5af97992b9d/linked-scope-mappings).
I want this API to use the authentication of the master realm and have admin-cli as azp.
1. Can you suggest how I can achieve this?
2. Also, is there any way to add the custom resources over the /admin endpoints? (I will be using this endpoint from my service along with other management APIs.)
Hello Niko,
I'm getting the error below when I try to build a KeycloakBuilder object in Keycloak:
ERROR: org.eclipse.microprofile.config.spi.ConfigSource: org.jboss.resteasy.microprofile.config.ServletConfigSource not a subtype
I appreciate your attention and input.
Thanks in advance.
Hi, I'm trying to log in with OTP. That is working on the UI. So, when I insert the GSM number, I get the OTP code, and after that, when I insert the code, I can log in. All of that is OK, but how does this work on an API server? I want to log in at an API endpoint without the UI web page.
How is your question related to this video?
@@dasniko Actually not related. While I was searching about my issue, I found this video the most related. Actually I know you, you are an expert on Keycloak, so that's why I asked you.
Please note, as also mentioned in each video description, I don't give support through YT comments, as this is not the proper place to do so. There are other known forums, discussions and groups available for that (mentioned on the KC website), where also other experts, besides me, are around and willing to help. Thanks for your understanding.
@@dasniko I haven't found any Keycloak forum. Could you direct me to one?
Hi, can two clients in the same realm communicate with each other on Keycloak? If yes, how? If no, why?
Thank you for sharing this useful video. I have two questions. First, I don't know how I can deploy this custom endpoint into the Keycloak server. I think you didn't point it out in this video. Second, is there any way to debug and have a breakpoint inside the created module? In fact, I want to deploy this module in IntelliJ in debug mode and, when I call this API from Postman, I want to hit a breakpoint and check the input data. Is this possible?
Your first question: see the official Keycloak developer guide, it's mentioned there!
Your second question: if you deploy your extension into a container, you can enable debug mode and open the debugger port; this way you can attach a remote debugger from your IDE.
@@dasniko Thank you for your response. I have installed my custom SPI into Keycloak successfully and I can call my custom API and Keycloak returns my response correctly. Also, I enabled remote debugging and my breakpoints work successfully. My problem is, after any change to my code, I need to build the jar, put it inside the Keycloak source, build and rerun Keycloak. Is there any way to do it on the fly? I mean, when I change code in my SPI, I could run it and see results and catch breakpoints.
@@hamedhariri-g5f Keycloak does not support hot-code-replacement
Thanks for this tutorial! Please, do you know how to modify the OpenID authorization endpoint from /auth to /authorize as exposed in the .well-known/openid-configuration URL?
There's no need to change the path.
For our cases we have this need.
On my side we use another solution (we call it solution A) for authentication (like Keycloak) that uses /authorize as the authorization endpoint (/auth in Keycloak).
Our existing applications use a library that is configured with only the issuer. This library uses /authorize (hard-coded suffix).
We don't want the impact of modifying the applications. The cost is significant.
When our authentication solution A breaks down, Keycloak takes over. So our client library doesn't find the /authorize endpoint in Keycloak.
That is why I asked how we can change this endpoint from /auth to /authorize.
Thanks for your help!
@@ahmedzenakhi3087 If you have such a requirement and want to change how third party apps work and adjust them to your sadly configured environment, you are doomed! Instead, work on your environment so that it is properly configurable and doesn't rely on path names. That's not how the whole stuff works.
Hi Niko, I followed your video to create a custom REST resource. Creating and deploying it to Keycloak caused no issues. I am running into the issue that whenever I call the checkAuth() method, it throws an exception. I make the requests with a valid token, but the AuthResult auth keeps being null. I am using Keycloak 19.0.2. Do you have any idea why this AuthResult keeps being null?
If the AuthResult is null, then there is something wrong with the token. 🤷♂️
@@dasniko Decided to give it another try today. Somehow it works now. Thanks for the guide and the reply!
Is it possible to override-enrich default /roles endpoint of keycloak-server?
Thank you
Overriding built-in behavior is mostly not the proper way of doing things and may cause Keycloak to break and stop working. The extensions are there to extend the product with your custom logic. There's also an SPI for extending the admin REST API.
@@dasniko Thank you. So, you suggest not overriding the default endpoint, but rather creating a custom one? Or is there a proper way for extending the mentioned default endpoint through an SPI that implements AdminRealmResourceProviderFactory, AdminRealmResourceProvider, EnvironmentDependentProviderFactory?
Great tutorial! It works like a charm. Is it possible to use tokens issued for other clients than the admin-cli one? When I authenticate against my other clients (same realm!) and try to use that token in the custom endpoint, auth is always null. As soon as I use the admin-cli token, it works.
I'd like the users of the specific client to use my new endpoint with their client token as well.
Thanks a lot!
Tried to add the audience to "admin-cli" with a Client Scope Mapper - strangely this worked 1 or 2 times, now I get 401 again
When I add a 'private final KeycloakSession session' line to my SpringBoot application, it raises an error: Parameter 0 of constructor in com.... required a bean of type 'org.keycloak.models.KeycloakSession' that could not be found. Do you have an idea for the solution? Thanks
I want to do it, but I don't know how to open a Java project like you showed at 2:37.
Sorry, but I can't give support on basic Java topics; there's plenty of stuff around on the internet.
Thanks for the informative videos. Could you perhaps make a video about Keycloak offline tokens and their use? I am currently looking for a way to implement a kind of one-time token and came across offline tokens in the process. Unfortunately there isn't much to be found about them online. I'd be glad if you explained it to us properly.
Thanks for the feedback. I've put offline tokens on my list, but that's no guarantee that I'll actually do something about it.
In general, though, one-time and offline tokens are two different things. So offline tokens may not be what you want.
Thank you first of all for those in-depth looks in keycloak on different factories.
I'm facing the following issue: I'm trying to integrate Keycloak as the identity provider of my Android application. The token endpoint works well, but in this app we need OTP. I've implemented it and added it to the flow, and it works fine when it's browser based, but what I want is to hit the specific endpoint /login-action, the "action" part in which the code is verified.
For some reason it doesn't work. I tried to mimic the behavior of the browser by sending a similar response after the username and password validation, and use those parameters for the second call, but I always get a bad request status.
Is there a way to achieve that? Thank you
PS: I don't want to use a webview or the AppAuth Android library if possible
Well, what you want and don't want is different from what is secure. See links:
www.oauth.com/oauth2-servers/mobile-and-native-apps/#:~:text=The%20current%20best%20practice%20is%20to%20use%20the%20Authorization%20Flow%20with%20PKCE%2C%20along%20with%20launching%20an%20external%20browser%2C%20in%20order%20to%20ensure%20the%20native%20app%20cannot%20modify%20the%20browser%20window%20or%20inspect%20the%20contents.
datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-18#section-2.4
www.scottbrady91.com/oauth/why-the-resource-owner-password-credentials-grant-type-is-not-authentication-nor-suitable-for-modern-applications
Hi Niko, it's a great video, which I was looking for to implement custom REST endpoints. I have a Keycloak container (docker); then I create the custom REST endpoints and I want to build and publish them to my current Keycloak container to test them like in the video you show with the Inertia REST client.
Is it correct that I just build it to JAR file with Maven then send it to Keycloak container in directory opt/keycloak/providers then re-build the Keycloak container with command kc.[sh|bat] build?
Thanks.
Should work
Hi, thanks @Niko for the video; it explains a lot about Keycloak extensions and how they work. But, if it's OK, regarding @Kresna's comment, I have the same structure (docker, jar) and I'm new to Java and trying to build the jar from IntelliJ, but I can't find a solution yet for how to do it. So, if possible, could you make a video on how we can write a custom Keycloak extension, how we can run it locally to test it with Keycloak in docker, and also how we can build the extension jar and add it to Keycloak? That would be great; I think it will help a lot of people. Thanks in advance.
Niko, thanks for the video! Is there any way I can authenticate using a token issued by the master realm? I would like to limit access to these realm endpoints to our Keycloak admin, rather than creating users for each realm to access these endpoints. Is there a different authenticator other than AppAuthManager that I can use to do that?
If that doesn't work is there a way to extend the admin api with custom realm endpoints like this SPI? Thanks again for the video.
With a token from a realm, you can only access resources from that realm. There's no cross-realm thing. Realms are a level of isolation. So, if you have an access_token from the master realm, it's only possible to authorize requests to the master realm.
Hey Niko, thanks for this video. Using this, can I extend the admin client's API, as there is no API for searching or listing permissions?
You can't extend the admin API, but you can implement your custom endpoints (with proper auth(n,z)) and use them accordingly.
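An added example (not the video's or Niko's code) of what "proper auth(n,z)" in a custom realm resource can look like, and of the null AuthResult discussed above: the bearer token is validated against the request's realm with AppAuthManager.BearerTokenAuthenticator, a null AuthResult becomes a 401, and a separate realm-role check gates the endpoint with a 403. It assumes Keycloak 19.x (javax.ws.rs packages; jakarta.ws.rs on Keycloak 22+), a hypothetical package name, a hypothetical realm role my-endpoint-user, and a RealmResourceProviderFactory (not shown) returning the provider id my-resource, which becomes part of the path.

```java
// Added example, not code from the video. Assumes Keycloak 19.x (javax.ws.rs);
// on Keycloak 22+ change the javax.ws.rs imports to jakarta.ws.rs.
package example.keycloak; // hypothetical package name

import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.keycloak.models.KeycloakSession;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager.AuthResult;
import org.keycloak.services.resource.RealmResourceProvider;

// The matching RealmResourceProviderFactory (not shown) returns the id "my-resource",
// so this resource is served under /realms/{realm}/my-resource/ (the provider id is
// part of the context path).
public class MyRealmResourceProvider implements RealmResourceProvider {

    private final KeycloakSession session;

    public MyRealmResourceProvider(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public Object getResource() {
        return this; // plain JAX-RS resource, no Spring involved
    }

    @Override
    public void close() {
    }

    // GET /realms/{realm}/my-resource/hello
    @GET
    @Path("hello")
    @Produces(MediaType.APPLICATION_JSON)
    public Response hello() {
        AuthResult auth = checkAuth();              // 401 if the bearer token is missing or invalid
        requireRealmRole(auth, "my-endpoint-user"); // 403 unless the caller holds the (hypothetical) role
        String username = auth.getUser().getUsername();
        return Response.ok("{\"hello\":\"" + username + "\"}").build();
    }

    // Validates the Authorization: Bearer token against the realm of the current request.
    // The authenticator returns null for any token it does not accept (missing header,
    // expired, bad signature, issued by another realm, ...), so null means "not authenticated".
    private AuthResult checkAuth() {
        AuthResult auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
        if (auth == null) {
            String realm = session.getContext().getRealm().getName();
            throw new NotAuthorizedException("Bearer realm=\"" + realm + "\"");
        }
        return auth;
    }

    // Authorization is separate from authentication: a valid token alone is not enough.
    private void requireRealmRole(AuthResult auth, String roleName) {
        AccessToken token = auth.getToken();
        AccessToken.Access realmAccess = token.getRealmAccess();
        if (realmAccess == null || !realmAccess.isUserInRole(roleName)) {
            throw new ForbiddenException("missing realm role " + roleName);
        }
    }
}
```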
Hello, thanks for the video! I have custom resources like in this video, but I want to realize automatic exception handling. I have implemented the ExceptionMapper interface and added the @Provider annotation, but it doesn't work. All exceptions are handled by the standard KeycloakErrorHandler. Could you tell me how to register my mapper?
which type of controllers are those?
What do you mean?
@@dasniko First time I see a controller that implements X, besides it does not have @Controller or @RestController annotations; @GET instead of @GetMapping etc
Imagine there is another world besides Spring....
Java is not only Spring!
It's JAX-RS standard.
@@dasniko ohh, ok, thanks
Can I implement a custom REST resource to finish authentication like the OIDC endpoint?
can users self register?
Don't ask the same questions on multiple videos.
@@dasniko ok
It just does not work.
Well, actually it DOES work, I'm using it in production. If it does not work on your side, then you do something wrong. 🤷♂️