JBoss.org Community Documentation

Keycloak Reference Guide

SSO for Web Apps and REST Services

1.2.0.Beta1


Preface
1. License
2. Overview
2.1. Key Concepts in Keycloak
2.2. How Does Security Work in Keycloak?
2.2.1. Permission Scopes
3. Installation and Configuration of Keycloak Server
3.1. Appliance Install
3.2. WAR Distribution Installation
3.3. Configuring the Server
3.3.1. Relational Database Configuration
3.3.2. MongoDB based model
3.3.3. JSON File based model
3.3.4. EAP6.x Logging
3.3.5. SSL/HTTPS Requirement/Modes
3.3.6. SSL/HTTPS Setup
3.4. Adding Keycloak server in Domain Mode
4. Providers and SPIs
4.1. Implementing a SPI
4.2. Registering provider implementations
4.2.1. Register a provider using Modules
4.2.2. Register a provider using file-system
4.2.3. Configuring a provider
4.3. Available SPIs
5. Running Keycloak Server on OpenShift
5.1. Create Keycloak instance with the web tool
5.2. Create Keycloak instance with the command-line tool
5.3. Next steps
6. Master Admin Access Control
6.1. Global Roles
6.2. Realm Specific Roles
7. Per Realm Admin Access Control
7.1. Realm Roles
8. Adapters
8.1. General Adapter Config
8.2. JBoss/Wildfly Adapter
8.2.1. Adapter Installation
8.2.2. Required Per WAR Configuration
8.2.3. Securing WARs via Keycloak Subsystem
8.3. Tomcat 6, 7 and 8 Adapters
8.3.1. Adapter Installation
8.3.2. Required Per WAR Configuration
8.4. Jetty 9.x Adapters
8.4.1. Adapter Installation
8.4.2. Required Per WAR Configuration
8.5. Jetty 8.1.x Adapter
8.5.1. Adapter Installation
8.5.2. Required Per WAR Configuration
8.6. JBoss Fuse and Apache Karaf Adapter
8.7. Javascript Adapter
8.7.1. Session status iframe
8.7.2. Older browsers
8.7.3. JavaScript Adapter reference
8.8. Spring Boot Adapter
8.8.1. Adapter Installation
8.8.2. Required Spring Boot Adapter Configuration
8.9. Installed Applications
8.9.1. http://localhost
8.9.2. urn:ietf:wg:oauth:2.0:oob
8.10. Logout
8.11. Multi Tenancy
8.12. JAAS plugin
9. Identity Broker
9.1. Overview
9.2. Configuration
9.3. Social Identity Providers
9.3.1. Google
9.3.2. Facebook
9.3.3. Twitter
9.3.4. Github
9.3.5. LinkedIn
9.3.6. StackOverflow
9.4. SAML v2.0 Identity Providers
9.5. OpenID Connect v1.0 Identity Providers
9.6. Automatically Select an Identity Provider
9.7. Examples
10. Themes
10.1. Theme types
10.2. Configure theme
10.3. Default themes
10.4. Creating a theme
10.4.1. Stylesheets
10.4.2. Scripts
10.4.3. Images
10.4.4. Messages
10.4.5. Modifying HTML
10.5. Deploying themes
10.6. SPIs
10.6.1. Account SPI
10.6.2. Login SPI
11. Email
11.1. Email Server Config
11.1.1. Enable SSL or TLS
11.1.2. Authentication
12. Application and Client Access Types
13. Roles
13.1. Composite Roles
14. Direct Access Grants
15. CORS
16. Cookie settings, Session Timeouts, and Token Lifespans
16.1. Remember Me
16.2. Session Timeouts
16.3. Token Timeouts
17. Admin REST API
18. Events
18.1. Event types
18.2. Event Listener
18.3. Event Store
18.4. Configure Events Settings for Realm
19. User Federation SPI and LDAP/AD Integration
19.1. LDAP and Active Directory Plugin
19.1.1. Edit Mode
19.1.2. Other config options
19.2. Sync of LDAP users to Keycloak
19.3. Writing your own User Federation Provider
20. Kerberos brokering
20.1. Setup of Kerberos server
20.2. Setup and configuration of Keycloak server
20.3. Setup and configuration of client machines
20.4. Example setups
20.4.1. Keycloak and FreeIPA docker image
20.4.2. ApacheDS testing Kerberos server
20.5. Credential delegation
20.6. Troubleshooting
21. Export and Import
22. Server Cache
22.1. Disabling Caches
22.2. Clear Caches
22.3. Cache Config
23. SAML SSO
23.1. SAML Entity Descriptor
24. Security Vulnerabilities
24.1. SSL/HTTPS Requirement
24.2. CSRF Attacks
24.3. Clickjacking
24.4. Compromised Access Codes
24.5. Compromised access and refresh tokens
24.6. Open redirectors
24.7. Password guess: brute force attacks
24.8. Password database compromised
24.9. SQL Injection attacks
24.10. Limiting Scope
25. Clustering
25.1. Configure a shared database
25.2. Configure Infinispan
25.3. Enable realm and user cache invalidation
25.4. Enable distributed user sessions
25.5. Start in HA mode
25.6. Enabling cluster security
25.7. Troubleshooting
26. Application Clustering
26.1. Stateless token store
26.2. Relative URI optimization
26.3. Admin URL configuration
26.4. Registration of application nodes to Keycloak
26.5. Refresh token in each request
27. Keycloak Security Proxy
27.1. Proxy Install and Run
27.2. Proxy Configuration
27.2.1. Basic Config
27.2.2. Application Config
27.3. Keycloak Identity Headers
28. Custom User Attributes
28.1. In admin console
28.2. In registration page
28.3. In user account profile page
29. OIDC Token and SAML Assertion Mappings
30. Migration from older versions
30.1. Migrate database
30.2. Migrate keycloak-server.json
30.3. Migrate providers
30.4. Migrate themes
30.5. Migrate application
30.6. Version specific migration
30.6.1. Migrating from 1.1.0.Final to 1.2.0.Beta1
30.6.2. Migrating from 1.1.0.Beta2 to 1.1.0.Final
30.6.3. Migrating from 1.1.0.Beta1 to 1.1.0.Beta2
30.6.4. Migrating from 1.0.x.Final to 1.1.0.Beta1
30.6.5. Migrating from 1.0 RC-1 to RC-2
30.6.6. Migrating from 1.0 Beta 4 to RC-1
30.6.7. Migrating from 1.0 Beta 1 to Beta 4
30.6.8. Migrating from 1.0 Alpha 4 to Beta 1
30.6.9. Migrating from 1.0 Alpha 2 to Alpha 3
30.6.10. Migrating from 1.0 Alpha 1 to Alpha 2