Describe the bug

Script such as migrate-standalone-ha.cli fail to run in Keycloak 16.1.0 because it tries to update parts of the configuration file that are no longer present in wildfly

workaround: if you are upgrading from version 15, remove everything and only keep the changes from 15 to 16

Version

16.1.0

Expected behavior

Running the upgrade scrpits (e.g. migrate-standalone-ha.cli) should work as prescribed in the documentation

Actual behavior

the scripts (e.g. migrate-standalone-ha.cli) fail to run

How to Reproduce?

Just follow the upgrade documentation and run any of the upgrade scripts in version 16.1.0

Anything else?

No response

Description

I am requesting an enhancement (a creation) of official Keycloak documentation for Application Initiated Actions, which go into more technical detail than just the design document.

It is a small addition to the docs, but I am sure this will save a load of people which want to implement AIA in their apps a lot of time that is currently used in experimenting around to get it to work.

Discussion

No response

Motivation

Documentation on Application Initiated Actions right now seems to be limited to the design document, some (for not React developers) confusing react frontend code and a google groups entry pointing to both the latter.

It is okay and all to have a feature that "pretty much turned out as designed" but there is still a need for improvement on this documentation.

Details

My Proposals for this documentation are:

• What are kc_action Keywords like UPDATE_PASSWORD, UPDATE_PROFILE, etc.?
• Explicitly mention the need to have kc_action value as ALL CAPS (otherwise resulting in a confusing error message)
• Which Endpoint and GET Parameters are required (Parallel to the design document)?
• When should AIAs be used?
• Is there (if any) implementation into the Client SDKs?

Description

Update documentation for the switch to Quarkus distribution being the default distribution. WildFly steps are being left in the documentation for now until we remove the WildFly distribution, but won't be displayed in community documentation.

List of current documentation and what needs updating:

• Authorization services
• Securing applications
• Server admin
• Server development
• Upgrading

The following does not need updating:

• Server installation and configuration: replaced by new server guides (https://github.com/keycloak/keycloak/tree/main/docs/guides)
• Getting started: replaced by new getting started guides, which will be updated through a separate issue
• OpenShift: RH-SSO only guides, which won't be updated for now

This issue does not cover migration from WildFly dist to Quarkus dist, which will be covered by separate issues.

Discussion

No response

Motivation

No response

Details

No response

Describe the bug

The "look-ahead window" of TOTP became "look around window", but the document is still "look-ahead window".

Version

15.0.2

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Describe the bug

Themes deployment documentation

Mentions that theme files should be in the themes folder, should be theme.

Version

16.1.1

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Description

Regarding to changes in the RP-Initiated Logout in Keycloak main and related changes in the node.js adapter (more details in the keycloak/keycloak-nodejs-connect#359 ), there is a need to adjust documentation a bit.

Discussion

No response

Motivation

No response

Details

No response

Describe the bug

Keycloak 17.0.0 "Configuring distributed cache" guide states that:

The following table shows transport stacks that are available without any further configuration than using the --cache-stack build option:
- tcp
- udp
- kubernetes

Actualy the 'kubernetes' cache stack requires the Java property jgroups.dns.query to be set. This property should be set to a Kubernetes keycloak headless service FQDN.
This property can be added to the JAVA_OPTS env var by adding -Djgroups.dns.query=[headless-service FQDN]

Version

17.0.0

Expected behavior

Include required property documentation

Actual behavior

Misses required property documentation

How to Reproduce?

No response

Anything else?

No response

Describe the bug

Recently I cloned the keycloak-documentation, switched to tag 4.8.3.Final, and followed the instructions. It generates all documentation except the REST API manual.
The same thing happens for tag 16.0.0, 5.0.0, and others.

I posted a question about this at keycloak/keycloak#8913

Is there a bug in the build procedure?

Version

4.8.3

Expected behavior

It should generate the documentation

Actual behavior

The REST API manual is not generated (others are however).

How to Reproduce?

No response

Anything else?

Note that searching via grep in keycloak-documentation for phrases that are clearly in the documentation for the REST API (I picked phrases from the online documentation) gives no results. It is as if the raw material is simply NOT in keycloak-documentation for the REST API...?

Describe the bug

The documentation here https://www.keycloak.org/docs/latest/server_installation/#_proxymappings says:

# Configure the proxy-mappings
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=[".*\\.(google|googleapis)\\.com;http://www-proxy.acme.com:8080",".*\\.acme\\.com;NO_PROXY",".*;http://fallback:8080"])

But in version 25, value is no longer an array, but a string. This works:

# Configure the proxy-mappings
/subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value="[\".*\\.(google|googleapis)\\.com;http://www-proxy.acme.com:8080\",\".*\\.acme\\.com;NO_PROXY\",\".*;http://fallback:8080\"]")

Notice value is now a string and the quotes are escaped.

Version

16.1.0

Expected behavior

Following the proxy configuration documentation should work. instead we get a wildfly error

Actual behavior

We get an error from Wildfly if we follow the documentation

How to Reproduce?

Just follow the documentation and install a proxy

Anything else?

No response

Description

Make the necessary changes to reflect the removal of the upload script feature.

See keycloak/keycloak#9865.

Discussion

No response

Motivation

No response

Details

No response

Describe the bug

The documentation for version 16.1 of Keycloak mentions that a "update password action" will be set for every user in the affected realm when configuring a new password policy.

After saving the policy, Keycloak enforces the policy for new users and sets an Update Password action for existing users to ensure they change their password the next time they log in.
https://www.keycloak.org/docs/latest/server_admin/#_password-policies

Compared to the old text in the v 15.0.2 documentation.
https://www.keycloak.org/docs/15.0/server_admin/#_password-policies

After saving your policy, user registration and the Update Password required action will enforce your new policy. An example of a user failing the policy check:
If the password policy is updated, an Update Password action must be set for every user. An automatic trigger is scheduled as a future enhancement.

the wording was changed considerably in this commit: ba80727#diff-557f09ffc0aaabd2c33c1d43b354bb99c05a573c4ada6f1af6a0f7a534d4c2ccL17-L24

With my installation of Keycloak 16.1.0 I cannot observe the new functionality and the release notes do not mention such a feature. Is this a documentation error or should this work and I'd have to open an issue in the Keycloak code repository?

Version

16.1.0

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Describe the bug

Code samples in the docs can't be copied and pasted and run because they contain invalid chars (specifically zero-width spaces)

Version

n/a

Expected behavior

Go to e.g. https://www.keycloak.org/docs/latest/securing_apps/#usage-2 and copy the code into a file. It should be able to run.

Actual behavior

/Users/xxx/keycloak-err.js:1
​var session = require('express-session');


SyntaxError: Invalid or unexpected token
    at wrapSafe (internal/modules/cjs/loader.js:979:16)
    at Module._compile (internal/modules/cjs/loader.js:1027:27)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1092:10)
    at Module.load (internal/modules/cjs/loader.js:928:32)
    at Function.Module._load (internal/modules/cjs/loader.js:769:14)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:72:12)
    at internal/main/run_main_module.js:17:47

How to Reproduce?

^

Anything else?

No response

Description

Hi

I just read the documentation (17.0.0) and i saw that the select_account parameter is not available for the prompt option.

From : https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

select_account
The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically account_selection_required.

May you provide this feature in the future ?

Thanks

Discussion

No response

Motivation

This could be useful to switch using multiple accounts (personal, pro, ...)

Details

No response

Description

Address issue with instructions for RPM upgrade

Discussion

No response

Motivation

No response

Details

No response

Description

Too many Rest API endpoints are not documented, and only way to know about them is through the inspect window of the browser at the "Administrator Console" page

Discussion

No response

Motivation

To avoid unintentional bugs due to miss use of an Endpoint

Details

I have been using Keycloak REST API for awhile now, and I always find missing endpoints in the REST API Documentations, which I can get only by inspecting the window of the browser when I'm in the "Administrator Console" page as shown in the following image example:

This actually causes a lot of issues, like what parameters affects a specific endpoint differently.

For example, I made a function to get all the resources of a specific client so I used this {your-keycloak-server}/admin/realms/{realm}/clients/{id}/authz/resource-server/resource
and it turned out that the endpoint will max out the response to 100 records by default!
So, in that case I thought of settings the "max" parameter in the url to very big number like this {your-keycloak-server}/admin/realms/{realm}/clients/{id}/authz/resource-server/resource?max=9999999, but after multiple attempts to resolve that with better solution, I found that you could disable the max only if you set it to -1 like this {your-keycloak-server}/admin/realms/{realm}/clients/{id}/authz/resource-server/resource?max=-1

Hence, I hope someone shed some light, if there is a reason these endpoints are not documented, or if they just missed. If they are missed, then we should start adding them to the documentations. What do you think?

Describe the bug

Keycloak 17.0.0 Server Administration Guide mentions that the default CIBA authentication channel provider configuration has to be performed by adding the following configuration:

<spi name="ciba-auth-channel">
    <default-provider>ciba-http-auth-channel</default-provider>
    <provider name="ciba-http-auth-channel" enabled="true">
        <properties>
            <property name="httpAuthenticationChannelUri" value="https://backend.internal.example.com"/>
        </properties>
    </provider>
</spi>

I guess this is valid for Wildfly based Keycloak.
How is it possible to configure the default CIBA auth channel provider on Quarkus based Keycloak ?

Version

17.0.0

Expected behavior

Document CIBA configuration for Quarkus based Keycloak

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Describe the bug

This command is missing an underscore

sudo yum install keycloak-adapter-sso7_5eap6

Version

16

Expected behavior

The correct command is
sudo yum install keycloak-adapter-sso7_5-eap6

Actual behavior

No response

How to Reproduce?

Follow the documentation: https://www.keycloak.org/docs/latest/securing_apps/index.html

Anything else?

No response

Describe the bug

This resulted in the following.

Version

master

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Description

Recovery codes is a new preview features in upstream Keycloak that allows a user to log into their account with a recovery code in case they lose access to other 2FA login methods.

Discussion

No response

Motivation

No response

Details

No response

Description

The migration guide for Keycloak 17 [1] should be updated to add steps to upgrade from Keycloak.X preview distribution to new default Quarkus distribution.

[1] changes-17_0_0.adoc in https://github.com/keycloak/keycloak-documentation/tree/main/upgrading/topics/keycloak

Discussion

No response

Motivation

No response

Details

No response

I don't believe the documentation in this repository is explicitly licensed right now although there is
this .

Using the Apache License 2.0 makes sense, just about the only other different license that might be sensible for this documentation would be CC BY. The choice is basically - "use the same license we use for code" (Apache License) vs. "use a license similar in permissiveness to our software license that is arguably more suited to documentation" (CC BY).

Description

We may need some documentation for the authenticator, which was merged into Keycloak main. See keycloak/keycloak#10077 for the details.

What to document:

• Describe how to enable session limit feature with the authenticator. Describe that there is possibility for limit of sessions per user and also sessions per user+client.

• Describe that this needs to be added to all the flows to make sure it is working:

  • Browser flow
  • Reset-password flow
  • identity broker login (can be addressed with custom post-broker-login flow set to each identity provider in the realm)
  • Direct grant (Resource owner password credentials) - For this one, it is OK if only the option of kill last session is used (Resource owner password credentials cannot display error message as it does not have access to the browser)
  • Describe that this won't be available for CIBA

Discussion

No response

Motivation

No response

Details

No response

Describe the bug

Originally from: [KEYCLOAK-15065] Error in Multi-Tenancy example code snippet - Red Hat Issue Tracker

https://www.keycloak.org/docs/latest/securing_apps/#_multi_tenancy has an example:

But (I think) there are some problems with it. Where do the path and realm variables come from? Aren't these unknown?

package example;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;

public class PathBasedKeycloakConfigResolver implements KeycloakConfigResolver {

    @Override
    public KeycloakDeployment resolve(OIDCHttpFacade.Request request) {
        if (path.startsWith("alternative")) {
            KeycloakDeployment deployment = cache.get(realm);
            if (null == deployment) {
                InputStream is = getClass().getResourceAsStream("/tenant1-keycloak.json");
                return KeycloakDeploymentBuilder.build(is);
            }
        } else {
            InputStream is = getClass().getResourceAsStream("/default-keycloak.json");
            return KeycloakDeploymentBuilder.build(is);
        }
    }

}

Version

Doesn't matter

Expected behavior

I expect the code to be valid

Actual behavior

The code is invalid

How to Reproduce?

No response

Anything else?

No response

Description

Release notes for Keycloak 17 has to contain information around the switch to Quarkus as the default distribution.

Discussion

No response

Motivation

No response

Details

No response

Description

On the migration guide, specify that some external extensions can cause issues, e.g. aerogear with this new version

Discussion

No response

Motivation

No response

Details

No response

Describe the bug

Page not found.

Version

null

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Describe the bug

When you go to https://www.keycloak.org/archive/downloads-15.1.1.html or https://www.keycloak.org/archive/downloads-16.0.0.html , the links for the Quickstarts are pointing to main (github) or to latest (zip) and not to the proper TAG.

Version

15.1.1

Expected behavior

Point to the TAG in github

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Describe the bug

server_installation/topics/operator/keycloak-cr.adoc says:

keycloak-discovery Service - Performs JDBC_PING discovery

But it seems that the operator implementation uses DNS_PING, not JDBC_PING.

Source code: https://github.com/keycloak/keycloak-operator/blob/main/pkg/model/keycloak_deployment.go

Version

16.1.0

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Describe the bug

At https://www.keycloak.org/docs/latest/getting_started/index.html#logging-into-the-account-console the link http://localhost:8080/auth/realms/demo/account
could be wrong. The right one should be
http://localhost:8080/realms/demo/account/

Version

15.0.2

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Description

Highlight changes from #1277

Discussion

No response

Motivation

No response

Details

No response

Describe the bug

Originally [KEYCLOAK-16697] Documentation: User Storage SPI should document the UserStorageProvider.Stream interface - Red Hat Issue Tracker:

File: server_development/topics/user-storage/provider-interfaces.adoc and https://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi

provider-interfaces.adoc still documents to implement the UserStorageProvider interface, but from reading the code and KEYCLOAK-16341 it is clear that new code should implement the UserStorageProvider.Stream interface as all the interesting methods in the old UserStorageProvider interface are marked as deprecated.

See KEYCLOAK-16341 and 84df008bc2173df12b6cbfa58047ebc120d1f413

Version

Doesn't matter

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Describe the bug

This statement needs to be removed from the Server Administration Guide

Version

15

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Describe the bug

See description of #1421 for the details.

Version

17.0.0-SNAPSHOT

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Describe the bug

when creating the script as instructed ...,
META-INF/keycloak-scripts.json
my-script-authenticator.js
my-script-policy.js
my-script-mapper.js

after installation and the next time the user logs in, there is an error was reported that in the services directory was unable to find factory for AuthenticatorFactory.

Version

15.1.1

Expected behavior

In the documentation for creating a script using javascript, the services directory is not specified

Actual behavior

Error message without services directory :
[org.keycloak.services] (default task-4) KC-SERVICES0013: Failed authentication: java.lang.RuntimeException: Unable to find factory for AuthenticatorFactory: script-my-script-authenticator.js did you forget to declare it in a META-INF/services file?

How to Reproduce?

the error occurs only when you have already installed a JAVA module (also a .jar file) in the directory deployments

Anything else?

it's probably a system error, but I think it's necessary to mention a possible conflict in the documentation

Describe the bug

When clicking the below "Getting Started" link,

404 is displayed.

Version

16.1.1

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Description

As the WebAuthn feature will be enabled by default even for the product version, it's necessary to revise documentation for that.

Describe the bug

The source for the next build of the Keycloak Server Administration guide is missing a step in the SSD section

https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/user-federation/sssd.adoc

Version

16

Expected behavior

The currently published is correct
https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd

Actual behavior

Step 2 needs to be reinstated in the source

Run the provisioning script available from the Keycloak distribution:

$ bin/federation-sssd-setup.sh

How to Reproduce?

See this file:
https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/user-federation/sssd.adoc

Anything else?

No response

Describe the bug

When configuring a database and providing only a JDBC URL containing credentials, the default values for db-username and db-password are always considered instead of using the credentials from the JDBC URL.

./kc.sh start-dev --db mssql --cache local --db-url "\"jdbc:sqlserver://localhost;databaseName=keycloak;username=user;password=pw\""

When running the example above, the credentials set in the JDBC URL are ignored and the connection is estabilished using the default values sa and password set to the db-username and db-password, respectively.

Version

16.1.1

Expected behavior

If credentials are set in the JDBC URL, they should take precedence over the defaults for db-username and db-password.

If both options are explicitly set, then their values should take effect.

Actual behavior

Credentials set in JDBC URL are ignored even though db-username and db-password weren't set.

How to Reproduce?

./kc.sh start-dev --db mssql --cache local --db-url "\"jdbc:sqlserver://localhost;databaseName=keycloak;username=user;password=pw\""

Anything else?

No response

Description

The docs mention a specific OpenShift version at some places, e.g. in the operator installation guide. This is not the correct place to mention the supported versions.

Discussion

No response

Motivation

No response

Details

No response

Describe the bug

I m trying to create a new group with clients role using following API

my curl:

curl --location --request POST 'https://hostname/auth/admin/realms/master/groups'
--header 'Content-Type: application/json'
--header 'Authorization: Bearer eyJhbGciOi...'
--data-raw '{
"name": "testingRole"
"path": "/testingRole",
"attributes":

{ "test_attr": [ "true" ] }
,
"realmRoles": [],
"clientRoles":

{ "TestClient": [ "ROLE_TEST" ] }
,
"subGroups": [],
"access":

{ "view": true, "manage": true, "manageMembership": true }
}'

Once done, you will see a new group named testingRole under master realm. But if we got to role mappings section and select testingRole from Client Roles, no roles are assigned.

Version

11.0.3 and 14.0.0

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response

Description

Add a documentation dist archive that contains the built documentation. This can then be uploaded to GitHub releases as part of a release.

Discussion

No response

Motivation

No response

Details

No response

Description

WebAuthn idless was community contribution already added into Keycloak "main" . This task is only about adding release notes for it.

Discussion

No response

Motivation

No response

Details

No response

Describe the bug

The link to the blog from the README goes to a dead link

Version

NA

Expected behavior

click link blog site opens

Actual behavior

click link gets a 404 error

How to Reproduce?

Go here https://github.com/keycloak/keycloak-documentation, scroll down to the beginning of the readme click the blog link

Anything else?

No response

Description

The SSL connection has been enabled in KEYCLOAK-19442 and it's needed to add the documentation about this change

Discussion

No response

Motivation

No response

Details

No response

Describe the bug

https://github.com/keycloak/keycloak-documentation/blob/main/release_notes/index.adoc is missing include for 16.1.0. The contents is there in https://github.com/keycloak/keycloak-documentation/blob/main/release_notes/topics/16_1_0.adoc

Version

16.1.0

Expected behavior

16.1.0 release notes are rendered in https://www.keycloak.org/docs/latest/release_notes/

Actual behavior

16.1.0 release notes are not rendered in https://www.keycloak.org/docs/latest/release_notes/

How to Reproduce?

No response

Anything else?

No response

Description

This is documentation issue for the codebase issue keycloak/keycloak#10887 .

Documentation will need to be updated in the release notes, migration and few other places.

Discussion

No response

Motivation

No response

Details

No response

Description

It should be possible to specify a timeout, say 2 minutes, for the updateToken HTTP request. Currently if the HTTP request is stuck as "Pending", Keycloak will be stuck and can't refresh the token anymore (due to how the updateToken method is implemented).

Discussion

No response

Motivation

If the HTTP request is stuck, Keycloak JavaScript adapter can't update the token anymore even with repeated updateToken requests.

Details

This could be specified as an option when constructing Keycloak. Alternatively (less ideal in my opinion), as a parameter to updateToken method.

The timeout is simple to implement with https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/timeout.

Hi,
When I browse the documentation, main page seems outdated. I was searching for the code to fix ot but im kind of confuse. The highlights of the page is for version 9.03 and the links for the APIs pages are redirecting to 9.0 while others are pointing out to the 'latest'

Describe the bug

Was getting "HTTP 404 Not Found" error while trying to invoke any of the admin REST endpoints, but it worked after i added "admin" to the base path. e.g http://localhost:9000/admin/realms/{realm}/users

Version

null

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Anything else?

No response