Thomas Darimont thomasdarimont
@thomasdarimont
thomasdarimont / ssf-support-design.md
Last active April 20, 2026 22:50
Design Document for Shared Signals Framework Transmitter Capability for Keycloak.

SSF Transmitter Support in Keycloak

Design-and-scope overview of the Shared Signals Framework (SSF) transmitter feature landed on branch issue/gh-xxx-ssf-tx-support-v1. Keycloak acts as an SSF Transmitter — receivers authenticated via OAuth pull signed Security Event Tokens (SETs) describing user / session / credential events that happen in the realm.

Feature flag: Profile.Feature.SSF — experimental, opt-in.

<div>
<span>A</span>
<input type="text" id="inputWithKeyboard">
</div>
<div>
<span>B</span>
<input id="inputWithoutKeyboard" type="text" readonly autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false">
</div>
@thomasdarimont
thomasdarimont / CustomAzureOidcIdentityProvider.java
Created February 3, 2026 17:22
Custom CustomAzureOidcIdentityProvider to support client assertions with managed identities
package com.github.thomasdarimont.keycloak.custom.idp.azure;
import com.google.auto.service.AutoService;
import lombok.val;
import org.keycloak.authentication.ClientAuthenticationFlowContext;
import org.keycloak.authentication.authenticators.client.FederatedJWTClientValidator;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.broker.oidc.OIDCIdentityProviderFactory;
import org.keycloak.broker.provider.IdentityProviderFactory;
@thomasdarimont
thomasdarimont / AcmeEmailSenderProvider.java
Created October 23, 2025 12:03
AcmeEmailSenderProvider
package com.github.thomasdarimont.keycloak.custom.email;
import com.google.auto.service.AutoService;
import org.keycloak.Config;
import org.keycloak.email.DefaultEmailAuthenticator;
import org.keycloak.email.DefaultEmailSenderProvider;
import org.keycloak.email.DefaultEmailSenderProviderFactory;
import org.keycloak.email.EmailAuthenticator;
import org.keycloak.email.EmailException;
import org.keycloak.email.EmailSenderProvider;
@thomasdarimont
thomasdarimont / README.md
Created October 9, 2025 23:28 — forked from Gregory-Ledray/README.md
Keycloak 26.4.0 on AWS with Fargate and Aurora Postgres

README

This gist is for reproducing keycloak/keycloak#43194

I built the Dockerfile with 3 sets of parameters, matching 26.2.3 with tag 260203, 26.3.5 with tag 260305, and 26.4.0 with tag 260400. Control which Dockerfile tag is used in CloudFormation with parameter overrides, like --parameter-overrides ImageUrl=public.ecr.aws/d4y1q9n5/keycloak-only-intelligentrxcom:260203

Steps for deploying each CloudFormation template are below. I did:

  1. Deployed 26.2.3 (worked)
  2. Updated by deploying with 26.3.5 (failed, and had to fix keycloak-only.yml)
  3. Updated by deploying with 26.2.5 `aws cloudformation deploy --template-file ./keycloak-only.yml --stack-name KeycloakOnly --capabilities CAPABILITY_NAMED_IAM --parameter-overrides ImageUrl=public.ecr.aws/d4y1q9n5/keycloak-only-intelligentrxcom:260205` (success)
  4. Updated by deploying with 26.3.5 `aws cloudformation deploy --template-file ./keycloak-only.yml --stack-name KeycloakOnly --capabilities CAPABILITY_NAMED_IAM --parameter-o
@thomasdarimont
thomasdarimont / TokenStatusList.java
Last active October 9, 2025 14:04
Initial tests for working with Token Status List (TSL) compressed statuslists.
package net.openid.conformance.oauth.statuslists;
import java.io.ByteArrayOutputStream;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.Inflater;
/**
* A wrapper around a compressed status list from the Token Status List (TSL).
* See: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-status-list-12
@thomasdarimont
thomasdarimont / KeycloakAtbcaApplication.java
Last active September 29, 2025 20:41
Attestation based Client Authentication Test-Client
package com.thomasdarimont.keycloak.labs.keycloakatbca;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSVerifier;
@thomasdarimont
thomasdarimont / CustomKeycloakOIDCFilterWithPkceSupport.java
Last active May 7, 2025 20:57
PoC for a CustomKeycloakOIDCFilter with PKCE support
package demo;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.AuthenticatedActionsHandler;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OAuthRequestAuthenticator;
import org.keycloak.adapters.OIDCAuthenticationError;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.PreAuthActionsHandler;
import org.keycloak.adapters.RequestAuthenticator;
@thomasdarimont
thomasdarimont / gist:c7a90dabccbaed926fbfd388a4c5088a
Created May 7, 2025 12:09
Keycloak 26.0.9 Directory Structure
tom@tesla ~/dev/playground/keycloak/keycloak-26.0.9
$ tree
.
├── bin
│   ├── client
│   │   ├── keycloak-admin-cli-26.0.9.jar
│   │   └── lib
│   │       ├── bcprov-jdk18on-1.78.1.jar
│   │       ├── keycloak-crypto-default-26.0.9.jar
│   │       └── keycloak-crypto-fips1402-26.0.9.jar
@thomasdarimont
thomasdarimont / readme.md
Last active March 24, 2025 13:05
API Sketch - Using different types to restrict available fields
class ClientCreate extends ClientUpdate {
    String type;
    // properties mandatory for creation
}

class ClientUpdate {
    String name;
    String description;