Thomas Darimont thomasdarimont
@thomasdarimont
thomasdarimont / README.md
Created October 9, 2025 23:28 — forked from Gregory-Ledray/README.md
Keycloak 26.4.0 on AWS with Fargate and Aurora Postgres

README

This gist is for reproducing keycloak/keycloak#43194

I built the Dockerfile with 3 sets of parameters, matching 26.2.3 with tag 260203, 26.3.5 with tag 260305, and 26.4.0 with tag 260400. Control which Dockerfile tag is used in CloudFormation with parameter overrides, like --parameter-overrides ImageUrl=public.ecr.aws/d4y1q9n5/keycloak-only-intelligentrxcom:260203

Steps for deploying each CloudFormation template are below. I did:

  1. Deployed 26.2.3 (worked)
  2. Updated by deploying with 26.3.5 (failed, and had to fix keycloak-only.yml)
  3. Updated by deploying with 26.2.5 `aws cloudformation deploy --template-file ./keycloak-only.yml --stack-name KeycloakOnly --capabilities CAPABILITY_NAMED_IAM --parameter-overrides ImageUrl=public.ecr.aws/d4y1q9n5/keycloak-only-intelligentrxcom:260205` (success)
  4. Updated by deploying with 26.3.5 `aws cloudformation deploy --template-file ./keycloak-only.yml --stack-name KeycloakOnly --capabilities CAPABILITY_NAMED_IAM --parameter-o
@thomasdarimont
thomasdarimont / TokenStatusList.java
Last active October 9, 2025 14:04
Initial tests for working with Token Status List (TSL) compressed statuslists.
package net.openid.conformance.oauth.statuslists;
import java.io.ByteArrayOutputStream;
import java.util.Base64;
import java.util.zip.Deflater;
import java.util.zip.Inflater;
/**
* A wrapper around a compressed status list from the Token Status List (TSL).
* See: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-status-list-12
@thomasdarimont
thomasdarimont / KeycloakAtbcaApplication.java
Last active September 29, 2025 20:41
Attestation based Client Authentication Test-Client
package com.thomasdarimont.keycloak.labs.keycloakatbca;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSVerifier;
@thomasdarimont
thomasdarimont / CustomKeycloakOIDCFilterWithPkceSupport.java
Last active May 7, 2025 20:57
PoC for a CustomKeycloakOIDCFilter with PKCE support
package demo;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.AuthenticatedActionsHandler;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OAuthRequestAuthenticator;
import org.keycloak.adapters.OIDCAuthenticationError;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.PreAuthActionsHandler;
import org.keycloak.adapters.RequestAuthenticator;
@thomasdarimont
thomasdarimont / gist:c7a90dabccbaed926fbfd388a4c5088a
Created May 7, 2025 12:09
Keycloak 26.0.9 Directory Structure
tom@tesla ~/dev/playground/keycloak/keycloak-26.0.9
$ tree
.
├── bin
│   ├── client
│   │   ├── keycloak-admin-cli-26.0.9.jar
│   │   └── lib
│   │       ├── bcprov-jdk18on-1.78.1.jar
│   │       ├── keycloak-crypto-default-26.0.9.jar
│   │       └── keycloak-crypto-fips1402-26.0.9.jar
@thomasdarimont
thomasdarimont / readme.md
Last active March 24, 2025 13:05
API Sketch - Using different types to restrict available fields
class ClientCreate extends ClientUpdate {
    String type;
    // properties mandatory for creation
}

class ClientUpdate {
    String name;
    String description;
@thomasdarimont
thomasdarimont / readme.md
Last active March 19, 2025 13:17
Example Realm with a Configuration for OAuth2 Resource Indicators based on https://github.com/keycloak/keycloak/pull/35711

This import creates a new resource-indicators realm with a photoz client. The photoz client defines available resource-indicators via the authorization-services resources.

Create a user tester with password test in the resource-indicators realm.

Then you should be able to execute the following requests via curl.

Note the resource parameter which enables the client to select which resources should be associated with the authorization.

@thomasdarimont
thomasdarimont / JsonSchemaDemo.java
Last active March 10, 2025 22:41
JSON Schema Validation Example
package demo;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.networknt.schema.JsonNodePath;
import com.networknt.schema.JsonSchema;
import com.networknt.schema.JsonSchemaFactory;
import com.networknt.schema.SpecVersion;
import com.networknt.schema.ValidationMessage;
@thomasdarimont
thomasdarimont / healthcheck.sh
Created January 9, 2025 09:27
Keycloak Healthcheck for docker without curl
#!/bin/bash
exec 3<>/dev/tcp/localhost/8080
echo -e "GET /auth/health/ready HTTP/1.1\nhost: localhost:8080\n" >&3
timeout --preserve-status 1 cat <&3 | grep -m 1 status | grep -m 1 UP
ERROR=$?
exec 3<&-
exec 3>&-
@Component
public class CookieSecurityContextRepository implements SecurityContextRepository {
    private static final String EMPTY_CREDENTIALS = "";
    private static final String ANONYMOUS_USER = "anonymousUser";
    private final String cookieHmacKey;
    public CookieSecurityContextRepository(@Value("${auth.cookie.hmac-key}") String cookieHmacKey) {
        this.cookieHmacKey = cookieHmacKey;