I'm currently implementing a custom RequiredAction together with an ActionToken and ActionTokenHandler in order to include an external system in our login/registration flow. The general setup is straightforward, and I was able to quickly get a working POC with some help from the quickstarts example here: https://github.com/keycloak/keycloak-quickstarts/tree/latest/action-token-required-action.
A minor problem I ran into is that required actions are not configurable at runtime, as there is only the following method for configuration in the factory interface, which would need to be configured in Quarkus config or standalone.xml, as I understand it:
This is a problem for me because we have a large number of tenants which each have their own realm, and which will each be running the external system under their own domain. Therefore, we need to configure the URL for each external system before Keycloak starts, and cannot change it at runtime. This is at odds with our current Terraform-based configuration management.
Is there a reason that required actions are not configurable at runtime? So far my best guess was just "no one needed this yet, so no need to make this configurable" 😄
One idea that came to mind was storing the URL of the external system in the realm metadata and looking it up like this:
This seems like a pragmatic (if a bit hacky) solution to get the job done, because we can set realm attributes via Terraform easily enough. I'm open to suggestions of cleaner or better ways to solve this problem.
Possibly a pull request adding the ConfiguredProvider to RequiredActionFactory, if that is considered feasible and desired.
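One way to do the realm attribute lookup described in the post, as an added example that is not part of the original post and not Keycloak's own code. The attribute name `externalSystemUrl` and the class name are hypothetical; `RealmModel.getAttribute` and `RealmModel.getName` are the Keycloak SPI calls used, and the validation assumes the URL ends up as a redirect target in the login flow.

```java
import java.net.URI;
import java.net.URISyntaxException;
import org.keycloak.models.RealmModel;

/** Resolves the per-realm external system URL from a realm attribute (added example). */
public final class ExternalSystemUrlResolver {

    // Hypothetical attribute name; set per realm, e.g. through Terraform.
    static final String ATTRIBUTE = "externalSystemUrl";

    private ExternalSystemUrlResolver() {}

    /** Looks up the attribute on the realm and validates it before use. */
    public static URI resolve(RealmModel realm) {
        return validate(realm.getAttribute(ATTRIBUTE), realm.getName());
    }

    /** Fails closed: a missing or malformed value aborts the action instead of redirecting. */
    static URI validate(String raw, String realmName) {
        if (raw == null || raw.isBlank()) {
            throw new IllegalStateException(
                "Realm " + realmName + " has no " + ATTRIBUTE + " attribute");
        }
        final URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            throw new IllegalStateException(
                "Realm " + realmName + ": " + ATTRIBUTE + " is not a valid URI", e);
        }
        // Assumption: the value is used as a redirect target during login, so
        // require an absolute HTTPS URL with a host and no embedded credentials.
        if (!"https".equalsIgnoreCase(uri.getScheme())
                || uri.getHost() == null
                || uri.getUserInfo() != null
                || uri.getFragment() != null) {
            throw new IllegalStateException(
                "Realm " + realmName + ": " + ATTRIBUTE
                + " must be an absolute https URL without credentials or fragment");
        }
        return uri;
    }
}
```

Inside a `RequiredActionProvider`, the call would be `ExternalSystemUrlResolver.resolve(context.getRealm())`. Because anyone who can edit realm attributes controls where users are sent, the check runs on every lookup rather than once at startup.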