WildFly 34 Model Reference

Configuration for a Keycloak realm. If you have multiple deployments secured by the same realm you can share the realm configuration here.

Attributes (41)

  • allow-any-hostname If set to 'true', hostname verification will be skipped when communicating with Keycloak over HTTPS. This can be useful in testing environments. This should never be set to 'true' in production environments as it disables verification of SSL certificates.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • always-refresh-token If set to 'true', the subsystem refreshes the token every time your application receives a web request, and a new request is sent to Keycloak to obtain a new access token. This can result in a higher load on the Keycloak and may impact the performance of the application.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • auth-server-url The base URL of the Keycloak authorization server. It is recommended to use the 'provider-url' instead.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • 🅿 authentication-request-format The format to use for specifying query parameters in authentication request.
    • Attribute Value
    Default Value oauth2
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Allowed Values oauth2
    request
    request_uri
    Stability preview
  • autodetect-bearer-only Whether to auto-detect SOAP or REST clients based on headers like 'X-Requested-With', 'SOAPAction' or 'Accept'. If set to 'true', the subsystem sends an HTTP 401 status code to unauthenticated SOAP or REST clients instead of redirecting them to the Keycloak login page. Set the value to 'true' if your application serves both applications and web services.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • client-key-password The password for the client key. This is required if 'client-keystore' has been specified.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • client-keystore The path to the client keystore to use when communicating with Keycloak over HTTPS. This is optional.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • client-keystore-password The password for the client keystore. This is required if 'client-keystore' has been specified.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • confidential-port The confidential port used by Keycloak when communicating securely over SSL/TLS.
    • Attribute Value
    Default Value 8443
    Type INT
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • connection-pool-size The connection pool size to use when communicating with Keycloak.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min 0
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • connection-timeout-millis The timeout for establishing a connection with the remote host in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • connection-ttl-millis The amount of time in milliseconds for the connection to be kept alive. A value less than or equal to zero is interpreted as an infinite value.
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • cors-allowed-headers If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • cors-allowed-methods If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Methods' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • cors-exposed-headers If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Expose-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • cors-max-age If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Max-Age' header. If not set, this header is not returned in CORS responses.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • disable-trust-manager Whether or not to make use of a trust manager when communicating with Keycloak over HTTPS. This is optional. This should be set to 'true' only during development and never in production as it disables verification of SSL certificates.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • enable-cors Enable the Keycloak Cross-Origin Resource Sharing (CORS) support. This is optional.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • expose-token If set to 'true', an authenticated browser client can obtain the signed access token (through a Javascript HTTP invocation) via the URL 'root/k_query_bearer_token'. This is optional.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • ignore-oauth-query-parameter Disable query parameter parsing for the 'access_token'. Users will not be able to authenticate if they only pass in an 'access_token'.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • principal-attribute Indicates which value from the ID token to use as the principal for the identity. The principal defaults to the value of the 'sub' if the token attribute is null.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • provider-url The OpenID provider URL.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • proxy-url The URL for the HTTP proxy if one is used.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • realm-public-key The public key of the Keycloak realm in PEM format. This is optional. It is not recommended to set it. If the public key is not set, the subsystem downloads the public key from Keycloak when needed. If the public key is set, the subsystem never downloads new keys from Keycloak, breaking the subsystem when Keycloak rotates its keys.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • register-node-at-startup If set to 'true', the subsystem sends a registration request to Keycloak. This attribute is useful only when your application is clustered.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • register-node-period If 'register-node-at-startup' is set to 'true', this specifies the frequency (in seconds) at which the node should be re-registered.
    • Attribute Value
    Type INT
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • 🅿 request-object-encryption-alg-value The encryption algorithm used to encrypt the request object.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-encryption-enc-value The content encryption algorithm used to encrypt the request object.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-signing-algorithm The algorithm used to sign the request object. The default value fot this attribute is "none".
    • Attribute Value
    Default Value none
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-signing-key-alias The key alias when a key pair is used to sign request objects.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-signing-key-password The key password when a key pair is used to sign request objects.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-signing-keystore-file The path to the keystore to use when signing a request object. This is required if an asymmetric signing algorithm for request object is indicated.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-signing-keystore-password The keystore password when a key pair is used to sign request objects.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • 🅿 request-object-signing-keystore-type The keystore type used to specify the client key pair used to sign request objects.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability preview
  • socket-timeout-millis The timeout for the socket waiting for data after establishing the connection in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    • Attribute Value
    Type LONG
    Nillable true
    Expressions Allowed true
    Min -1
    Max 2,147,483,647
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • ssl-required Whether the communication with Keycloak should be over HTTPS. Valid values are: 'all' - to always require HTTPS, 'external' - to only require HTTPS for external requests, 'none' - if HTTPS is not required. This should be set to 'all' in production environments.
    • Attribute Value
    Default Value external
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Allowed Values ALL
    EXTERNAL
    NONE
    Stability default
  • token-signature-algorithm The token signature algorithm used by Keycloak.
    • Attribute Value
    Default Value RS256
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • token-store Defines whether to store account information in an HTTP session or in a cookie.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • truststore The path to the truststore to use when communicating with Keycloak over HTTPS. Prefix the path with 'classpath:' to obtain the truststore from the deployment's classpath.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • truststore-password The password for the truststore.
    • Attribute Value
    Type STRING
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default
  • verify-token-audience If set to 'true', then during bearer-only authentication, the subsystem verifies if the token contains the client name defined as an audience. It is recommended to set to 'true' for improved security.
    • Attribute Value
    Default Value false
    Type BOOLEAN
    Nillable true
    Expressions Allowed true
    Storage configuration
    Access Type read-write
    Restart Required no-services
    Stability default

Operations (2)

  • add Add a Keycloak realm definition to the subsystem.
    Request Parameter Type Required Expressions Allowed Default value Description
    allow-any-hostname BOOLEAN false true false If set to 'true', hostname verification will be skipped when communicating with Keycloak over HTTPS. This can be useful in testing environments. This should never be set to 'true' in production environments as it disables verification of SSL certificates.
    always-refresh-token BOOLEAN false true false If set to 'true', the subsystem refreshes the token every time your application receives a web request, and a new request is sent to Keycloak to obtain a new access token. This can result in a higher load on the Keycloak and may impact the performance of the application.
    auth-server-url STRING false true The base URL of the Keycloak authorization server. It is recommended to use the 'provider-url' instead.
    authentication-request-format STRING false true oauth2 The format to use for specifying query parameters in authentication request.
    autodetect-bearer-only BOOLEAN false true false Whether to auto-detect SOAP or REST clients based on headers like 'X-Requested-With', 'SOAPAction' or 'Accept'. If set to 'true', the subsystem sends an HTTP 401 status code to unauthenticated SOAP or REST clients instead of redirecting them to the Keycloak login page. Set the value to 'true' if your application serves both applications and web services.
    client-key-password STRING false true The password for the client key. This is required if 'client-keystore' has been specified.
    client-keystore STRING false true The path to the client keystore to use when communicating with Keycloak over HTTPS. This is optional.
    client-keystore-password STRING false true The password for the client keystore. This is required if 'client-keystore' has been specified.
    confidential-port INT false true 8443 The confidential port used by Keycloak when communicating securely over SSL/TLS.
    connection-pool-size INT false true The connection pool size to use when communicating with Keycloak.
    connection-timeout-millis LONG false true The timeout for establishing a connection with the remote host in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    connection-ttl-millis LONG false true The amount of time in milliseconds for the connection to be kept alive. A value less than or equal to zero is interpreted as an infinite value.
    cors-allowed-headers STRING false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    cors-allowed-methods STRING false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Allow-Methods' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    cors-exposed-headers STRING false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Expose-Headers' header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.
    cors-max-age INT false true If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the 'Access-Control-Max-Age' header. If not set, this header is not returned in CORS responses.
    disable-trust-manager BOOLEAN false true false Whether or not to make use of a trust manager when communicating with Keycloak over HTTPS. This is optional. This should be set to 'true' only during development and never in production as it disables verification of SSL certificates.
    enable-cors BOOLEAN false true false Enable the Keycloak Cross-Origin Resource Sharing (CORS) support. This is optional.
    expose-token BOOLEAN false true false If set to 'true', an authenticated browser client can obtain the signed access token (through a Javascript HTTP invocation) via the URL 'root/k_query_bearer_token'. This is optional.
    ignore-oauth-query-parameter BOOLEAN false true false Disable query parameter parsing for the 'access_token'. Users will not be able to authenticate if they only pass in an 'access_token'.
    principal-attribute STRING false true Indicates which value from the ID token to use as the principal for the identity. The principal defaults to the value of the 'sub' if the token attribute is null.
    provider-url STRING false true The OpenID provider URL.
    proxy-url STRING false true The URL for the HTTP proxy if one is used.
    realm-public-key STRING false true The public key of the Keycloak realm in PEM format. This is optional. It is not recommended to set it. If the public key is not set, the subsystem downloads the public key from Keycloak when needed. If the public key is set, the subsystem never downloads new keys from Keycloak, breaking the subsystem when Keycloak rotates its keys.
    register-node-at-startup BOOLEAN false true false If set to 'true', the subsystem sends a registration request to Keycloak. This attribute is useful only when your application is clustered.
    register-node-period INT false true If 'register-node-at-startup' is set to 'true', this specifies the frequency (in seconds) at which the node should be re-registered.
    request-object-encryption-alg-value STRING false true The encryption algorithm used to encrypt the request object.
    request-object-encryption-enc-value STRING false true The content encryption algorithm used to encrypt the request object.
    request-object-signing-algorithm STRING false true none The algorithm used to sign the request object. The default value fot this attribute is "none".
    request-object-signing-key-alias STRING false true The key alias when a key pair is used to sign request objects.
    request-object-signing-key-password STRING false true The key password when a key pair is used to sign request objects.
    request-object-signing-keystore-file STRING false true The path to the keystore to use when signing a request object. This is required if an asymmetric signing algorithm for request object is indicated.
    request-object-signing-keystore-password STRING false true The keystore password when a key pair is used to sign request objects.
    request-object-signing-keystore-type STRING false true The keystore type used to specify the client key pair used to sign request objects.
    socket-timeout-millis LONG false true The timeout for the socket waiting for data after establishing the connection in milliseconds. A timeout value of zero is interpreted as an infinite timeout, and a negative value is interpreted as undefined.
    ssl-required STRING false true external Whether the communication with Keycloak should be over HTTPS. Valid values are: 'all' - to always require HTTPS, 'external' - to only require HTTPS for external requests, 'none' - if HTTPS is not required. This should be set to 'all' in production environments.
    token-signature-algorithm STRING false true RS256 The token signature algorithm used by Keycloak.
    token-store STRING false true Defines whether to store account information in an HTTP session or in a cookie.
    truststore STRING false true The path to the truststore to use when communicating with Keycloak over HTTPS. Prefix the path with 'classpath:' to obtain the truststore from the deployment's classpath.
    truststore-password STRING false true The password for the truststore.
    verify-token-audience BOOLEAN false true false If set to 'true', then during bearer-only authentication, the subsystem verifies if the token contains the client name defined as an audience. It is recommended to set to 'true' for improved security.
  • remove Remove a Keycloak realm from the subsystem.