Keycloak Security Implementation
Configuration of the Keycloak implementation of the Authenticator API.
| Property | Default | Description | 
|---|---|---|
| causeway.security.keycloak. | | The base URL for the Keycloak server. For example, if running Keycloak in a Docker container, such as `docker run -p 9090:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:19.0.1`, then the URL would be "http://localhost:9090/auth". |
| causeway.security.keycloak. | | If |
| causeway.security.keycloak. | true | Whether to (attempt to) extract client roles and copy into the  By default, client roles are extracted using the "User Client Role" mapping type, into a token claim named "resource_access.${client_id}.roles". This has been made a configuration option because some versions of Keycloak seemingly do not correctly extract these roles; see for example this discussion and KEYCLOAK-9874. |
| causeway.security.keycloak. | true | Whether to (attempt to) extract realm roles and copy into the  By default, realm roles are obtained from the token claims using the "User Realm Role" mapping type, into a token claim named "realm_access.roles". This has been made a configuration option because some versions of Keycloak seemingly do not correctly extract these roles; see for example this discussion and KEYCLOAK-9874. |
| causeway.security.keycloak. | | Whether to (attempt to) extract any available roles and copy into the  This is to support any custom mapping type which maps into a token claim called simply "roles". This has been made a configuration option so that the workaround described in this discussion and KEYCLOAK-9874 can be implemented. |
| causeway.security.keycloak. | /wicket | Specifies where users will be redirected after authenticating successfully if they have not visited a secured page prior to authenticating or `alwaysUse` is true. |
| causeway.security.keycloak.realm | | The name of the realm for the Apache Causeway application, as configured in Keycloak. |
| causeway.security.keycloak. | | If roles are to be extracted, this allows the resultant role to be optionally prefixed. |
| causeway.security.keycloak. | | If |
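
A diagnostic sketch for the role-extraction rows above, added here as an example and not taken from Apache Causeway's code: it decodes a token's payload and collects roles from the three claim locations the table names, which shows whether a given Keycloak version actually emits them. The function and argument names, the `demo-client` client id and the sample token are constructed for illustration; the payload is decoded without signature verification, so this is for inspecting tokens only, never for authorizing requests.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode a JWT's payload segment WITHOUT verifying its signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def extract_roles(claims, client_id, client_roles=True, realm_roles=True,
                  plain_roles=False, prefix=""):
    """Collect roles from the three claim locations named in the table.

    The keyword arguments are hypothetical stand-ins for the table's three
    extraction flags and its role prefix option. The table shows no default
    for the plain "roles" flag; False here is an assumption.
    """
    found = []
    if client_roles:  # claim "resource_access.${client_id}.roles"
        access = claims.get("resource_access") or {}
        found += (access.get(client_id) or {}).get("roles") or []
    if realm_roles:   # claim "realm_access.roles"
        found += (claims.get("realm_access") or {}).get("roles") or []
    if plain_roles:   # custom mapper writing to a claim called "roles"
        found += claims.get("roles") or []
    # De-duplicate while keeping order, then apply the optional prefix.
    return [prefix + role for role in dict.fromkeys(found)]

def _b64url(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token: made-up claims and a placeholder signature segment.
SAMPLE_CLAIMS = {
    "preferred_username": "sven",
    "realm_access": {"roles": ["offline_access", "user"]},
    "resource_access": {"demo-client": {"roles": ["admin", "user"]}},
}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url(SAMPLE_CLAIMS), "constructed-signature"])

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print(extract_roles(claims, "demo-client", prefix="ROLE_"))
    # No "roles" claim in this token, so that location alone yields nothing.
    print(extract_roles(claims, "demo-client", client_roles=False,
                        realm_roles=False, plain_roles=True))
```

An empty result for a location whose flag is enabled means the corresponding mapper is not populating that claim in the token.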