I am trying to set up token exchange for a Teams Tab App and want to set up KeyCloak so I can exchange the Entra tokens for KeyCloak tokens.
I enabled
- KC_FEATURE=preview,token-exchange,admin-fine-grained-authz
and it looks like it is active:
./opt/keycloak/bin/kc.sh show-config
:
kc.feature = preview,token-exchange,admin-fine-grained-authz (ENV)
:
But when I am in the admin console I still cannot see the Permissions tab:
I'm using quay.io/keycloak/keycloak:26.1.3
What am I missing?
Files:

```yaml
services:
  idp2-database:
    image: postgres:17.0
    volumes:
      - ./docker-volumes/userDatabase2:/var/lib/postgresql/data
    restart: always
    ports:
      - "45001:5432"
    environment:
      POSTGRES_DB: userDb
      POSTGRES_USER: keycloakUser
      POSTGRES_PASSWORD: keycloakUser
    container_name: idp2-database
    networks:
      - keycloak2-and-postgres-network
    healthcheck:
      test: ["CMD", "psql", "-U", "keycloakUser", "-d", "userDb", "-c", "SELECT 1"]
      interval: 10s
      timeout: 5s
      retries: 5

  idp2-keycloak:
    image: quay.io/keycloak/keycloak:26.1.3
    container_name: idp2-keycloak
    restart: always
    command: ["start", "--https-certificate-file=/opt/keycloak/certs/tls.crt", "--https-certificate-key-file=/opt/keycloak/certs/tls.key", "--spi-theme-static-max-age=-1", "--spi-theme-cache-themes=false", "--spi-theme-cache-templates=false"]
    environment:
      # features (token-exchange, admin-fine-grained-authz)
      - KC_FEATURE=preview,token-exchange,admin-fine-grained-authz
      # admin user
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      # database
      - KC_DB=postgres
      - KC_DB_URL=jdbc:postgresql://idp2-database:5432/userDb
      - KC_DB_USERNAME=keycloakUser
      - KC_DB_PASSWORD=keycloakUser
      # health
      - KC_HEALTH_ENABLED=true
      # logging
      - KEYCLOAK_LOGLEVEL=DEBUG
      # hosting
      - KC_HOSTNAME=localhost
      - KEYCLOAK_FRONTEND_URL=https://localhost:45000/auth
      - KC_HOSTNAME_STRICT=false
      - KC_HOSTNAME_STRICT_HTTPS=true
      - KC_HTTP_ENABLED=false
      - KC_HTTPS_PORT=8443
      # - KC_HTTP_MAX_HEADER_SIZE=32768
      - QUARKUS_HTTP_HTTP2=false
    ports:
      - "45000:8443"
    volumes:
      - ./docker-volumes/keycloak2/standalone/data:/opt/keycloak/standalone/data
      - ./docker-volumes/keycloak2/certs:/opt/keycloak/certs
      - ../src/themes:/opt/keycloak/themes
      - ./docker-volumes/keycloak2/providers:/opt/keycloak/providers
      - ./docker-volumes/keycloak2/standalone/configuration:/opt/keycloak/standalone/configuration
    depends_on:
      idp2-database:
        condition: service_healthy
    networks:
      - keycloak2-and-postgres-network

networks:
  keycloak2-and-postgres-network:
```

cert snippet:

```sh
openssl req -newkey rsa:2048 -nodes \
  -keyout ./docker-volumes/keycloak/certs/tls.key \
  -x509 -days 365 \
  -out ./docker-volumes/keycloak/certs/tls.crt \
  -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,DNS:127.0.0.1"
```
asked Mar 7 at 18:07 by Ni2Be, edited Mar 8 at 7:08
- I put "KC_FEATURES: preview,token-exchange,admin-fine-grained-authz" in docker-compose (using v26.1.3) and can see the "Permissions" tab when I create a "test" client in the "Turbo" realm. – Bench Vue Commented Mar 7 at 19:59
- @BenchVue thanks for testing. I created a second instance just to be sure, but still no Permissions tab. Is maybe one of my other configurations conflicting with it? I added the full config. – Ni2Be Commented Mar 8 at 7:10
- Damn, I found it. It was just a typo, should be KC_FEATURES not KC_FEATURE – Ni2Be Commented Mar 8 at 7:20
1 Answer
It was just a typo: it should be KC_FEATURES, not KC_FEATURE.
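The thread shows, in passing, why `kc.sh show-config` did not catch this: it printed `kc.feature = … (ENV)` even though `kc.feature` is not a Keycloak option, so show-config echoes every `KC_*` variable it finds and its output only proves the variable reached the server, not that the server understands it. The check below is an added example written for this page, not code from the question or from the Keycloak project: it pulls the `KC_*` names out of a compose `environment:` block (or out of show-config output), compares them with a hand-maintained allowlist, and suggests the closest real name. The allowlist is a subset of Keycloak 26 option names that I maintain by hand, not an official or complete list; anything missing from it is reported so you can confirm it with `kc.sh start --help-all` for your version. With the question's own environment block as input it reports `KC_FEATURE` (did you mean `KC_FEATURES`?) and also `KC_HOSTNAME_STRICT_HTTPS`, the latter because my subset omits it; in my understanding that option went away with the hostname v2 options, which `--help-all` will confirm or refute for your build.

```python
"""Lint the KC_* variables handed to a Keycloak container and flag names that
are not real options, e.g. KC_FEATURE (ignored) instead of KC_FEATURES.

Hypothetical helper written for this page. The allowlist is a hand-maintained
subset of Keycloak 26 option names in environment-variable form, not an
official or complete list; extend it for the options your deployment uses.
"""
import difflib
import re

# Subset of real Keycloak 26 options in KC_ env form. Assumption: kept in sync
# by hand with `kc.sh start --help-all`; names absent here are merely "unknown
# to this list", not necessarily invalid.
KNOWN_KC_OPTIONS = {
    "KC_FEATURES", "KC_FEATURES_DISABLED",
    "KC_DB", "KC_DB_URL", "KC_DB_USERNAME", "KC_DB_PASSWORD",
    "KC_HEALTH_ENABLED", "KC_METRICS_ENABLED",
    "KC_HOSTNAME", "KC_HOSTNAME_STRICT", "KC_HOSTNAME_ADMIN",
    "KC_HTTP_ENABLED", "KC_HTTP_PORT", "KC_HTTPS_PORT",
    "KC_HTTPS_CERTIFICATE_FILE", "KC_HTTPS_CERTIFICATE_KEY_FILE",
    "KC_LOG_LEVEL", "KC_PROXY_HEADERS", "KC_CACHE",
    "KC_BOOTSTRAP_ADMIN_USERNAME", "KC_BOOTSTRAP_ADMIN_PASSWORD",
}

# "- NAME=value" (compose list form) or "NAME: value" (compose mapping form).
# Commented-out lines start with '#' and therefore do not match.
ENV_LINE = re.compile(r"^\s*-?\s*([A-Z][A-Z0-9_]*)\s*[=:]")
# "kc.some-option = value (ENV)" as printed by `kc.sh show-config`.
SHOW_CONFIG_LINE = re.compile(r"^\s*(kc\.[a-z0-9.\-]+)\s*=")


def env_names_from_compose(text):
    """Return the KC_* variable names set in compose-style environment lines."""
    names = []
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m and m.group(1).startswith("KC_"):
            names.append(m.group(1))
    return names


def env_names_from_show_config(text):
    """Map `kc.some-option = ...` lines back to KC_SOME_OPTION.

    show-config lists every KC_* variable it finds, known or not, so this is
    what the server *saw*, which is exactly what we want to lint."""
    names = []
    for line in text.splitlines():
        m = SHOW_CONFIG_LINE.match(line)
        if m:
            key = m.group(1)[len("kc."):]
            names.append("KC_" + key.replace("-", "_").replace(".", "_").upper())
    return names


def lint(names, known=KNOWN_KC_OPTIONS):
    """Return {name: closest_known_name_or_None} for names not in the allowlist."""
    findings = {}
    for name in names:
        if name in known:
            continue
        close = difflib.get_close_matches(name, sorted(known), n=1, cutoff=0.8)
        findings[name] = close[0] if close else None
    return findings


# Constructed sample: the environment block from the question, copied verbatim.
SAMPLE_COMPOSE_ENV = """\
      # features (token-exchange, admin-fine-grained-authz)
      - KC_FEATURE=preview,token-exchange,admin-fine-grained-authz
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
      - KC_DB=postgres
      - KC_DB_URL=jdbc:postgresql://idp2-database:5432/userDb
      - KC_DB_USERNAME=keycloakUser
      - KC_DB_PASSWORD=keycloakUser
      - KC_HEALTH_ENABLED=true
      - KEYCLOAK_LOGLEVEL=DEBUG
      - KC_HOSTNAME=localhost
      - KEYCLOAK_FRONTEND_URL=https://localhost:45000/auth
      - KC_HOSTNAME_STRICT=false
      - KC_HOSTNAME_STRICT_HTTPS=true
      - KC_HTTP_ENABLED=false
      - KC_HTTPS_PORT=8443
      # - KC_HTTP_MAX_HEADER_SIZE=32768
      - QUARKUS_HTTP_HTTP2=false
"""

# Constructed sample of `kc.sh show-config` output in the format the question quotes.
SAMPLE_SHOW_CONFIG = """\
kc.feature = preview,token-exchange,admin-fine-grained-authz (ENV)
kc.db = postgres (ENV)
kc.hostname-strict = false (ENV)
kc.https-port = 8443 (ENV)
"""

if __name__ == "__main__":
    for label, names in (("compose", env_names_from_compose(SAMPLE_COMPOSE_ENV)),
                         ("show-config", env_names_from_show_config(SAMPLE_SHOW_CONFIG))):
        for name, hint in lint(names).items():
            suffix = f" (did you mean {hint}?)" if hint else ""
            print(f"{label}: {name} is not in the allowlist{suffix}")
```

Run it before `docker compose up` or paste in the `kc.sh show-config` output afterwards; the KEYCLOAK_* and QUARKUS_* variables are deliberately left alone because they are not Keycloak `KC_*` options and need a different check.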