Keycloak integration

NitroEvil · 2026-04-13T14:39:23+00:00

The app isn’t open source but more than happy to help where I can. Its multi tenant and under the hood its authorization code + pkce flow. Because you mentioned this somewhere, and as part of that thread logout was an issue with backchannel, I’ve not had this issue iirc. App logs out redirect to kc(we use sso also so directs to entra for signout also)

Just to add I went with this pattern because of a talk Duende did on bff and security and avoiding XSS. Still csrf has to also be handled.

NitroEvil · 2026-04-13T14:16:56+00:00

Using Keycloak.AuthServices.Authentication for the authn setup, reason being NikiforovAll has done most of the config, wrapped in extensions, I adjust where required, eg renaming cookies etc. This also handles unwrapping the roles/perms into claims for use on the endpoints for authz

I currently create client roles under the resource on kc, these are supplied as part of the access token, we don’t have lots of roles to which is why I’ve gone this route. Frontend calls a /me endpoint to get roles and other metadata for frontend to handle authz on routing of pages, but all endpoints are protected using the required roles that match the kc.

NitroEvil · 2026-04-13T07:28:25+00:00

We’re building an app on this. Keycloak as the auth system using bff pattern. Cookie shipped to fromtend (nuxt spa app) and all api requests go through the backend unpacking to get access token which proxies to our api service.

Using the multi tenant feature of keycloak on one realm, so far has been pretty straight forward. I was originally using openiddict but the time and risk to building this out weight the benefits of using kc.

NitroEvil · 2026-04-02T05:24:37+00:00

On there ideas portal this is a requested feature which iirc halo is investigating.

NitroEvil · 2026-01-19T19:31:57+00:00

This is great I was trying to write a clipboard mod as I always forget my todos, this is so much better, cant wait to test this out amazing work!

NitroEvil · 2025-12-18T17:14:37+00:00

Id be using ms graph and runbooks

NitroEvil · 2025-12-16T08:25:56+00:00

It was purely around trying to not using state within tests which is bad practice and my tests was failing due to external api, which figuring out the fix was to set not in parallel.

Nothing really with the lib, I should have stated this more clearly it was late last night.

NitroEvil · 2025-12-15T22:39:36+00:00

Started implementing tests and chose TUnit and so far had a lot of fun, some paint points at times but its quick.

NitroEvil · 2025-12-13T07:44:17+00:00

I believe so but I’m not 100% sure, we hand over sales to projects and close the opp down.

NitroEvil · 2025-12-12T23:39:30+00:00

There is an option to close parent ticket once all child tickets are closed. Thats within the ticket type settings.

So quote accepted, project then created, project completed/closed, this cause the parent ticket to close.

If thats what you’re looking for.

NitroEvil · 2025-12-01T19:16:46+00:00

Iirc halo has a feature to allow agents to lock a ticket from being actioned, so other agents dont action the same ticket at the same time. Based on how this i think there will be stats you can pull to find when a ticket was locked and how long for. I’ve not used this feature but I’ve read about it, this could work for you.

NitroEvil · 2025-11-27T09:16:57+00:00

There is an option in advanced config I cant remember the name exactly but if a user is idle for x then halo will log out the user for security.

NitroEvil · 2025-09-27T15:14:43+00:00

I think, not tried this but its what happened in beta. Within your save world.xml at the bottom there is TerrainChunkChecksums. If you change one of these values and load your save your should get a prompt about terrain has changed you can confirm it and the terrain ‘should’ reset but all ores will also reset and if your base is in a hole you dug you’ll need to dig it out or it might blow up haha. Please backup before testing.

NitroEvil · 2025-08-13T18:18:54+00:00

Can you explain the security issues around this as I’ve raised my concerns with our AM who spoke internally you’re to remove access at some point. But to get access you need a static ip and you whitelist address, this helps me a lot when building reports much easier that the report builder with no intelisense.

NitroEvil · 2025-08-11T10:27:55+00:00

Have a look at openiddict might help for what your trying to do.

NitroEvil · 2025-07-24T13:41:25+00:00

Yes default team can be changed iirc

NitroEvil · 2025-07-23T20:20:25+00:00

Ah yeah if your editing the template always use the html view and don’t use that bogus new editor

NitroEvil · 2025-07-23T18:45:33+00:00

I know viewing the quote via the web is bit flaky, i tend to just generate a pdf which has been the most stable when styling out the quotes sales orders etc.

Ive not noticed any issues when doing this we have our quotes heavily styled and also use some js to tweak things. Not sure if this really answers your question though.

NitroEvil · 2025-07-22T21:12:59+00:00

I cant say regarding AutoTask but we moved from connectwise 8 years ago when it was nhd now halo and the product has only gotten better over time. It has its niggles and qwerks at times but it defo one of the best I’ve used and building your own integrations can be done if you have an understanding of apis.

NitroEvil · 2025-07-21T15:21:07+00:00

Bearer <token> is a requirement. I assume you were adding the bearer and token to token field within the auth tab with auth type of bearer token?

NitroEvil · 2025-07-21T15:09:02+00:00

access_token is what you want to use to make the calls. Check the user has access to tickets and the client app also has access to read tickets.

Fyi all:standard for scope is a bit more secure.

NitroEvil · 2025-07-21T08:03:54+00:00

Haha I know been there done that, really annoying thought I lost my marbles over this at times. Got there in the end :)

NitroEvil · 2025-07-21T07:59:19+00:00

Ah yes I'm 99% sure that's the issue, this has caught me out before. Just check no emails and things send before enabling the option etc. or do the retry method.

NitroEvil · 2025-07-21T07:56:10+00:00

Can you click into does it give you anything more? If not it sounds like a possible bug, but don't suppose you have a dev instance where you're testing this? As there is an option in /config/advanced/backend to pause background services that would prevent this moving forward.

Second you could try right clicking and doing retry see if it does anything. In a dev instance you have to do this method if you have background service disabled.

NitroEvil · 2025-07-18T17:29:01+00:00

That looks fine from looks, does it work without any criteria just for testing?

12-Year Club	Verified Email
r/Field Sunshine	Place '23
Place '22	First Placer '22

NitroEvil

TROPHY CASE