Re: [keycloak-user] Custom authentication

Hello Vagelis, Here's the outline of the solution as I see it: - you'll need a custom authenticator, this could be either Script authenticator or Java-based one (Authentication SPI [1]); - you'll need to modify or supply your own login page. The easiest way is to use Theme Resource JAR [2]; - next, you need to decide how would you store role secrets. I'd recommend to use the same mechanism Keycloak uses to store passwords and private keys, namely Credentials (see org.keycloak.credential.*); - then, you should establish 1-to-1 association between roles and secrets. You can use CredentialAttributeEntity (CREDENTIAL_ATTRIBUTE table) for that; - or maybe better introduce your own entity [3] for that association, because CREDENTIAL_ATTRIBUTE.VALUE doesn't have index, therefore queries will be slow; - finally, you need a mechanism to manage your role secrets. If you want to use Admin console GUI for that, you'll need to implement a REST endpoint [3] and your custom GUI theme [4]. So probably you'll end up with 2-3 providers and a theme, packaged in a single JAR. As always, I'd recommend my BeerCloak project [6] as a reference, since it contains many of the above. Feel free to ask questions, and good luck! Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro [1] https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi [2] https://www.keycloak.org/docs/latest/server_development/index.html#_theme... [3] https://www.keycloak.org/docs/latest/server_development/index.html#_exten... [4] https://www.keycloak.org/docs/latest/server_development/index.html#_exten... [5] https://www.keycloak.org/docs/latest/server_development/index.html#_themes [6] https://github.com/dteleguin/beercloak On Tue, 2018-11-13 at 19:07 +0200, Vagelis Savvas wrote: