[keycloak-user] Custom authentication

Dmitry Telegin dt at acutus.pro
Tue Nov 13 22:02:21 EST 2018


Hello Vagelis,

Here's the outline of the solution as I see it:
- you'll need a custom authenticator, this could be either a Script authenticator or a Java-based one (Authentication SPI [1]);
- you'll need to modify or supply your own login page. The easiest way is to use a Theme Resource JAR [2];
- next, you need to decide how you would store role secrets. I'd recommend using the same mechanism Keycloak uses to store passwords and private keys, namely Credentials (see org.keycloak.credential.*);
- then, you should establish a 1-to-1 association between roles and secrets. You can use CredentialAttributeEntity (CREDENTIAL_ATTRIBUTE table) for that;
- or maybe better, introduce your own entity [3] for that association, because CREDENTIAL_ATTRIBUTE.VALUE doesn't have an index, therefore queries will be slow;
- finally, you need a mechanism to manage your role secrets. If you want to use the Admin console GUI for that, you'll need to implement a REST endpoint [3] and your custom GUI theme [4].

So probably you'll end up with 2-3 providers and a theme, packaged in a single JAR. As always, I'd recommend my BeerCloak project [6] as a reference, since it contains many of the above.

Feel free to ask questions, and good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
[2] https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource
[3] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
[4] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
[5] https://www.keycloak.org/docs/latest/server_development/index.html#_themes
[6] https://github.com/dteleguin/beercloak

On Tue, 2018-11-13 at 19:07 +0200, Vagelis Savvas wrote:
> Hello,
> I'd like some advice on how to go about implementing the following 
> custom authentication scenario:
>   - A user besides the standard username and password optionally 
> provides one more secret in the login screen.
>   - The secret is associated with a realm role (one to one) by the realm 
> admin, and if matched the user is dynamically added to the corresponding 
> role.
>   - If the secret isn't provided the user is normally authenticated and 
> gets whatever roles he is assigned, like the default behavior.
> 
> Of course I would like to avoid implementing an SPI for that :-) but if 
> it is not possible to avoid it I'd appreciate any insights and advice.
> I admit I haven't carefully read the relevant SPI extension docs yet, 
> hoping that there is some way of doing it without an SPI extension.
> 
> Cheers,
> 
> Vagelis
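Since the thread is about how to wire this together, here is an added sketch of the authenticator piece of Dmitry's outline (example code, not from BeerCloak or the Keycloak project): a Java Authenticator for the Authentication SPI [1] that reads an optional role_secret field submitted with the login form and grants the matching realm role. The RoleSecretStore interface, the role_secret field name, the SHA-256 digest lookup and the fail-closed handling of a wrong secret are all assumptions; it also assumes the javax.ws.rs API of Keycloak 4.x, that the field reaches the next authenticator in the same POST, and that the AuthenticatorFactory registering it is written separately.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
// Goes in the browser flow right after the Username Password Form, so the optional
// "role_secret" field added to the login page arrives in the same POST (assumption).
public class RoleSecretAuthenticator implements Authenticator {
    // Hypothetical lookup over the custom role<->secret entity. Only the SHA-256 digest is
    // stored and indexed, so the raw secret never reaches the DB and the query stays fast.
    public interface RoleSecretStore { String findRoleIdBySecretDigest(RealmModel realm, String hexDigest); }
    private final RoleSecretStore store;
    public RoleSecretAuthenticator(RoleSecretStore store) { this.store = store; }
    @Override public void authenticate(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String secret = form.getFirst("role_secret");
        if (secret == null || secret.trim().isEmpty()) {
            context.success(); // no secret supplied: default behaviour, nothing is granted
            return;
        }
        RealmModel realm = context.getRealm();
        String roleId = store.findRoleIdBySecretDigest(realm, sha256Hex(secret)); // null if unknown
        RoleModel role = roleId == null ? null : realm.getRoleById(roleId);
        if (role == null) { // a wrong secret fails closed instead of being silently ignored
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }
        UserModel user = context.getUser();
        if (!user.hasRole(role)) user.grantRole(role); // persistent grant, as the question asks
        context.success();
    }
    static String sha256Hex(String s) { // adequate for admin-generated, high-entropy secrets
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

If admins may pick low-entropy secrets, replace the plain digest with Keycloak's password hashing so a leaked table cannot be brute-forced offline.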

