cnieg/keycloak-login-attribute

Keycloak Login Attribute SPI

An Authentication Service Provider that adds the possibility for Keycloak to connect via a user attribute.

Use Case

If the username entered in the form

  • does not match a primary identifier
  • does not match an email address (if this option is enabled for the realm)
  • matches the configured regular expression

then the search by attribute is activated:

  • if this search returns a single user, password verification is activated
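The resolution order above is easier to reason about as code. The following is an added example written for this README, not the SPI's own Java code: it models the lookup order (primary identifier, then email if the realm allows it, then the regex gate, then the attribute search) against a constructed in-memory user store, and it shows the two outcomes that matter for security, namely that a value failing the regex never triggers the expensive attribute search, and that an attribute value shared by several users is refused rather than resolved to an arbitrary one. The use of `re.fullmatch`, the attribute name `employeeId`, the regex `E\d{4}` and the sample users are all assumptions of this model.

```python
"""Model of the attribute-login resolution order (added example, not the SPI's code)."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    username: str
    email: str
    attributes: dict = field(default_factory=dict)


@dataclass
class Realm:
    """Stand-in for a Keycloak realm and its user store (constructed for this example)."""
    users: list
    login_with_email_allowed: bool = True
    attribute_search_count: int = 0  # counts the "expensive" searches the regex is meant to limit

    def by_username(self, value: str) -> Optional[User]:
        return next((u for u in self.users if u.username == value), None)

    def by_email(self, value: str) -> Optional[User]:
        return next((u for u in self.users if u.email.lower() == value.lower()), None)

    def by_attribute(self, name: str, value: str) -> list:
        self.attribute_search_count += 1
        return [u for u in self.users if u.attributes.get(name) == value]


def resolve_user(realm: Realm, entered: str, attribute_name: str, attribute_regex: str):
    """Return (user, reason); user is None whenever login must not proceed to the password check."""
    user = realm.by_username(entered)
    if user is not None:
        return user, "username"
    if realm.login_with_email_allowed:
        user = realm.by_email(entered)
        if user is not None:
            return user, "email"
    # The regex gate: no attribute search at all unless the value looks like an attribute value.
    # (fullmatch is an assumption of this model; the SPI's exact matching semantics are not in the README)
    if re.fullmatch(attribute_regex, entered) is None:
        return None, "regex-rejected"
    matches = realm.by_attribute(attribute_name, entered)
    if len(matches) == 1:
        return matches[0], "attribute"
    if not matches:
        return None, "not-found"
    # Two or more users share the value: refusing keeps a duplicated attribute from
    # logging in "whichever user the store returns first".
    return None, "ambiguous"


# Constructed sample data: an employee-id attribute, deliberately duplicated for carol and dave.
ATTRIBUTE_NAME = "employeeId"
ATTRIBUTE_REGEX = r"E\d{4}"


def make_realm(login_with_email_allowed: bool = True) -> Realm:
    return Realm(
        users=[
            User("alice", "alice@example.com", {ATTRIBUTE_NAME: "E1001"}),
            User("bob", "bob@example.com", {ATTRIBUTE_NAME: "E1002"}),
            User("carol", "carol@example.com", {ATTRIBUTE_NAME: "E2000"}),
            User("dave", "dave@example.com", {ATTRIBUTE_NAME: "E2000"}),
        ],
        login_with_email_allowed=login_with_email_allowed,
    )


if __name__ == "__main__":
    realm = make_realm()
    for entered in ["alice", "alice@example.com", "E1001", "E2000", "E9999", "not-an-id"]:
        user, reason = resolve_user(realm, entered, ATTRIBUTE_NAME, ATTRIBUTE_REGEX)
        print(f"{entered!r:22} -> {reason:15} {user.username if user else '-'}")
    print("attribute searches performed:", realm.attribute_search_count)
```

Running the block walks one value through each branch. Note that with email login disabled for the realm, an email address typed into the form falls through to the regex gate and is rejected there without any attribute search, which is exactly the cost-limiting behaviour the regex setting is for.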

Installation

Just drop the jar into the providers subdirectory of your Keycloak installation (/opt/keycloak/providers in the example below).

For example, you can add this snippet to a Dockerfile (PLUGIN_VERSION is a build argument holding the plugin version to download):

# version of the plugin to fetch from Maven Central, e.g. --build-arg PLUGIN_VERSION=<version>
ARG PLUGIN_VERSION
WORKDIR /opt/keycloak

# plugins: download the jar straight into the providers directory, owned by the keycloak user
ADD --chown=keycloak:keycloak https://repo1.maven.org/maven2/fr/cnieg/keycloak/attribute-login-provider/$PLUGIN_VERSION/attribute-login-provider-$PLUGIN_VERSION.jar providers/attribute-login-provider-$PLUGIN_VERSION.jar

Configuration

Make sure that you have correctly configured an attribute for your users which can be used as an alternative identifier.

Switch to your realm in the Keycloak administration console.

Switch to the "Authentication" configuration and copy the original browser flow, giving the copy a reasonable name, maybe "Browser with Attribute".

Then replace the "Username Password Form" execution by the new "Attribute Username Password Form" execution.

(Screenshot: Browser Flow Configuration)

Configure this new step with your attribute name and choose a regex which restricts the values that trigger the lookup, avoiding expensive searches by attribute.

(Screenshot: Authenticator Configuration)

Having done so, you have to select your copy as the browser flow in the Bindings tab.

Keycloak Reset Credential Attribute

Like the Keycloak Login Attribute SPI, AttributeChooseUser adds the possibility for Keycloak to reset credentials via a user attribute.

Configuration

Make sure that you have correctly configured an attribute for your users which can be used as an alternative identifier.

Switch to your realm in the Keycloak administration console.

Switch to the "Authentication" configuration and copy the original reset credentials flow, giving the copy a reasonable name, maybe "Reset Credential with Attribute".

Then replace the "Choose User" execution by the new "Attribute Choose User" execution.

(Screenshot: Browser Flow Configuration)

Configure this new step with your attribute name and choose a regex which restricts the values that trigger the lookup, avoiding expensive searches by attribute.

(Screenshot: Authenticator Configuration)

Having done so, you have to select your copy as the browser flow in the Bindings tab.

License

See the LICENSE file.