cnieg / keycloak-login-attribute Goto Github PK

View Code? Open in Web Editor NEW

35.0 3.0 6.0 421 KB

Adds the possibility for Keycloak to connect via a user attribute

License: Apache License 2.0

Java 80.07% Batchfile 19.93%

authentication keycloak login attribute-based module identity

keycloak-login-attribute's Introduction

Keycloak Login Attribute SPI

An Authentication Service Provider that adds the possibility for Keycloak to connect via a user attribute.

Use Case

If the username entered in the form

does not match a primary identifier
does not match email (if this option is enabled for realm)
respect the desired regular expression

Then the search by attribute is activated

if this search returns a single user, password verification is activated

Installation

Just drop the jar into the /opt/keycloak subdirectory of your Keycloak installation.

For example, you can add this snippet in a Dockerfile

WORKDIR /opt/keycloak

# plugins
ADD --chown=keycloak:keycloak https://repo1.maven.org/maven2/fr/cnieg/keycloak/attribute-login-provider/$PLUGIN_VERSION/attribute-login-provider-$PLUGIN_VERSION.jar providers/attribute-login-provider-$PLUGIN_VERSION.jar

Configuration

Make sure that you have correctly configured an attribute for your users which can be used as an identifier alternative.

Switch to your realm in the keycloak administration console.

Switch to the "Authentication" configuration and copy the original browser flow, giving the copy it a reasonable name, maybe "Browser with Attribute".

Then replace the "Username Password Form" execution by the new "Attribute Username Password Form" execution.

Configure this new step with your attribute name and choose a regex which can restrict calls and avoid expensives searches by attribute.

Having done so you have to select your copy of the browser in the bindings tab for the browser flow.

Keycloak Reset Credential Attribute

Like the Keycloak Login Attribute SPI, AttributeChooseUser adds the possibility for Keycloak to reset credentials via a user attribute.

Configuration

Make sure that you have correctly configured an attribute for your users which can be used as an identifier alternative.

Switch to your realm in the keycloak administration console.

Switch to the "Authentication" configuration and copy the original reset credential flow, giving the copy it a reasonable name, maybe "Reset Credential with Attribute".

Then replace the "Choose User" execution by the new "Attribute Choose User" execution.

Configure this new step with your attribute name and choose a regex which can restrict calls and avoid expensives searches by attribute.

Having done so you have to select your copy of the browser in the bindings tab for the browser flow.

License

See LICENSE file

keycloak-login-attribute's People

Contributors

Stargazers

Watchers

Forkers

zhenyangze solarisyan kirinse ergoz luojiakickoff edagdeviren

keycloak-login-attribute's Issues

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: renovate.json
Error type: Invalid JSON (parsing failed)
Message: Syntax error: expecting String near ],
{
"

No temporary blocking of the account if attempting to connect via attribute

After X attempts the user account must be temporarily blocked.

it's ok if the identifier is the official username
it's ko if the identifier is the attribute

The automated release is failing 🚨

🚨 The automated release from the `master` branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Unfortunately this error doesn't have any additional information. Feel free to kindly ask the author of the @semantic-release/exec plugin to add more helpful information.

Good luck with your project ✨

Your semantic-release bot 📦🚀

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

github-actions

.github/workflows/ci.yml

actions/checkout v4

actions/setup-java v4.2.2

actions/cache v4.0.2

s4u/maven-settings-action v3.0.0

cycjimmy/semantic-release-action v3

cycjimmy/semantic-release-action v3

maven

pom.xml

org.keycloak:keycloak-server-spi 25.0.2

org.keycloak:keycloak-server-spi-private 25.0.2

org.keycloak:keycloak-services 25.0.2

com.github.dasniko:testcontainers-keycloak 3.4.0

org.testcontainers:junit-jupiter 1.20.1

org.junit.jupiter:junit-jupiter-api 5.11.0

org.slf4j:slf4j-simple 2.0.16

com.microsoft.playwright:playwright 1.46.0

org.apache.maven.plugins:maven-compiler-plugin 3.13.0

org.codehaus.mojo:flatten-maven-plugin 1.6.0

org.sonatype.plugins:nexus-staging-maven-plugin 1.7.0

org.apache.maven.plugins:maven-source-plugin 3.3.1

org.apache.maven.plugins:maven-javadoc-plugin 3.8.0

org.apache.maven.plugins:maven-gpg-plugin 3.2.5

org.apache.maven.plugins:maven-enforcer-plugin 3.5.0

maven-wrapper

.mvn/wrapper/maven-wrapper.properties

maven 3.9.9

Check this box to trigger a request for Renovate to run again on this repository

Login without login page

Hey!

Is it possible to use your plugin to login without using the login page.
For example, I enter into the browser line:
http: // address: port / auth / realms / REALMNAME / ...? Attribute = 1234
And keycloak redirects me to a secured app
Is this a possible solution? Or it is necessary to make POST requests. If so, is it possible to exchange the attribute for an access token?
I would be glad to have any help. Thanks.

how to download jar file from this github?

The automated release is failing 🚨

🚨 The automated release from the `master` branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can resolve this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

If you are not sure how to resolve this, here is some links that can help you:

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Deployment to maven failed.

The deployment to maven failed for an unknown reason.

Please check the logs on the CI server to see what happened.

Good luck with your project ✨

Your semantic-release bot 📦🚀

Java Runtime for keycloak modules should be java 11 compliant

Authenticator is not visible in Keycloak

I've added jar with keycloak-login-attribute to my keycloak (/opt/keycloak/providers but also tried different locations). In my logs I see:

keycloak  | 2023-11-07 21:10:21,686 WARN  [org.keycloak.services] (build-17) KC-SERVICES0047: attribute-username-password-form (fr.cnieg.keycloak.providers.login.attribute.authenticator.AttributeUsernamePasswordFormFactory) is implementing the internal SPI authenticator. This SPI is internal and may change without notice

I don't see any other error in logs.

When I try to add new step in the duplicated browser flow, I cannot see Attribute Username Password Form

Only login/attribute form

Hello! Can you add only login/attribute form, without password? It possibility needs for webauthn passwordless

cnieg / keycloak-login-attribute Goto Github PK

keycloak-login-attribute's Introduction

Keycloak Login Attribute SPI

Use Case

Installation

Configuration

Keycloak Reset Credential Attribute

Configuration

License

keycloak-login-attribute's People

Contributors

Stargazers

Watchers

Forkers

keycloak-login-attribute's Issues

🚨 The automated release from the master branch failed. 🚨

Detected dependencies

🚨 The automated release from the master branch failed. 🚨

Deployment to maven failed.

Recommend Projects

Recommend Topics

Recommend Org

🚨 The automated release from the `master` branch failed. 🚨

🚨 The automated release from the `master` branch failed. 🚨