I'd like to add a new auth method in Keycloak. To be precise, I'd like Keycloak to ask an external API for some specific value. I have read about flows in Keycloak but they seem to be poorly documented and I have a feeling that it is not very intuitive.
During login I would like Keycloak to send a request to an external API and, if and only if a specific value is returned, allow the user to log in. For example, I could override some login method and add a few lines of code doing what I want.
Which method in which class is responsible for login?
There are multiple things you need to do to achieve that. I will go over them:
I assume you know how to write and deploy a Keycloak extension.
The specific interfaces are these:
org.keycloak.authentication.AuthenticatorFactory
org.keycloak.authentication.Authenticator
A sample implementation:
org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory
org.keycloak.authentication.authenticators.browser.UsernamePasswordForm
If you want to externalize your config (so you can add username/password etc. for the external API), override the getConfigProperties() method in AuthenticatorFactory.



Bind your flow in the second tab of Authentication page.
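
An Authenticator of the kind the answer describes, as an added example that is not part of the original answer or of Keycloak's own code. It assumes Java 11+, two hypothetical config keys (`apiUrl`, `expectedValue`) exposed through getConfigProperties(), an external API that returns the value as a plain-text body, and that this step runs after one that has already identified the user. Any timeout, error or unexpected response denies the login.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.Map;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.*;

// Hypothetical class name; register it through your own AuthenticatorFactory.
public class ExternalApiAuthenticator implements Authenticator {
    private static final HttpClient HTTP = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(3)).build();

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        Map<String, String> c = cfg == null ? Map.of() : cfg.getConfig();
        String apiUrl = c.get("apiUrl");          // assumed config key
        String expected = c.get("expectedValue"); // assumed config key
        if (apiUrl == null || expected == null || !apiUrl.startsWith("https://")) {
            context.failure(AuthenticationFlowError.INTERNAL_ERROR); // misconfigured: deny
            return;
        }
        try {
            String user = URLEncoder.encode(context.getUser().getUsername(), StandardCharsets.UTF_8);
            HttpRequest req = HttpRequest.newBuilder(URI.create(apiUrl + "?username=" + user))
                    .timeout(Duration.ofSeconds(5)).GET().build();
            HttpResponse<String> resp = HTTP.send(req, HttpResponse.BodyHandlers.ofString());
            if (resp.statusCode() == 200 && expected.equals(resp.body().trim())) {
                context.success(); // only an exact match lets the flow continue
                return;
            }
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
        } catch (Exception e) { // timeout, I/O error, bad URL: fail closed
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
        }
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return true; } // needs an identified user
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Mark the execution as REQUIRED in the flow so a failure here cannot be bypassed by an alternative step.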
