Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cnieg/keycloak-login-attribute
Adds the possibility for Keycloak to connect via a user attribute
attribute-based authentication identity keycloak login module
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/cnieg/keycloak-login-attribute
- Owner: cnieg
- License: apache-2.0
- Created: 2020-03-25T09:46:05.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2024-04-12T20:45:42.000Z (3 months ago)
- Last Synced: 2024-04-13T04:07:07.418Z (3 months ago)
- Topics: attribute-based, authentication, identity, keycloak, login, module
- Language: Java
- Size: 373 KB
- Stars: 27
- Watchers: 3
- Forks: 6
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
Lists
- awesome-keycloak - Keycloak Login with User Attribute
README
![CI](https://github.com/cnieg/keycloak-login-attribute/workflows/CI/badge.svg)
[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg)](https://github.com/semantic-release/semantic-release)
[![License](https://img.shields.io/:license-Apache2-blue.svg)](http://www.apache.org/licenses/LICENSE-2.0)

# Keycloak Login Attribute SPI
An [Authentication Service Provider](https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi) that adds the possibility for [Keycloak](https://www.keycloak.org) to connect via a user attribute.
## Use Case
If the username entered in the form

* does not match a primary identifier
* does not match an email (if this option is enabled for the realm)
* respects the desired regular expression

Then the search by attribute is activated

* if this search returns a single user, password verification is activated

## Installation
Just drop the jar into the _providers_ subdirectory of your Keycloak installation (_/opt/keycloak/providers_ in the example below).
For example, you can add this snippet in a Dockerfile
```dockerfile
WORKDIR /opt/keycloak
# plugins (PLUGIN_VERSION must be defined earlier in the Dockerfile with ARG or ENV)
ADD --chown=keycloak:keycloak https://repo1.maven.org/maven2/fr/cnieg/keycloak/attribute-login-provider/$PLUGIN_VERSION/attribute-login-provider-$PLUGIN_VERSION.jar providers/attribute-login-provider-$PLUGIN_VERSION.jar
```
## Configuration
Make sure that you have correctly configured an attribute for your users which can be used as an alternative identifier.
Switch to your realm in the Keycloak administration console.
Switch to the "Authentication" configuration and copy the original browser flow,
giving the copy a reasonable name,
maybe "Browser with Attribute".
Then replace the "Username Password Form" execution with the new "Attribute Username Password Form" execution.
![Browser Flow Configuration](browser_flow_config.png "Browser Flow Configuration")
Configure this new step with your attribute name and choose a regex that restricts which inputs trigger the lookup, avoiding expensive searches by attribute.
![Authenticator Configuration](authenticator_config.png "Authenticator Configuration")
Having done so, you have to select your copy of the browser flow in the bindings tab for the browser flow.
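The lookup order from the Use Case section, combined with the attribute name and regex configured in this step, can be modelled as follows. This is an added example, not code from the plugin: it uses an in-memory user list instead of the Keycloak API, and the attribute name `employeeId`, the sample users, the pattern `E\d{4}` and the full-match regex semantics are assumptions (Java 17).

```java
import java.util.*;
import java.util.regex.Pattern;

// Simplified model of the lookup order in the Use Case section; not Keycloak SPI code.
public class AttributeLoginModel {
    record User(String username, String email, Map<String, String> attributes) {}

    // Constructed sample users; "employeeId" is a hypothetical attribute name.
    static final List<User> USERS = List.of(
        new User("alice", "alice@example.org", Map.of("employeeId", "E1001")),
        new User("bob", "bob@example.org", Map.of("employeeId", "E1002")),
        new User("carol", "carol@example.org", Map.of("employeeId", "E1002"))); // duplicate value

    static int attributeSearches = 0; // counts the expensive searches the regex is meant to limit

    /** Returns the user whose password would be checked, or empty if the login is rejected. */
    static Optional<User> resolve(String input, String attrName, Pattern regex, boolean loginWithEmail) {
        // 1. Primary identifier.
        for (User u : USERS) if (u.username().equals(input)) return Optional.of(u);
        // 2. Email, only when the realm allows it.
        if (loginWithEmail)
            for (User u : USERS) if (u.email().equals(input)) return Optional.of(u);
        // 3. Regex gate (assumption: the whole input must match the configured pattern).
        if (!regex.matcher(input).matches()) return Optional.empty();
        // 4. Attribute search; only an unambiguous result goes on to password verification.
        attributeSearches++;
        List<User> hits = USERS.stream()
            .filter(u -> input.equals(u.attributes().get(attrName))).toList();
        return hits.size() == 1 ? Optional.of(hits.get(0)) : Optional.empty();
    }

    public static void main(String[] args) {
        Pattern gate = Pattern.compile("E\\d{4}"); // constructed pattern for the sample IDs
        for (String input : List.of("alice", "bob@example.org", "E1001", "E1002", "E9999", "not-an-id"))
            System.out.printf("%-16s -> %s%n", input,
                resolve(input, "employeeId", gate, true).map(User::username).orElse("(rejected)"));
        System.out.println("attribute searches: " + attributeSearches);
    }
}
```

In this model an attribute value shared by two users (`E1002`) never reaches password verification, so the attribute has to be unique per user to work as a login identifier, and inputs that fail the regex are rejected without touching the user store.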
# Keycloak Reset Credential Attribute
Like the Keycloak Login Attribute SPI, AttributeChooseUser adds the possibility for [Keycloak](https://www.keycloak.org) to reset credentials via a user attribute.
## Configuration
Make sure that you have correctly configured an attribute for your users which can be used as an identifier alternative.
Switch to your realm in the Keycloak administration console.
Switch to the "Authentication" configuration and copy the original reset credential flow, giving the copy a reasonable name, maybe "Reset Credential with Attribute".
Then replace the "Choose User" execution with the new "Attribute Choose User" execution.
![Browser Flow Configuration](reset_credentials_flow_config.png "Reset Credentials Flow Configuration")
Configure this new step with your attribute name and choose a regex that restricts which inputs trigger the lookup, avoiding expensive searches by attribute.
![Authenticator Configuration](authenticator_config.png "Authenticator Configuration")
Having done so, you have to select your copy of the browser flow in the bindings tab for the browser flow.
## License
See [LICENSE file](./LICENSE)