Keycloak Customization to run custom java in authentication flow

Question

Please let me know if this is not the right place to post, but I have been looking all over for information regarding this and can't seem to find a concise answer.

I have been attempting to use keycloak to meet our application's user management requirements. While I have found keycloak to be very capable and quite effective, I have run into what may be a dead end for our usage.

Background:

Traditionally, our application has used a very basic login framework that would verify the authentication. Then using a third party application, that we cannot change , identify the roles that user would have via a wsdl operation and insert into our applications database.

For example, if we verify the user John Doe exists and authenticate his credentials, we call the wsdl in our java code to get what roles that user should have (super user, guest, regular user). Obviously this entire framework is pretty flawed and at the end of the day, this is why weve chosen to use keycloak.

Problem

Unfortunately, as I mentioned we cannot change the third party application, and we must get user role mappings from this wsdl operation. I know there is a way to create/modify keycloak's users and roles via java functions. However, in order to keep this architecture modular is there a way to configure the authentication flow to reach out to this WSDL on keycloaks side for role mapping ? (i.e. not in the application code but maybe in a scriplet in the authentication flow)

What I am looking for is essentially how to configure the authentication flow to run something as simple as "hello world" in java after the credentials are verified but before access is granted.

Not sure if the Authentication SPI could be used

Answer 1

What you need is User Storage SPI. Keycloak documentation provides a good walkthrough implementing a simple file-based user storage provider. Here is the full source code of example project used in docs.

User Storage SPI is very broad, so Keycloak offers 2 approaches to reuse features already present in Keycloak:

1. Have your users in external database and augment it with Keycloak features
2. Store users in Keycloak and import relevant info from external database

There are documented pros and cons of each approach. Using one of above approaches you can implement a tiny provider that uses a remote service only for user-group management.

Answer 2

Yes. You can write custom authenticator using the Authentication SPI. All the steps given for development of Keycloak Authentication SPI works fine except the deployment. For deploying custom SPI, add your jar as module in standalone.xml. To add the newly created SPI, follow below link: First, you need to register your SPI in Keycloak server. Add another SPI in standalone.xml or domain.xml.

<spi name="authenticator_name"> <provider name="authenticator_name" enabled="true"/> </spi>

To register module for Keycloak server, add a module in Keycloak-server subsystem:

<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
  <web-context>auth</web-context>
    <providers>
      <provider>classpath:${jboss.home.dir}/providers/*</provider>
      <provider>module:com.abc</provider>
        .....
        .....
</subsystem>

Once, this changes are made, you need to create a module at com/abc Steps: Build the code.

set KEYCLOAK_HOME=Keycloak Installation folder
%KEYCLOAK_HOME%/bin/jboss-cli.sh --command="module add --name={module_name}  --resources={path to your jar/your jar file name}  --dependencies=org.keycloak.keycloak-core,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.keycloak.keycloak-services,org.jboss.resteasy.resteasy-jaxrs,javax.ws.rs.api,org.keycloak.keycloak-common"

Once SPI module is added in Keycloak server, start Keycloak server and add the execution flow in the Keycloak Admin Console (Authentication).

For more details visit: http://www.keycloak.org/docs/3.0/server_development/topics/providers.html http://www.keycloak.org/docs/3.0/server_development/topics/auth-spi.html