Additional Conditional Keycloak Authenticator modules to be used in the authentication flow
When it comes to conditional authentication in a keycloak authentication flow, there are very little options available. Beginning with Keycloak 10, support for conditional flow executions have been added, that allow a much more flexible way to define conditions for existing authentication modules. Multiple Condition Modules can now be combined together in a sub-flow to define a logical AND condition. Unfortunately, there are not very many of those modules available (at least up to Keycloak 11) to get a useful scenario out of that.
This project shall serve as a container for additional Conditional Modules. Currently contained:
- ConditionalHeaderAuthenticator: Matches the request HTTP headers against a given expression
To build the JAR module, invoke
mvn packageThis will download all required dependencies and build the JAR in the target directory.
- Create a new directory
providersin your Keycloak installation dir (if not already existing). - Restart keycloak
All authenticators provided by this module are then available in the authentication flow configuration.
A requirement (which actually led to development of this module) was to perform a somewhat more complex - but actually quite common - conditional OTP authentication. That is: A user shall be required to perform a multi-factor authentication (password + OTP), when he is a privileged user (= has particular keycloak role) and is located externally (= has foreign IP address).
There is already a "Conditional OTP Form" available in keycloak, but it fails on the required AND-condition. Since Keycloak 10, the authentication flow is now capable of combining multiple conditional authenticators to trigger the requirement of a particular authentication module. However, there is simply no conditional module available to match the request headers. This is where this module(s) come into play.
With that, the final authentication sub-flow for performing the conditional password + OTP authentication looks like this:
- Sub-Flow: "Conditional OTP Flow" (Type: Flow; Requirement: Conditional)
- Execution: "Condition - User Configured" (Type: Authenticator.Conditional; Requirement: Required)
- Execution: "Condition - User Role" (Type: Authenticator.Conditional; Requirement: Required; Configuration: User Role = xyz)
- Execution: "Condition - Request Headers" (Type: Authenticator.Conditional; Requirement: Required; Configuration: )
- Execution: "OTP Form" (Type: Authenticator; Requirement: Required)
Configuration for "Condition - User Role":
- User Role = xyz
Configuration for "Condition - Request Headers":
- Required Header Expression = X-Forwarded-For: (10.8.|192.168.)
- Expression Inversion = True
- 1.0
- Initial release.
- Added ConditionalHeaderAuthenticator
- Fork it (https://github.com/jdelker/keycloak-conditional-authenticator/fork)
- Create your feature branch (
git checkout -b feature/fooBar) - Commit your changes (
git commit -am 'Add some fooBar') - Push to the branch (
git push origin feature/fooBar) - Create a new Pull Request