I'm trying to implement a custom auth flow in Keycloak. It should work similarly to the username & password flow (POST /openid-connect/token with params 'username' + 'password' + 'grant_type=password' -> response with access_token & refresh_token), but instead of username and password it will receive other fields (e.g. fieldA, fieldB and hash).
I wrote an implementation of org.keycloak.authentication.Authenticator that does this auth, but I can't figure out what I should do next. How can I make Keycloak validate the user using this flow?
So if I understand you correctly: you have a custom implementation of the Authenticator interface. To register it in Keycloak you also need an AuthenticatorFactory implementation, and you need to add the path to it to the config file named org.keycloak.authentication.AuthenticatorFactory. So you should have something like:
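    import org.keycloak.authentication.AuthenticationFlowContext;
    import org.keycloak.authentication.AuthenticationFlowError;
    import org.keycloak.authentication.Authenticator;
    import org.keycloak.authentication.AuthenticatorFactory;
    import org.keycloak.models.AuthenticationExecutionModel;
    import org.keycloak.models.KeycloakSession;
    import org.keycloak.models.UserModel;

    // CustomAuthenticator.java
    // The other Authenticator methods (action, requiresUser, configuredFor,
    // setRequiredActions, close) are omitted here and still have to be implemented.
    public class CustomAuthenticator implements Authenticator {
        @Override
        public void authenticate(AuthenticationFlowContext context) {
            // TODO: put your auth validation logic here; the hard-coded username is only a placeholder
            String username = "admin";
            UserModel user = context.getSession().users().getUserByUsername(username, context.getRealm());
            if (user == null) {
                // No such user: fail the execution instead of succeeding without a user
                context.failure(AuthenticationFlowError.INVALID_USER);
                return;
            }
            context.setUser(user);
            context.success(); // With context.success(), or failing with an error, you can manage your custom validation
        }
    }

    // CustomAuthenticatorFactory.java
    // The other factory methods (getHelpText, getConfigProperties, init, postInit,
    // close, ...) are omitted here and still have to be implemented.
    public class CustomAuthenticatorFactory implements AuthenticatorFactory {
        public static final String PROVIDER_ID = "custom-sso";
        private static final CustomAuthenticator SINGLETON = new CustomAuthenticator();

        @Override
        public String getDisplayType() {
            return "custom sso"; // name shown in the admin console
        }

        @Override
        public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
            return REQUIREMENT_CHOICES;
        }

        @Override
        public Authenticator create(KeycloakSession session) {
            return SINGLETON; // the authenticator is stateless, so one instance is shared
        }

        @Override
        public String getId() {
            return PROVIDER_ID;
        }
    }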
Also, in the file at src\main\resources\META-INF\services\org.keycloak.authentication.AuthenticatorFactory you need to add the path to the factory class.
After all these changes, you should be able to change your authentication flow from the Keycloak admin page.
P.S. You can't change the existing Browser flow, but you can copy it, change the copy and then bind the browser flow to your custom one.
P.P.S. I found almost the same question: Keycloak adding new authenticator. But with a better-described answer :-)
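An added example (not code from the question or the answer) of what the validation step in `authenticate` could look like for the `fieldA`, `fieldB` and `hash` form parameters from the question. It assumes that `hash` is a hex-encoded HMAC-SHA256 over the two fields, that `fieldA` carries the username, and that the shared secret sits in a hypothetical `FIELD_HASH_SECRET` environment variable; it is written for a recent Keycloak on Java 17, where `getUserByUsername` takes the realm first (older versions, as in the answer, take the username first).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.*;

public class FieldHashAuthenticator implements Authenticator {
    private static final String SECRET_ENV = "FIELD_HASH_SECRET"; // hypothetical variable name

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        var form = context.getHttpRequest().getDecodedFormParameters();
        String fieldA = form.getFirst("fieldA"), fieldB = form.getFirst("fieldB"), hash = form.getFirst("hash");
        if (fieldA == null || fieldB == null || hash == null || !hashMatches(fieldA, fieldB, hash)) {
            context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }
        // Assumption: fieldA is the username of an existing realm user.
        UserModel user = context.getSession().users().getUserByUsername(context.getRealm(), fieldA);
        if (user == null || !user.isEnabled()) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        context.setUser(user);
        context.success();
    }

    // Recomputes the HMAC and compares it in constant time; any error fails closed.
    static boolean hashMatches(String fieldA, String fieldB, String hexHash) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(System.getenv(SECRET_ENV).getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            byte[] expected = mac.doFinal((fieldA + "\n" + fieldB).getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(expected, HexFormat.of().parseHex(hexHash));
        } catch (Exception e) { // missing secret, malformed hex or crypto error
            return false;
        }
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; } // this step identifies the user itself
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```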