A custom Keycloak authenticator that restricts user access to specific clients based on user attributes.
This SPI allows you to control which Keycloak clients a user can access based on a multi-valued attribute stored in their user profile.
Build the JAR:
mvn clean package
Deploy to Keycloak:
docker cp target/*-jar-with-dependencies.jar keycloak:/opt/keycloak/providers/
docker restart keycloak
Setup:
- Add a "website" attribute to users, with the allowed client IDs as its values
- Add the authenticator to your authentication flow
- Set the authenticator to "REQUIRED" and place it after the user authentication step
- Bind the flow to clients you want to protect
The authenticator checks if the client ID is in the user's "website" attribute. If not, access is denied.
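A sketch of the check described above, written against the Keycloak `Authenticator` SPI. This is an added example, not the project's own source: the class name `ClientAttributeAuthenticator` and the event detail key `denied_client` are hypothetical. It assumes a matching `AuthenticatorFactory` registers the class and that the "website" attribute is writable only by administrators, since a user who can edit it can grant themselves access.

```java
// Added example, not the project's source. Class name is hypothetical.
import java.util.Objects;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class ClientAttributeAuthenticator implements Authenticator {
    // Attribute name taken from the setup steps above.
    static final String ATTRIBUTE = "website";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        String clientId = context.getAuthenticationSession().getClient().getClientId();

        // Fail closed: no identified user, a missing attribute, or no
        // exact (case-sensitive) match on the client ID all deny access.
        boolean allowed = user != null
                && user.getAttributeStream(ATTRIBUTE)
                       .filter(Objects::nonNull)
                       .map(String::trim)
                       .anyMatch(clientId::equals);

        if (allowed) {
            context.success();
        } else {
            // Record which client was refused so denials show up in login events.
            // "denied_client" is a constructed detail key.
            context.getEvent().detail("denied_client", clientId);
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
        }
    }

    // No form is rendered, so there is nothing to process on submit.
    @Override public void action(AuthenticationFlowContext context) { }

    // Must run after a step that has identified the user.
    @Override public boolean requiresUser() { return true; }

    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }

    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }

    @Override public void close() { }
}
```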
For detailed documentation and implementation details, see the full article: Implementing Custom Client Access Control in Keycloak