keycloak-restrict-client-auth by sventorben

Keycloak authenticator for client authorization restriction

Created 4 years ago
377 stars

Project Summary

This Keycloak authenticator extension allows administrators to restrict user access to specific clients based on roles or policies. It is designed for Keycloak administrators and security engineers who need fine-grained control over client authentication beyond Keycloak's default capabilities. The primary benefit is enhanced security by ensuring only authorized users can access designated clients.

How It Works

The authenticator operates in two modes: role-based and policy-based. In role-based mode, it checks for a specific client role (defaulting to restricted-access) assigned to the user. If the user possesses this role, authentication proceeds; otherwise, it fails. In policy-based mode, intended for confidential OIDC clients with authorization enabled, it evaluates Keycloak's resource and policy configurations. Access is granted only if policies permit it, offering a more dynamic and granular control mechanism.
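The role-based mode described above, sketched as a Keycloak `Authenticator` SPI implementation. This is an added illustration written for this page, not the project's own source; the class name, the config key `restricted-role-name`, and the choice to treat a client that defines no such role as unrestricted are assumptions of this sketch, not facts from the README.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;

// Illustrative role-based restriction (hypothetical class, not the project's code).
public class RoleRestrictedClientAuthenticator implements Authenticator {

    // Role name the page describes as the default.
    static final String DEFAULT_ROLE = "restricted-access";
    // Assumed config key for the customisable role name.
    static final String CONFIG_ROLE_KEY = "restricted-role-name";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        ClientModel client = context.getAuthenticationSession().getClient();
        RoleModel required = client.getRole(roleName(context));

        // Assumption of this sketch: a client that does not define the role
        // has not opted in to restriction, so the step passes unchanged.
        if (required == null) {
            context.success();
            return;
        }
        // Restricted client: only users holding the client role may continue.
        if (user == null || !user.hasRole(required)) {
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }
        context.success();
    }

    private static String roleName(AuthenticationFlowContext context) {
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        if (cfg == null || cfg.getConfig() == null) return DEFAULT_ROLE;
        return cfg.getConfig().getOrDefault(CONFIG_ROLE_KEY, DEFAULT_ROLE);
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Because `requiresUser()` returns true, the step must sit after a user-identifying step in every flow (including the post-login flows used for Identity Provider redirects), otherwise the check is never reached.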

Quick Start & Requirements

  • Installation: Download the .jar release compatible with your Keycloak version and place it in the Keycloak providers directory. For Docker, mount or copy the JAR to /opt/keycloak/providers.
  • Prerequisites: Keycloak server.
  • Configuration: Requires creating a custom authentication flow, adding the "Restrict user authentication on clients" authenticator, and configuring it for either role-based or policy-based access. Detailed configuration steps and examples are provided in the README.

Highlighted Details

  • Supports both role-based (using client roles) and policy-based (using Keycloak resources, permissions, and policies) access control.
  • Offers customization for the role name used in role-based mode.
  • Includes a workaround for Identity Provider redirects by configuring post-login flows.
  • Provides a client policy condition (restrict-client-auth-enabled) and executor (restrict-client-auth-auto-config) for integration with Keycloak's client policy system.

Maintenance & Community

The project is maintained by sventorben. The README does not explicitly mention community channels like Discord or Slack, nor does it detail a roadmap or specific partnerships.

Licensing & Compatibility

The README does not explicitly state a license. Compatibility is generally good across Keycloak versions due to SPI stability, but specific versions are compiled against particular Keycloak releases. Users are advised to check compatibility tests or fork for older versions.

Limitations & Caveats

This extension is not a Policy Enforcement Point (PEP); clients must validate audience claims. Proper configuration across all authentication flows, including those involving Identity Provider redirects, is crucial to prevent bypasses. The client policy integration is currently in preview.

Health Check

  • Last Commit: 3 days ago
  • Responsiveness: 1 day
  • Pull Requests (30d): 2
  • Issues (30d): 1
  • Star History: 7 stars in the last 30 days
