Hey there,
I am currently using the “–features=upload-scripts” option which was removed in Keycloak 18. Now I am trying to migrate my uploaded script for role based authentication to a custom jar but fail so far. I want to add a custom JS authenticator which I want to select under Configure > Authentication > Flow (maybe this is already the wrong idea here?). Then, e.g. by selecting the browser flow and clicking on Actions > Add exection, I expect to be able to select my custom authentication provider with name “My Role Based Authenticator” but cannot find it in the drop down list by its name.
The output of kc.sh show-config gives me the following from which I assume, that adding the custom jar actually worked.
Current Mode: none
Runtime Configuration:
kc.cache = ispn (PersistedConfigSource)
kc.config.args = show-config (SysPropConfigSource)
kc.db = dev-file (PersistedConfigSource)
kc.db.password = xx (EnvConfigSource)
kc.db.url = jdbc:postgresql://keycloak-postgres:5432/keycloak?ssl=allow (EnvConfigSource)
kc.db.username = xx (EnvConfigSource)
kc.home.dir = /opt/keycloak/bin/../ (SysPropConfigSource)
kc.hostname = xx (EnvConfigSource)
kc.hostname.strict = false (EnvConfigSource)
kc.http-enabled = true (EnvConfigSource)
kc.http-relative-path = / (PersistedConfigSource)
kc.metrics-enabled = false (PersistedConfigSource)
kc.provider.file.my-role-based-authenticator.jar.last-modified = 1651603921724 (PersistedConfigSource)
kc.proxy = edge (EnvConfigSource)
kc.quarkus-properties-enabled = false (PersistedConfigSource)
kc.show.config = none (SysPropConfigSource)
kc.version = 17.0.1 (SysPropConfigSource)
Here is what I did / my setting:
Docker Compose
I am running keycloak in docker behind a nginx and with Postgres DB. These are the lines of my compose file regarding keycloak:
keycloak:
container_name: keycloak
image: quay.io/keycloak/keycloak:17.0
restart: always
command: "start --auto-build --db=postgres --features=upload-scripts"
volumes:
- ${PATH_DOCKERCOMPOSE}/keycloak/customproviders:/opt/keycloak/providers
environment:
TZ: Europe/Berlin
KEYCLOAK_ADMIN: xx
KEYCLOAK_ADMIN_PASSWORD: xx
# change these values to point to a running postgres instance
KC_DB_URL: "jdbc:postgresql://keycloak-postgres:5432/keycloak?ssl=allow"
KC_DB_USERNAME: xx
KC_DB_PASSWORD: xx
KC_HOSTNAME: xx
KC_HOSTNAME_STRICT: "false"
KC_HTTP_ENABLED: "true"
KC_PROXY: edge
Custom JAR
I ziped the following files into a jar, called “my-role-based-authenticator.jar” and placed this jar via docker volumes to opt/keycloak/providers inside the keycload docker container.
File with name “keycloak-scripts.json” in folder with name “META-INF” inside the jar:
{
"authenticators": [
{
"name": "My Role Based Authenticator",
"fileName": "my-role-based-authenticator.js",
"description": "My role based Authenticator from a JS file"
}
]
}
File with name “my-role-based-authenticator.js” at root level of jar
FormMessage = Java.type('org.keycloak.models.utils.FormMessage');
function authenticate(context) {
var username = user ? user.username : "anonymous";
LOG.info(script.name + " trace auth for: " + username);
var client = session.getContext().getClient();
var roleModel = client.getRole("access");
if (!user.hasRole(roleModel)) {
context.forkWithErrorMessage(new FormMessage('label', 'User is not allowed to access this client.'));
return;
}
context.success();
}
now I just use standard executions for the RBAC. Thanks anyway!