Custom Policy Provider SPI

I’m trying to extend my Keycloak server (or even Keycloak itself) with a custom authorization policy – any chance someone did a similar thing already?

Basically, I’d like to create a custom policy that a user can create, edit, delete from the admin console, with custom fields, rules, evaluation, etc.

I looked into how e.g. RolePolicyProvider is set up and tried doing the same, by setting up a custom Java SPI with a custom PolicyProvider and PolicyProviderFactory - and I managed to deploy the provider, having Keycloak display it.


But if I try creating it, Keycloak prompts me with an error “Page not found…”

Which I’d expect, as I haven’t defined the fields, form ie. a template yet – but I can’t even find relevant info on how to actually do this.

Are there any docs on how to do this? Has anyone tried doing something similar?

I was faced with the same issue. I created the Policy using the API:

curl --location --request POST 'http://localhost:8080/auth/admin/realms/myrealm/clients/1d7fe657-0184-4449-afe1-44146776c6b9/authz/resource-server/policy' \
--header 'Authorization: Bearer eyJ...' \
--header 'Content-Type: application/json' \
--data-raw '{"name":"My custom policy","type":"myCustomPolicyType"}'

Hi @cristiandmt ,

Could you please share some samples regarding this …?

This is a sample custom policy SPI. It validates only that the username starts with keycloak. GitHub - xjkwak/keycloak-custom-policy-spi: Example about creating a Custom Policy SPI in Keycloak

1 Like