Custom Unique Validator Comparing Against Other User Data

Hello. I am trying to find how to create a custom uniqueness validator that can compare its own value or a combination of its own and another field against other user data.

What we are trying to accomplish is something like the uniqueness check built into Keycloak for the username or email as username field. But in this case we would like to ensure a user cannot sign up or change custom fields which already exist in our User database.

Is it possible to reach into the user database for checks like this on a custom validator?

I see examples of creating custom validators but these seem to only be checking the current input value against rules and not against already entered values by the user or users in general.
You have access to the KeycloakSession from the ValidationContext.getSession() method. From there, you can access stored data using the providers. E.g. you can get access to users with validationContext.getSession().users().

Hey @xgp. Ok so I see that now and I have followed the example of something like this: keycloak-extension-playground/AgeValidator.java at master · thomasdarimont/keycloak-extension-playground · GitHub

Once I have a Validator like this written and I build to a JAR how does one deploy this validator to Keycloak? Is there documentation somewhere that I missed?

Thank you ahead of time. :)

Put it in the providers/ dir and start the server.

That is what I thought and I tried that. It shows that it loads up the custom SPIs but I don’t see them as an option in the Realm settings → User profile → Edit attribute → Add Validator drop down for attribute.

Log on start up:

2023-02-17 13:11:05 2023-02-17 21:11:05,156 WARN  [org.keycloak.services] (build-26) KC-SERVICES0047: custom-phone-dob (com.github.thomasdarimont.keycloak.userprofile.validator.DOBPhoneValidator) is implementing the internal SPI validator. This SPI is internal and may change without notice
2023-02-17 13:11:05 2023-02-17 21:11:05,156 WARN  [org.keycloak.services] (build-26) KC-SERVICES0047: custom-age (com.github.thomasdarimont.keycloak.userprofile.validator.AgeValidator) is implementing the internal SPI validator. This SPI is internal and may change without notice

I have created the DOBPhoneValidator from scratch and also tried the AgeValidator taken from the Keycloak Extension Playground Github Repo.


The log on startup you can ignore. As to why it’s not there, I would suggest asking Thomas. I think others have had this problem before (e.g. How to deploy a custom validator for a custom user attribute within declarative user profile?)

Yeah I saw that post but no one else responded to the OP.

@thomasdarimont any ideas?

I also had this problem with the custom validator not being present in the UI. But try adding it manually via the JSON Editor, you will notice that it is working correctly.

@atemelko Wow yes adding it manually now has it going into the custom validator code. Seems like this is something that should be fixed by Keycloak.

Without asking a question here I’m sure some people would not have figured that out. Thank you!

I think you should also implement ConfiguredProvider so that it has a description

Yes implementing ConfiguredProvider works. Thank you @edewit

For future readers you just need to implement ConfiguredProvider and both methods getHelpText() and getConfigProperties().

Get Help Text will provide the description of the validator and Get Config Properties allows setting up the modal and information for passed in properties. It is helpful to look into Keycloak’s source code for examples such as PersonNameProhibitedCharactersValidator.java.