How to create a blacklist email domain?


I don’t want users to use some specific email domains to register.
E.g., reject all registration from or
I’m not able to find a way to achieve that.

Do you have any clue?



There is no built-in functionality to do that.

You can override the registration flow with your own implementation of RegistrationProfile (keycloak/ at master · keycloak/keycloak · GitHub) and check there for your blacklisted domains.

In the Keycloak 14 release, they added a declarative user profile (Server Administration Guide) which allows you to create validators for each field. I have not yet seen documentation on how to build these validators, so maybe one of the maintainers can chime in here. However, according to the documentation, you should be able to build a validator and then associate it with a field.

1 Like

Thanks for your advice

Following up, there was just a post on the mailing list from one of the maintainers who pointed to an example validator: keycloak/ at 14.0.0 · keycloak/keycloak · GitHub

Looks like there are other examples of built-in validators in the same dir: keycloak/server-spi-private/src/main/java/org/keycloak/validate/validators at 14.0.0 · keycloak/keycloak · GitHub

I haven’t tried yet, but you probably need to implement org.keycloak.validate.ValidatorFactory and org.keycloak.validate.Validator and put the class name in META-INF/services/org.keycloak.validate.ValidatorFactory. The doValidate method is the only thing that needs your custom logic to blacklist domains.

1 Like
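The domain check that a custom `doValidate` like the one described above would need, as an added example that is not part of the original posts or of Keycloak's code. `EmailDomainBlocklist` and `isBlocked` are hypothetical names, the domains are constructed samples, and only JDK classes are used; wiring the result into a Keycloak validator is left to the SPI the posts link to.

```java
import java.net.IDN;
import java.util.Locale;
import java.util.Set;

// Added illustration; EmailDomainBlocklist and isBlocked are hypothetical names,
// not Keycloak classes. Only JDK APIs are used.
public class EmailDomainBlocklist {

    // Returns true when the e-mail's domain, or any parent domain of it, is in
    // blockedDomains (entries expected as lowercase ASCII, e.g. "blocked.example").
    public static boolean isBlocked(String email, Set<String> blockedDomains) {
        if (email == null) {
            return false; // leave "required" checks to other validators
        }
        int at = email.lastIndexOf('@');
        if (at < 0 || at == email.length() - 1) {
            return false; // no domain part; format validation is a separate concern
        }
        String domain = email.substring(at + 1).trim();
        if (domain.endsWith(".")) {
            domain = domain.substring(0, domain.length() - 1); // drop the root dot
        }
        try {
            // Normalise internationalised names to punycode before comparing.
            domain = IDN.toASCII(domain).toLowerCase(Locale.ROOT);
        } catch (IllegalArgumentException e) {
            return true; // cannot be normalised: reject instead of skipping the list
        }
        // Walk up the labels so mail.blocked.example matches the entry blocked.example,
        // while notblocked.example does not (comparison is per label, not endsWith).
        for (String d = domain; !d.isEmpty(); ) {
            if (blockedDomains.contains(d)) {
                return true;
            }
            int dot = d.indexOf('.');
            d = dot < 0 ? "" : d.substring(dot + 1);
        }
        return false;
    }

    public static void main(String[] args) {
        Set<String> blocked = Set.of("blocked.example"); // constructed sample list
        String[] samples = { "a@blocked.example", "a@MAIL.Blocked.Example.",
                             "a@notblocked.example", "a@allowed.example" };
        for (String s : samples) {
            System.out.println(s + " -> " + isBlocked(s, blocked));
        }
    }
}
```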

Hey. It’s an old question, but I think it may help someone else. Another option is to update the authentication flow to add a validation based on a user attribute (e.g., email). However, it seems it needs to be created first in the flow, and only after that it’ll be possible to validate its attribute. Not sure if it’s possible to use another condition in this case.

Reference: Server Administration Guide