Trouble getting custom authentication script deployed

Hey there,

I am currently using the “–features=upload-scripts” option, which was removed in Keycloak 18. Now I am trying to migrate my uploaded script for role-based authentication to a custom jar but have failed so far. I want to add a custom JS authenticator which I want to select under Configure > Authentication > Flow (maybe this is already the wrong idea here?). Then, e.g. by selecting the browser flow and clicking on Actions > Add execution, I expect to be able to select my custom authentication provider with the name “My Role Based Authenticator”, but I cannot find it in the drop-down list by its name.

The output of kc.sh show-config gives me the following, from which I assume that adding the custom jar actually worked.

Current Mode: none
Runtime Configuration:
	kc.cache =  ispn (PersistedConfigSource)
	kc.config.args =  show-config (SysPropConfigSource)
	kc.db =  dev-file (PersistedConfigSource)
	kc.db.password =  xx (EnvConfigSource)
	kc.db.url =  jdbc:postgresql://keycloak-postgres:5432/keycloak?ssl=allow (EnvConfigSource)
	kc.db.username =  xx (EnvConfigSource)
	kc.home.dir =  /opt/keycloak/bin/../ (SysPropConfigSource)
	kc.hostname =  xx (EnvConfigSource)
	kc.hostname.strict =  false (EnvConfigSource)
	kc.http-enabled =  true (EnvConfigSource)
	kc.http-relative-path =  / (PersistedConfigSource)
	kc.metrics-enabled =  false (PersistedConfigSource)
	kc.provider.file.my-role-based-authenticator.jar.last-modified =  1651603921724 (PersistedConfigSource)
	kc.proxy =  edge (EnvConfigSource)
	kc.quarkus-properties-enabled =  false (PersistedConfigSource)
	kc.show.config =  none (SysPropConfigSource)
	kc.version =  17.0.1 (SysPropConfigSource)

Here is what I did / my setting:

Docker Compose

I am running keycloak in docker behind an nginx and with a Postgres DB. These are the lines of my compose file regarding keycloak:

keycloak:
    container_name: keycloak
    image: quay.io/keycloak/keycloak:17.0
    restart: always
    command: "start --auto-build --db=postgres --features=upload-scripts"
    volumes:
      - ${PATH_DOCKERCOMPOSE}/keycloak/customproviders:/opt/keycloak/providers
    environment:
      TZ: Europe/Berlin
      KEYCLOAK_ADMIN: xx
      KEYCLOAK_ADMIN_PASSWORD: xx
      # change these values to point to a running postgres instance
      KC_DB_URL: "jdbc:postgresql://keycloak-postgres:5432/keycloak?ssl=allow"
      KC_DB_USERNAME: xx
      KC_DB_PASSWORD: xx
      KC_HOSTNAME: xx
      KC_HOSTNAME_STRICT: "false"
      KC_HTTP_ENABLED: "true"
      KC_PROXY: edge

Custom JAR

I zipped the following files into a jar called “my-role-based-authenticator.jar” and placed this jar via docker volumes into /opt/keycloak/providers inside the keycloak docker container.

File with name “keycloak-scripts.json” in folder with name “META-INF” inside the jar:

{
    "authenticators": [
        {
            "name": "My Role Based Authenticator",
            "fileName": "my-role-based-authenticator.js",
            "description": "My role based Authenticator from a JS file"
        }
    ]
}

File with name “my-role-based-authenticator.js” at root level of the jar:

// Keycloak binds script, realm, user, session and LOG for script authenticators
var FormMessage = Java.type('org.keycloak.models.utils.FormMessage');

function authenticate(context) {

    var username = user ? user.username : "anonymous";
    LOG.info(script.name + " trace auth for: " + username);

    // The client the user is logging in to, and the client role that grants access
    var client = session.getContext().getClient();
    var roleModel = client.getRole("access");

    // Deny when there is no user yet, the client has no "access" role, or the user lacks it
    if (!user || roleModel === null || !user.hasRole(roleModel)) {

        context.forkWithErrorMessage(new FormMessage('label', 'User is not allowed to access this client.'));
        return;
    }

    context.success();
}

The scripts feature has to be enabled:

--features=scripts

(without the “upload-”)
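An added check, not part of this thread and not Keycloak's own code, that packages the two files from the original post the way it describes (META-INF/keycloak-scripts.json plus the JS file at the jar root) and then verifies the things that commonly keep a script provider out of the admin console: a missing descriptor, a fileName that does not match an entry in the jar, and a start command that still uses upload-scripts instead of the scripts feature named in the reply above. The provider name and file name come from the post; the script body, the helper names and the sample commands are constructed.

```python
"""Build a Keycloak script-provider jar in memory and lint its layout.

Added example: helper names (build_provider_jar, check_provider_jar,
check_start_command) are assumptions, not Keycloak APIs.
"""
import io
import json
import zipfile

# Descriptor with the same shape and values as the post's META-INF/keycloak-scripts.json
DESCRIPTOR = {
    "authenticators": [
        {
            "name": "My Role Based Authenticator",
            "fileName": "my-role-based-authenticator.js",
            "description": "My role based Authenticator from a JS file",
        }
    ]
}

# Constructed stand-in for the script body; only its presence in the jar matters here
SCRIPT_BODY = "function authenticate(context) { context.success(); }\n"


def build_provider_jar(descriptor, scripts):
    """Return jar bytes: descriptor under META-INF/, each script at the jar root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/keycloak-scripts.json", json.dumps(descriptor, indent=2))
        for file_name, body in scripts.items():
            jar.writestr(file_name, body)
    return buf.getvalue()


def check_provider_jar(jar_bytes):
    """Return a list of layout problems (an empty list means the jar looks right)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = set(jar.namelist())
        if "META-INF/keycloak-scripts.json" not in entries:
            return ["missing META-INF/keycloak-scripts.json"]
        descriptor = json.loads(jar.read("META-INF/keycloak-scripts.json"))
        # The descriptor may list authenticators, policies and mappers
        for section in ("authenticators", "policies", "mappers"):
            for entry in descriptor.get(section, []):
                name, file_name = entry.get("name"), entry.get("fileName")
                if not name:
                    problems.append(f"{section}: entry without a name")
                if not file_name:
                    problems.append(f"{section}: {name!r} has no fileName")
                elif file_name not in entries:
                    problems.append(
                        f"{section}: {name!r} points at {file_name!r}, which is not at the jar root"
                    )
    return problems


def check_start_command(command):
    """True if the kc.sh command line enables the 'scripts' feature (not 'upload-scripts')."""
    for arg in command.split():
        if arg.startswith("--features="):
            features = arg.split("=", 1)[1].split(",")
            return "scripts" in features
    return False


if __name__ == "__main__":
    jar = build_provider_jar(DESCRIPTOR, {"my-role-based-authenticator.js": SCRIPT_BODY})
    print("layout problems:", check_provider_jar(jar) or "none")
    for cmd in ("start --auto-build --db=postgres --features=upload-scripts",
                "start --auto-build --db=postgres --features=scripts"):
        print(f"{cmd!r}: scripts feature enabled = {check_start_command(cmd)}")
```

To lint a jar already on disk, read it with open(path, "rb").read() and pass the bytes to check_provider_jar; the same check can be run against the contents of the providers volume before the container is started.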

… mh thanks! Sadly, this did not do the trick in the end. I still cannot see my custom script. I removed the old “uploaded” script execution before switching to the build config.

Hmm… Sorry, I am still on the Wildfly version where

-Dkeycloak.profile.feature.scripts=enabled

works for token mappers and authenticators, but I do not have spaces in the scripts’ names, maybe that’s the significant difference… Do you have something helpful in the logs? Java Version is 11?

I tinkered around for a while now and solved the issue by getting rid of the script :slight_smile: now I just use standard executions for the RBAC. Thanks anyway!

Well I hope script mappers and authenticators are still supported in Quarkus-based distribution…

hey @mm28ajos, can you share with us how you set the standard executions to block the login into a client for a user who does not have some client role, please? I’m facing the same problem, and not using custom scripts would be very nice for our keycloak’s reliability :slight_smile:
thanks!!

Hey team,
I created a custom policy jar and placed it under /providers, but I still don’t see my provider under Policies. Also, my provider name is not anywhere in the logs, so I think it’s not getting loaded. Can you help with how to load it?