Akeyless provides an additional way of user authentication in Keycloak Identity Platform using signed JWT tokens.
Users that have a valid JWT token issued by Akeyless, which includes their email address, can use this token to authenticate in Keycloak platform instead of using their username/password.
Download the latest version of the plugin from:
Or use the following Maven dependency definition:
<dependency> <groupId>io.akeyless</groupId> <artifactId>akeyless-keycloak</artifactId> <version>Specify the plugin version here</version> <scope>compile</scope> </dependency>
In order to deploy this plugin into a Keycloak environment copy the
akeyless-keycloak-<version>-jar-with-dependencies.jar into your Keycloak
Verify your deployment in Keycloak logs:
x[org.jboss.as.repository] (DeploymentScanner-threads - 1) WFLYDR0001: Content added at location /opt/bitnami/keycloak/standalone/data/content/4d/ab9072c416eabb61fe0aa72f94bbc44acb1110/content [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0027: Starting deployment of "akeyless-keycloak-jar-with-dependencies.jar" (runtime-name: "akeyless-keycloak-jar-with-dependencies.jar" [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-2) Deploying Keycloak provider: akeyless-keycloak-jar-with-dependencies.jar [org.keycloak.services] (MSC service thread 1-2) KC-SERVICES0047: akeyless-authenticator (io.akeyless.AkeylessAuthenticatorFactory) is implementing the internal SPI authenticator. This SPI is internal and may change without notice [org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed "akeyless-keycloak-jar-with-dependencies.jar" (runtime-name : "akeyless-keycloak-jar-with-dependencies.jar")
When working with ephemeral containers
deploymentsfolder should be mounted using persistent volumes.
After successful deployment, Keycloak administrator must configure the browser authentication flow to use Akeyless Authenticator as an alternative to other authentication methods.
Navigate to "Authentication", Select "Browser" in the combo-box, and click "Copy":
Name the flow as “Akeyless Browser” and click “Save”.
Click "Add execution", select "Akeyless" from the combo-box and save:
Move "Akeyless" up and mark it as "Alternative" instead of "Disabled":
On "Bindings" tab, select "Akeyless Browser" in the combo-box next to "Browser Flow" label. Click "Save":
Akeyless Keycloak Authenticator uses JWT tokens signed by Akeyless to establish user identity.
Tokens used by Akeyless Authenticator must include user’s email address.
The token can be extracted via SAML authentication, and then retrieving the token from temporary credentials file:
$ akeyless auth --access-type saml --access-id <saml-access-id> Authentication succeeded. Token: <some-random-string> $ cat ~/.akeyless/.tmp_creds/<same-random-string-as-above> | jq .uam_creds -r <JWT Token value>
This JWT token value should be used in Keycloak.
Initiate SAML authentication using your Keycloak deployment, and instead of using username/password on Keycloak login page, modify the URL by adding
&creds=<jwt token value> parameter, and hit “Enter”.
If the provided JWT token is valid, and include an email address of an existing Keycloak user, that user will be authenticated successfully, and the user will be redirected to the final address.
Updated 4 months ago