The extension can be used in Keycloak authentication flows and allows calling an external service via HTTP. A typical use case is when user authentication requires not only a login and password, but also confirmation from an external service. For example, an external service sends a push notification and checks the response to it.
You have an authentication flow consisting of the following steps:
1. User validation
2. Password
3. External HTTP Authentication (this extension), with "External HTTP service URL" set to "https://my-service/auth"

In step 3, the extension sends a structured JSON payload about the user to https://my-service/auth and waits for the service to respond with a decision (allow or deny).
- Java 17 or higher
- Keycloak 26.1.5 or a compatible version
- Maven for building the project
- Build the extension
mvn clean package
- Copy the generated JAR to Keycloak's providers directory:
cp target/*.jar /path/to/keycloak/providers/
- Restart Keycloak
- Create or select an authentication flow.
- Add an External HTTP Authentication step.
- Set the External service URL setting and other parameters.

- External HTTP service URL: URL of your service to which the POST request will be sent
- External HTTP service call timeout (in ms): request timeout
The extension sends a POST request with a JSON payload:
{
  "roles": ["role1", "role2", ...],
  "attributes": {"myattribute": "somevalue", "username": "user1", ...},
  "groups": ["group1", "group2", ...]
}
The external service should respond:
- status code 200 to allow
- status code 401 or 403 to deny
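
A minimal external service that follows this contract, as an added example (not part of the extension's own code). The `/auth` path matches the URL used above; the port, the size cap, the `push-enrolled` group policy and the assumption that `username` arrives as a plain string are hypothetical. Anything malformed is denied rather than allowed.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 64 * 1024              # assumption: cap on accepted payload size
REQUIRED_GROUP = "push-enrolled"  # assumption: hypothetical policy group


def decide(raw: bytes) -> int:
    """Return the HTTP status for a payload: 200 allows, 403 denies."""
    try:
        payload = json.loads(raw)
    except (ValueError, RecursionError):
        return 403  # fail closed on invalid or pathologically nested JSON
    if not isinstance(payload, dict):
        return 403
    attributes = payload.get("attributes")
    groups = payload.get("groups")
    if not isinstance(attributes, dict) or not isinstance(groups, list):
        return 403
    username = attributes.get("username")
    if not isinstance(username, str) or not username:
        return 403
    # Stand-in for the real check (for example, a confirmed push notification).
    return 200 if REQUIRED_GROUP in groups else 403


class AuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", ""))
        except ValueError:
            length = -1
        if self.path != "/auth" or not 0 < length <= MAX_BODY:
            status = 403  # wrong path, missing or oversized body: deny
        else:
            status = decide(self.rfile.read(length))
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    # Constructed sample payload in the shape shown above.
    ok = b'{"roles": ["role1"], "attributes": {"username": "user1"}, "groups": ["push-enrolled"]}'
    print(decide(ok), decide(b"not json"))
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```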