How to access user-defined claims in a custom Keycloak protocol mapper?
Goal / Context I have a workflow in which information about my users is scattered between my client, Keycloak, and an internal database. Based on a given claim_token, I want to perform a lookup to further enrich identity tokens with custom claims. The workflow is roughly as follows: a request for a token is performed […]
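The skeleton of such a mapper, as an added example rather than code from the question above or from Keycloak itself, using Keycloak's public OIDC protocol-mapper SPI (AbstractOIDCProtocolMapper, OIDCAttributeMapperHelper). Assumptions: the package and class names, the provider id, the in-memory map standing in for the internal database, and that the incoming claim_token value has already been stored on the user as a hypothetical attribute named claim_token (the question does not say where the value lives, so that part is a stand-in). The mapper fails closed: if the lookup yields nothing, no claim is emitted.

```java
// Added example, not code from the question or from Keycloak's own sources.
// Hypothetical: package/class name, provider id, attribute "claim_token",
// and the LOOKUP map that stands in for the internal database.
package example.keycloak;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

public class LookupClaimMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "example-lookup-claim-mapper";

    // Hypothetical user attribute that holds the claim_token value.
    private static final String CLAIM_TOKEN_ATTRIBUTE = "claim_token";

    // Constructed stand-in for the internal database lookup.
    private static final Map<String, String> LOOKUP = Map.of(
            "ct-1001", "gold",
            "ct-1002", "silver");

    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<>();

    static {
        // Adds the standard "Token Claim Name", "Claim JSON Type" and
        // "Add to ID token / access token / userinfo" settings to the admin console.
        OIDCAttributeMapperHelper.addAttributeConfig(CONFIG_PROPERTIES, LookupClaimMapper.class);
    }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Lookup claim (example)"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Adds a claim resolved from the user's claim_token."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG_PROPERTIES; }

    // Called by the base class for each token type the admin enabled in the mapper config.
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel,
                            UserSessionModel userSession, KeycloakSession keycloakSession,
                            ClientSessionContext clientSessionCtx) {
        String claimToken = userSession.getUser().getFirstAttribute(CLAIM_TOKEN_ATTRIBUTE);
        if (claimToken == null || claimToken.isBlank()) {
            return; // Nothing to look up: emit no claim rather than a placeholder value.
        }
        String resolved = LOOKUP.get(claimToken);
        if (resolved == null) {
            return; // Unknown claim_token: fail closed, do not enrich the token.
        }
        // Writes the value under the configured claim name, honoring the JSON-type setting.
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, resolved);
    }
}
```

To make Keycloak pick the mapper up, package it as a JAR with a `META-INF/services/org.keycloak.protocol.ProtocolMapper` file containing the fully qualified class name, then add the mapper to the client or client scope in the admin console. Claims already written by mappers that ran earlier are visible through `token.getOtherClaims()` inside `setClaim`; whether another mapper has run first depends on mapper ordering (priority), so do not rely on a claim being present unless your mapper is ordered after the one that sets it.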
Keycloak authorization_code invalid format
I have a local Keycloak server running with “Standard Authorization Code Flow”.
Manipulate sub in keycloak
We’re using Keycloak in an OpenID Connect flow and have set up everything fine so far. The only remaining thing I want to do is to manipulate the sub in a certain way: the ID provider sends us a sub, which we map 1:1 to the sub in the token. But now we want to manipulate this sub like
How to read claims values in a Keycloak Authenticator Script?
My ultimate goal is to write an authenticator which can check whether a user’s identity provider login used MFA or not, and I’m trying to achieve this by writing a script which views the claim values from the user, such as the acr claim value.
Do I need to follow the “OAuth2 authorization code flow” when using Keycloak login page?
I am new to Keycloak and I have a task to integrate it into our web applications in order to add authentication using the built in Keycloak login page.
Authenticating 2 clients of same realm of keycloak
I am having issues while authenticating 2 clients of the same realm of Keycloak within a project. I have a scenario where, for a particular route, there should be a longer token lifespan to avoid frequent logouts. To manage such a requirement I decided to have a separate client that would have different session and token lifespans. But every time I try to authenticate my second client after already being authenticated in my first client, I get logged out and get a new login request page to log in again. Before integrating such changes directly into my project, I also configured and tested this in a local project, where I was able to authenticate 2 clients of the same realm and didn’t face any such issues.
Can’t link idp user automatically
I would like only users who already have a Keycloak account with the same e-mail address (user name) to be able to log in via the IdP.
Keycloak already has documentation here on how the authentication flow should look. Unfortunately, this does not work for me.
I have activated the “Login with email” option in the realm settings and all users in Keycloak have an email as their username.
It’s about OpenID Connect with Microsoft Azure.
Logout from all Keycloak clients
I have an application where we’re implementing Keycloak for authentication. We’re integrating with an external IdP (Azure) via OIDC.