Skip to content

Mirrored from https://rechenknecht.net/giz/keycloak/expire-user-accounts A Keycloak authenticator that denies access to users whose account expiration date has passed.

License

Notifications You must be signed in to change notification settings

giz-berlin/keycloak-expire-user-accounts

Repository files navigation

Keycloak Expire User Accounts

pipeline status

This provider allows you to set an individual expiration date for user accounts. Once that date has passed, users are no longer able to log in and disabled in Keycloak.

Installation

Place the generated jar-file into the Keycloak deployments folder. In the Keycloak Wildfly distribution it is located at /opt/jboss/keycloak/standalone/deployments, while in the Quarkus distribution it is located at /opt/keycloak/providers.

Keycloak Flows

To actually use the authenticator, you must activate it in your Keycloak flows.

⚠ Please take care using all the flows you will set up in this section. Do so by using the global flow bindings of your realm and checking for every client that there is no override defined there.

For the Browser Flow, use something like this:

Default authentication flow, modified for the expire-user-account authenticator

For the Direct Grant Flow you need something like the following:

Direct grant flow

If you use external identity providers, it is very important to check the expiration after the provider authenticated the user. Therefore, you have to overwrite the Post Login Flow in your identity providers with a flow that includes this authenticator.

⚠ If you use any other flows, check whether you need to add this authenticator there as well.

Configuration

By default, the error message shown to a user is the default noAccessMessage:

No access message shown

However, you can configure the error message that is shown to the user. To do so, visit your flow's page, click the Actions button on this authenticator and choose Config. Then, configure the provider to your liking.

Configuration of this authenticator

Declarative User Profile

As of Keycloak 21 the declarative user profile is supported in the admin console, such that the user creation/editing etc. forms can be generated based on that.

If you enable the declarative-user-profile feature, you can add the accountExpirationDate property using the following JSON in the JSON editor:

{
      "name": "accountExpirationDate",
      "displayName": "Account Expiration Date",
      "selector": {
        "scopes": []
      },
      "permissions": {
        "edit": [
          "admin"
        ],
        "view": [
          "admin"
        ]
      },
      "annotations": {},
      "validations": {
        "pattern": {
          "pattern": "^\\d{4}-\\d{1,2}-\\d{1,2}$",
          "error-message": ""
        }
      },
      "group": null
    }

You can also get a similar configuration using the normal UI.

This configuration ensures that only admins can edit and view the attribute. If you want that users can view their own expiration date, enable the view permission for users as well.

About

Mirrored from https://rechenknecht.net/giz/keycloak/expire-user-accounts A Keycloak authenticator that denies access to users whose account expiration date has passed.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages