This provider lets you set an individual expiration date for each user account. Once that date has passed, the user can no longer log in and is disabled in Keycloak.
Place the generated jar file into the Keycloak provider deployment folder. In the Keycloak Wildfly distribution it is located at `/opt/jboss/keycloak/standalone/deployments`, while in the Quarkus distribution it is located at `/opt/keycloak/providers`. In the Quarkus distribution, run `kc.sh build` after adding the jar (or start the server without `--optimized`) so that the new provider is picked up.
To actually use the authenticator, you must activate it in your Keycloak flows.
⚠ Make sure the flows you set up in this section are actually the ones in use: bind them through the global flow bindings of your realm, and check every client to confirm that no client-level flow override is defined there, since such an override bypasses the realm binding and with it this check.
For the Browser Flow, use something like this:
For the Direct Grant Flow, you need something like the following:
If you use external identity providers, it is very important that the expiration is checked after the provider has authenticated the user. Therefore, you have to override the Post Login Flow of each identity provider with a flow that includes this authenticator.
⚠ If you use any other flows, check whether you need to add this authenticator there as well.
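The flow changes above are described for the admin console. As an added example (not part of this project), the same wiring done through Keycloak's Admin REST API, plus the client audit from the warning above. The provider id `account-expiration-authenticator`, the realm name and the flow alias are placeholders, not values from this page; take the real provider id from the "Add step" dialog. One caveat the example respects: Keycloak skips ALTERNATIVE steps at a level that also contains a REQUIRED step, so appending a REQUIRED execution works directly on the built-in direct grant flow (whose top-level steps are REQUIRED), while for the built-in browser flow the existing top-level alternatives (Cookie, Identity Provider Redirector, forms) first have to be moved into a REQUIRED subflow, which this example does not do.

```python
"""Added example (not the project's own code): wiring an authenticator into a
Keycloak flow through the Admin REST API and checking that no client overrides
the realm-level flow bindings.

Placeholders not taken from the README: PROVIDER_ID (the authenticator's
provider id as shown in the admin console's "Add step" dialog), the realm name
and the flow aliases. Paths are Keycloak's standard admin endpoints.
"""
import json
import urllib.request
from urllib.parse import quote

PROVIDER_ID = "account-expiration-authenticator"  # placeholder; use the real provider id


def keycloak_api(base_url, token):
    """Return a callable api(method, path, body=None) that talks to the Admin REST API."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method,
                                     headers={"Authorization": f"Bearer {token}",
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None
    return call


class RecordingApi:
    """Dry-run stand-in for keycloak_api: records every call, answers GETs from canned data."""
    def __init__(self, canned=None):
        self.calls, self.canned = [], canned or {}

    def __call__(self, method, path, body=None):
        self.calls.append((method, path, body))
        return self.canned.get(path) if method == "GET" else None


def required_execution(executions, provider_id):
    """Pick the authenticator's execution out of a flow's execution list and return the
    representation to PUT back with requirement REQUIRED. Keycloak appends a freshly
    added execution as DISABLED, so this step is what actually enforces the check."""
    matches = [e for e in executions if e.get("providerId") == provider_id]
    if len(matches) != 1:
        raise ValueError(f"expected one {provider_id} execution, found {len(matches)}")
    return {**matches[0], "requirement": "REQUIRED"}


def setup_flow(api, realm, base_flow, new_alias, realm_binding, provider_id=PROVIDER_ID):
    """Copy a built-in flow, append the authenticator as a REQUIRED step and bind the copy
    at realm level. realm_binding is the RealmRepresentation field, e.g. 'directGrantFlow'."""
    realm_path = f"/admin/realms/{realm}"
    flows = f"{realm_path}/authentication/flows"
    api("POST", f"{flows}/{quote(base_flow)}/copy", {"newName": new_alias})
    api("POST", f"{flows}/{quote(new_alias)}/executions/execution", {"provider": provider_id})
    executions = api("GET", f"{flows}/{quote(new_alias)}/executions")
    api("PUT", f"{flows}/{quote(new_alias)}/executions", required_execution(executions, provider_id))
    api("PUT", realm_path, {realm_binding: new_alias})  # partial realm update: global binding
    return new_alias


def bind_idp_post_login_flow(api, realm, idp_alias, flow_alias):
    """Point an identity provider's Post Login Flow at a flow that contains the check."""
    path = f"/admin/realms/{realm}/identity-provider/instances/{quote(idp_alias)}"
    idp = dict(api("GET", path))
    idp["postBrokerLoginFlowAlias"] = flow_alias
    api("PUT", path, idp)
    return idp


def clients_with_flow_overrides(clients):
    """clientId -> override map for every client whose authenticationFlowBindingOverrides
    is non-empty. Such clients use their own flows instead of the realm bindings."""
    return {c["clientId"]: c["authenticationFlowBindingOverrides"]
            for c in clients if c.get("authenticationFlowBindingOverrides")}


def audit_client_overrides(api, realm):
    """Fetch all clients of the realm and report the ones that bypass the realm bindings."""
    return clients_with_flow_overrides(api("GET", f"/admin/realms/{realm}/clients"))


# Constructed sample (not real data): two trimmed ClientRepresentations as returned by
# GET /admin/realms/{realm}/clients. The second one would bypass the realm-level flows.
SAMPLE_CLIENTS = [
    {"clientId": "account-console", "authenticationFlowBindingOverrides": {}},
    {"clientId": "legacy-app",
     "authenticationFlowBindingOverrides": {"browser": "flow-id-of-old-browser-copy",
                                           "direct_grant": "flow-id-of-old-direct-grant"}},
]
```

To run it for real, replace `RecordingApi` with `keycloak_api("https://keycloak.example/", access_token)`, where the token comes from the master realm's `admin-cli` client; the dry-run recorder lets you inspect the exact request sequence first. Treat a non-empty result from `audit_client_overrides` as a finding: either remove the override or make sure the overriding flow contains the authenticator as well.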
By default, the error message shown to a user is the default `noAccessMessage`:
However, you can configure the error message that is shown to the user. To do so, visit your flow's page, click the Actions button on this authenticator and choose Config.
Then, configure the provider to your liking.
As of Keycloak 21, the declarative user profile is supported in the admin console, so the user creation and editing forms can be generated from it. If you enable the `declarative-user-profile` feature, you can add the `accountExpirationDate` attribute using the following JSON in the JSON editor:
```json
{
  "name": "accountExpirationDate",
  "displayName": "Account Expiration Date",
  "selector": {
    "scopes": []
  },
  "permissions": {
    "edit": [
      "admin"
    ],
    "view": [
      "admin"
    ]
  },
  "annotations": {},
  "validations": {
    "pattern": {
      "pattern": "^\\d{4}-\\d{1,2}-\\d{1,2}$",
      "error-message": ""
    }
  },
  "group": null
}
```
You can also get a similar configuration using the normal UI. This configuration ensures that only admins can edit and view the attribute. If you want users to be able to view their own expiration date, add the `user` role to the view permission as well.
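As an added example (not the project's own code), the attribute definition above applied to an existing user profile configuration, and the date handling a practitioner wants before writing the attribute to a user: the pattern validator only checks the shape of the value, so `2024-13-45` passes it and has to be caught separately. The profile JSON shape (`{"attributes": [...], "groups": [...]}`) is what `GET /admin/realms/{realm}/users/profile` returns and what is sent back with `PUT`; user attributes are stored as lists of strings in a UserRepresentation. Whether the expiration day itself still allows a login is this example's assumption, not something this page states.

```python
"""Added example (not the project's own code): managing the accountExpirationDate
attribute in Keycloak's declarative user profile and validating values before they
are written to a user.

Assumes the attribute name and date pattern shown in the README. The profile JSON
shape is the one returned by GET /admin/realms/{realm}/users/profile.
"""
import copy
import re
from datetime import date, datetime

ATTRIBUTE_NAME = "accountExpirationDate"
DATE_PATTERN = r"^\d{4}-\d{1,2}-\d{1,2}$"  # same pattern as in the profile JSON above

# The attribute definition from the README as a Python dict.
ACCOUNT_EXPIRATION_ATTRIBUTE = {
    "name": ATTRIBUTE_NAME,
    "displayName": "Account Expiration Date",
    "selector": {"scopes": []},
    "permissions": {"edit": ["admin"], "view": ["admin"]},
    "annotations": {},
    "validations": {"pattern": {"pattern": DATE_PATTERN, "error-message": ""}},
    "group": None,
}


def add_expiration_attribute(profile, users_can_view=False):
    """Return a copy of the user profile config with the attribute added or replaced.
    users_can_view=True also grants the 'user' role the view permission, so users see
    their own expiration date in the account console; 'edit' stays admin-only."""
    attribute = copy.deepcopy(ACCOUNT_EXPIRATION_ATTRIBUTE)
    if users_can_view:
        attribute["permissions"]["view"] = ["admin", "user"]
    updated = copy.deepcopy(profile)
    others = [a for a in updated.get("attributes", []) if a.get("name") != ATTRIBUTE_NAME]
    updated["attributes"] = others + [attribute]  # idempotent: re-running replaces it
    return updated


def parse_expiration_date(value):
    """Validate a value the way the profile pattern does, then semantically.
    The pattern alone accepts e.g. 2024-13-45; strptime rejects impossible dates
    while still accepting the single-digit month/day the pattern allows."""
    if not re.fullmatch(DATE_PATTERN, value, re.ASCII):
        raise ValueError(f"{value!r} does not match {DATE_PATTERN}")
    return datetime.strptime(value, "%Y-%m-%d").date()


def is_valid_expiration_date(value):
    """True if the value passes both the pattern and the calendar check."""
    try:
        parse_expiration_date(value)
        return True
    except ValueError:
        return False


def is_expired(value, today=None):
    """True once the expiration date lies strictly before today. Treating the
    expiration day itself as still valid is this example's assumption; confirm the
    boundary against the authenticator before relying on it. today may be a date
    or a date string in the same format."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = parse_expiration_date(today)
    return parse_expiration_date(value) < today


def with_expiration(user, value):
    """Return a copy of a UserRepresentation with the attribute set. Keycloak stores
    user attributes as lists of strings; PUT the result to /admin/realms/{realm}/users/{id}.
    Refuses to write a value that would pass the pattern but is not a real date."""
    parse_expiration_date(value)
    updated = copy.deepcopy(user)
    updated.setdefault("attributes", {})[ATTRIBUTE_NAME] = [value]
    return updated
```

Because `add_expiration_attribute` replaces an existing definition with the same name, it can be re-run safely against a profile that already carries the attribute; the deep copies keep the fetched representation untouched so a failed `PUT` can be retried from the original.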