Inventage AG
Technoparkstrasse 1
8005Zürich
+41 43 343 20 20

Keycloak Extensions

We love Keycloak for its openness. It can easily grow with evolving requirements. Keycloak provides a large set of functionality out-of-the-box. The true power of Keycloak can be unleashed by community extensions or by extending it yourself. Read our tutorials to learn more.

We have realized the following extensions so far

Support for Step-up

Depending on the sensitivity of the involved data of an application the requirements for the quality of authentication can be different. For accessing less sensitive information the user is only required to do a weak authentication. When requesting more sensitive data the user is forced to do a step-up authentication to a strong level by using a second factor.

We have implemented a solution based on Keycloak to support a step-up authentication within the service portal of a bank. As of July 2020 the ticket KEYCLOAK-847 for the step-up feature within Keycloak is still open.

Support for Multiple Second Factor Types

To enhance the user experience a service provider often wants to offer multiple second factor types to their customers. Keycloak does not provide this functionality out-of-the-box. However, by using the powerful Authentication Service Provider Interface (SPI) within Keycloak we have extended the authentication flow by giving the user a choice for the second factor to be used.

Support for a Custom Second Factor

The openess of Keycloak allows the integration of custom second factor types. They can either be found in the community (like SMS) or built on your own. We have built 3 different factors for e-banking systems. One factor integrates the KOBIL SecOPTIC elegance for login and signature transactions. The other are custom factors based on mobile devices.

WAF Integration

Identity and access management (IAM) systems like Keycloak are just one brick in the security architecture. An other often used component is a web application firewall (WAF). The IAM and the WAF are communicating together and in many scenarios the IAM is controlling the authorisation within the WAF. Many WAF products provide an API for this. We have extended Keycloak to use such an API for the Airlock WAF.

Hasura Integration

Hasura is a very popular GraphQL gateway server with strong data security concerns. With its JWT authorization mode every request is authorised upon the token from the Authorization header. The token must contain specific claims for Hasura. Our Keycloak extension provides a protocol mapper for setting the necessary claims.