Extensions

Adaptive Authentication
Leverage Authentication policies, Risk-based authentication, and AI as part of an Adaptive authentication initiative.
Ansible collection for Keycloak
Collection to install and configure Keycloak
Apple Identity Provider
Sign in with Apple using either a browser or natively by token_exchange.
BundID Integration
Integrate German BundID identity provider (https://id.bund.de) including support for attribute requests and mapping of STORK QAA levels.
CAS Login Procotol
Implements the CAS SSO protocol according to official specification by adding a new client type to the Keycloak admin console.
Cassandra Datastore
Use Apache Cassandra as storage backend. Can be used to just replace Infinispan as distributed cache. Requires experimental map storage feature.
Configuration as Code for Keycloak realms
Utility to ensure the desired configuration state for a realm based on a JSON or YAML file.
Discord Identity Provider
Keycloak extension to add discord as an identity provider.
Event Listener Utilities
Useful event listener implementations and utilities. Webhooks, scripts, HTTP, etc.
Express.js GraphQL
Add Keyloak Authentication and Authorization to your GraphQL server.
France Connect Identity Provider
Extension to add support for the french administration Identity Provider France Connect.
Full export endpoint
Provides an endpoint allowing the full export of a realm, without having to restart keycloak.
GitHub SSH key mapper
An attribute mapper for the Github Identity Provider. The mapper can fetch the user's SSH keys from github's REST API.
HiOrg-Server Identity Provider
Keycloak extension to add HiOrg-Server as an identity provider.
Home IdP Discovery
The authenticator redirects users to their home identity provider based on their email address and domain.
IBM Security Verify Authenticator
Adds various authentication methods such as One-time-passcode, QR code, Push notifications, and FIDO2.
Impersonation Policy Enforcer
Enforces an impersonation policy restricting impersonators from accessing clients unless holding an associated client role.
JSON Remote Claim Mapper
Protocol mapper to retrieve JSON data from a remote HTTP endpoint.
Japanese documentation translation
Japanese translation of the Keycloak documentation.
Keycloak External Claim Mapper
Implementation of the keycloak internal SPI protocol-mapper, that allows to fetch remote http json data, transform and include it into user JWT.
Keycloak Multi-Tenancy
Keycloak extension for creating multi-tenant IAM for B2B SaaS applications.
Keycloakify
A tool for creating Keycloak theme with React
MFA Plugin collection
A collection of MFA plugins: SMS authenticator, Enforce MFA, Native App MFA integration.
MQTT event listener
An event listener using the MQTT protocol.
Magic Link Login
Allow users to authenticate through a link sent to their email address instead of using a password.
Metrics SPI
Adds a Metrics Endpoint to Keycloak in Prometheus format.
ORCID Social Identity Provider
Enables ORCID as an Identity Provider.
OpenFGA Event Publisher
Keycloak extension enables event integration between Keycloak and OpenFGA for Fine-Grained Authorization (FGA).
Organizations Extensions
Comprehensive extensions set for single realm multi-tenancy.
PII Data Encryption
Enables database-level encryption of PII user data such as username, email, first name, last name and custom user attributes.
Passport.js strategy
Passport.js strategy that enables the use of multiple realms in the same application.
Python Client
Client library for python applications.
RabbitMQ event listener
Event listener using the RabbitMQ message broker.
Regex role importer
This extension provides a broker mapper that maps a multivalued OIDC claim or SAML attribute to roles based on regular expressions.
Restrict Client Auth
The authenticator supports role-based or policy-based access decisions and can be enabled on a per-client basis.
Testcontainers
A Testcontainers implementation for Keycloak.
WS-Federation protocol
Implementation of the WS-Federation passive requestor model according to the official specification.
privacyIDEA two factor authentication
Adds 2nd factors to keycloak, that are authenticated against your central privacyIDEA system.