Enforce client role checks after successful Kerberos authentication in RHBK/Keycloak

Solution Verified - Updated -

Environment

  • Red Hat Build Of Keycloak (RHBK)
    • All versions

Issue

  • Does it possible to configure client role checks after successful Kerberos authentication ?
  • How to enforce client role checks after successful Kerberos authentication ?

Resolution

  • To enforce client role checks after successful Kerberos authentication, implement a custom Authenticator SPI that:

    • Executes after Kerberos authentication.

    • Performs client role validation for the authenticated user.

    • Fails the flow if the required client role is not found.

Note: Implementing a custom Authenticator SPI is outside the scope of standard product support. For assistance with custom development, engage Red Hat Consulting.

Root Cause

  • The Kerberos authenticator in RHBK is treated as a passive early authenticator in the browser login flow. Its behavior is:

    • If Kerberos authentication succeeds, the user is immediately authenticated.

    • The authentication flow skips any further executions or subflows (such as client role checks).

    • This is by design and considered expected behavior.

  • In contrast, when username/password login is used, the flow proceeds through subflows, including client role validations.

Diagnostic Steps

To confirm and understand the flow behavior in your environment:

  1. Examine the Authentication Flow
    Go to Authentication -> Flows in the RHBK admin console and review the custom browser flow.

  2. Observe Flow Behavior with Kerberos
    When a user logs in via Kerberos:

    • Verify the user is authenticated without hitting subflow steps.
    • Note that conditional executions (like client role checks) are bypassed.

  3. Compare with Username/Password Login

    • Attempt login using username and password.
    • Confirm that all expected flow steps and subflows are executed.

  4. Review Logs for Flow Execution Path

    • Enable kerberos DEBUG logging on authentication events to trace the exact path followed in each login scenario.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments