Adaptive Authentication

Keycloak Adaptive Authentication Extension

authenticator, Apache-2.0
by Martin Bartoš

Keycloak

Adaptive Authentication Demo

Keycloak Adaptive Authentication

  • Change authentication requirements in real time based on wider context
  • Strengthen security - Require MORE factors when a login attempt is suspicious or the user is accessing sensitive resources
  • Better user experience - Require FEWER factors when the risk of a fraudulent user is low
  • Integration with remote services - Obtain more information about the user, or get help evaluating data, via remote services
  • Gather more information about the user in a secure way
  • Uses risk-based authentication
  • Uses AI services for more complex risk evaluations

Risk Engine

Supported AI Engines

  • OpenAI ChatGPT - Default model: gpt-4o-mini
  • Anthropic Claude - Default model: claude-haiku-4-5-20251001
  • Google Gemini (free tier available) - Default model: gemini-2.5-flash-lite
  • IBM Granite (deprecated) - Default model: granite-8b-code-instruct-128k

Risk is evaluated locally as much as possible. AI engines are only used for complex evaluations that require deeper contextual analysis. Since AI services are external dependencies, all user data (IP addresses, device info) is automatically anonymized before being sent, to prevent information leakage. See the Privacy and Anonymization Guide for details.

For more information and setup, see the AI Integration Guide.
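
The local-first flow with anonymization described above, as an added sketch that is not the extension's own code. The thresholds, field names, prefix lengths (/24 and /48) and the HMAC pseudonymization are assumptions chosen for illustration, and the login context is constructed sample data.

```python
import hashlib
import hmac
import ipaddress

# Assumption: a per-deployment secret used only for pseudonymization.
PSEUDONYM_KEY = b"constructed-demo-key"
LOW, HIGH = 0.3, 0.7  # hypothetical bounds of the "ambiguous" score band

# Constructed sample login context (documentation-range IP, made-up user).
SAMPLE = {
    "user_id": "alice@example.org",
    "ip": "203.0.113.77",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
    "local_score": 0.5,
    "session_cookie": "constructed-secret",  # must never leave the server
}

def anonymize_ip(ip: str) -> str:
    """Keep only the network prefix: /24 for IPv4, /48 for IPv6."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def pseudonymize(value: str) -> str:
    """Keyed hash: stable per user, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def coarse_device(user_agent: str) -> dict:
    """Reduce a User-Agent to browser and OS family (order matters: Edge
    contains 'Chrome', Android contains 'Linux', iPhone contains 'Mac OS X')."""
    browsers = ("Firefox", "Edg", "Chrome", "Safari")
    systems = ("Windows", "Android", "iPhone", "Mac OS X", "Linux")
    return {"browser": next((b for b in browsers if b in user_agent), "other"),
            "os": next((o for o in systems if o in user_agent), "other")}

def build_remote_payload(ctx: dict) -> dict:
    """Allow-list: only these derived fields are sent; the rest of ctx is dropped."""
    return {"user": pseudonymize(ctx["user_id"]),
            "network": anonymize_ip(ctx["ip"]),
            "device": coarse_device(ctx["user_agent"]),
            "local_score": round(ctx["local_score"], 2)}

def evaluate(ctx: dict, remote_engine) -> tuple:
    """Decide locally when the score is clear; escalate only the ambiguous band."""
    if ctx["local_score"] < LOW:
        return ("allow", None)
    if ctx["local_score"] >= HIGH:
        return ("step_up", None)
    payload = build_remote_payload(ctx)
    return (remote_engine(payload), payload)
```

Building the outbound payload from an allow-list, rather than deleting known-sensitive keys from the context, means a field added to the context later is not sent by default.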

Supported Keycloak Versions

Keycloak Version | Supported
26.6.x           | Yes
26.5.x           | Testing ended June 2026
main (nightly)   | Yes

Getting Started

Build and try it out locally:

./mvnw -f core clean install -DskipTests -Pbuild-distribution
./mvnw exec:exec@start-server

The generated JAR (core/target/keycloak-adaptive-authn-*.jar) can be added to the /providers folder of your Keycloak distribution. It is also available as a Maven package:

<dependency>
    <groupId>io.github.mabartos</groupId>
    <artifactId>keycloak-adaptive-authn</artifactId>
    <version>${version}</version>
    <type>jar</type>
</dependency>

For full build instructions, installation options, and configuration, see the Start Guide.

Resources with more info

  1. Unlocking Adaptive Authentication (most recent)
  2. Adaptive Authentication
  3. AI-powered Keycloak
    • OpenShiftAI Roadshow @ Bratislava, Slovakia 2024
    • Slides
  4. Adaptive Authentication
    • Master's thesis completed 2024
    • (Information might differ)
    • Document

Connected Authentication Policies

NOTE: Authentication policies that were part of this Adaptive Authentication initiative were moved to the mabartos/keycloak-authn-policies repository.
