Description
A Keycloak plugin that lets users create personal access tokens (PATs) — scoped, named tokens that can be used as passwords anywhere HTTP Basic Auth is accepted.
Repository: https://github.com/mrulex-repo/keycloak-personal-access-tokens
Pull Request: #740
Discussion
No response
Motivation
Many services — Maven registries, Docker registries, npm proxies, IMAP servers — only speak HTTP Basic Auth. You can't give them an OAuth flow, and you don't want to use your real password. You want:
- A token that works as a password for that specific service
- Scoped to exactly the roles that service needs
- Revokable without changing your password
- With an optional expiry date
Keycloak doesn't have this built in. This plugin adds it.
Details
Users create PATs from the Keycloak Account UI. Each token is named and carries a set of realm roles chosen at creation time. When a service receives Basic Auth credentials it cannot verify itself, it forwards them as Authorization: Basic base64(username:token) to the plugin's /auth endpoint. Keycloak validates the token against the user's stored PATs and returns the roles attached to that token in the X-Roles response header.
The token is shown once on creation and never stored in plaintext — only an Argon2id hash is kept, so a database leak does not yield usable tokens.
Auth endpoint response headers
| Header | Content |
|---|---|
| X-User | Keycloak username |
| X-User-Id | Keycloak user UUID |
| X-Roles | Comma-separated roles assigned to the token |
Pass X-Required-Role: <role> in the request to let Keycloak enforce the check and return 403 directly instead of leaving it to the caller.
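The exchange described above, modelled end to end as an added Python example (this is illustration code, not the plugin's own Java implementation). The client side builds the Basic header; the server side parses it, looks up the user, verifies the secret against the stored hash, applies the optional X-Required-Role check, and answers with X-User / X-User-Id / X-Roles. Because Argon2id is not in the Python standard library, hashlib.scrypt stands in for it here; the user record, token names, roles and UUID are constructed sample data, and the realm name in the WWW-Authenticate challenge is an assumption.

```python
import base64
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Stand-in for the plugin's Argon2id: scrypt is in the stdlib, Argon2 is not.
# Only the salted digest is stored; the plaintext token never is.
def hash_token(token: str, salt: bytes) -> bytes:
    return hashlib.scrypt(token.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

@dataclass
class PatRecord:
    name: str
    salt: bytes
    digest: bytes
    roles: frozenset
    expires_at: Optional[datetime] = None   # None = no expiry
    revoked: bool = False

@dataclass
class User:
    username: str
    user_id: str
    pats: List[PatRecord] = field(default_factory=list)

def create_pat(user: User, name: str, roles: Iterable[str],
               ttl: Optional[timedelta] = None, now: Optional[datetime] = None) -> str:
    """Mint a token, keep only its hash, and hand the plaintext back exactly once."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)
    salt = os.urandom(16)
    user.pats.append(PatRecord(name, salt, hash_token(token, salt), frozenset(roles),
                               now + ttl if ttl else None))
    return token

def basic_header(username: str, token: str) -> str:
    """What a Basic-Auth-only client (Maven, Docker, IMAP...) sends."""
    return "Basic " + base64.b64encode(f"{username}:{token}".encode()).decode()

def parse_basic(value: str) -> Optional[Tuple[str, str]]:
    """RFC 7617: the user-id may not contain ':', so split at the first colon only."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:
        return None
    username, sep, secret = raw.partition(":")
    if not sep or not username:
        return None
    return username, secret

CHALLENGE = {"WWW-Authenticate": 'Basic realm="keycloak-pat"'}  # realm name assumed

def authenticate(users: Dict[str, User], headers: Dict[str, str],
                 now: Optional[datetime] = None) -> Tuple[int, Dict[str, str]]:
    """Model of the /auth endpoint: 401 on bad credentials, 403 on missing role."""
    now = now or datetime.now(timezone.utc)
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return 401, dict(CHALLENGE)
    username, secret = creds
    user = users.get(username)
    if user is None:
        return 401, dict(CHALLENGE)
    for pat in user.pats:
        if pat.revoked or (pat.expires_at is not None and pat.expires_at <= now):
            continue  # revoked or expired tokens never reach the hash comparison
        if not hmac.compare_digest(hash_token(secret, pat.salt), pat.digest):
            continue
        required = headers.get("X-Required-Role")
        if required and required not in pat.roles:
            return 403, {}
        return 200, {"X-User": user.username, "X-User-Id": user.user_id,
                     "X-Roles": ",".join(sorted(pat.roles))}
    return 401, dict(CHALLENGE)

def demo() -> Dict[str, Tuple[int, Dict[str, str]]]:
    """Run every path once against a constructed user; returns status and headers per case."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    alice = User("alice", "2f9d0c4e-1b7a-4c3e-9e2a-5d6f7a8b9c0d")  # constructed sample
    users = {"alice": alice}
    token = create_pat(alice, "ci-maven", {"maven-read"}, ttl=timedelta(days=30), now=t0)
    good = basic_header("alice", token)
    out = {
        "valid": authenticate(users, {"Authorization": good}, now=t0),
        "role_ok": authenticate(users, {"Authorization": good, "X-Required-Role": "maven-read"}, now=t0),
        "role_missing": authenticate(users, {"Authorization": good, "X-Required-Role": "admin"}, now=t0),
        "wrong_token": authenticate(users, {"Authorization": basic_header("alice", "not-it")}, now=t0),
        "unknown_user": authenticate(users, {"Authorization": basic_header("bob", token)}, now=t0),
        "malformed": authenticate(users, {"Authorization": "Basic not*base64"}, now=t0),
        "expired": authenticate(users, {"Authorization": good}, now=t0 + timedelta(days=31)),
    }
    alice.pats[0].revoked = True
    out["revoked"] = authenticate(users, {"Authorization": good}, now=t0)
    return out

if __name__ == "__main__":
    for case, (status, hdrs) in demo().items():
        print(f"{case:13} -> {status} {hdrs}")
```

The X-Required-Role branch is why the 403 is worth having server-side: a reverse proxy doing a forward-auth subrequest can pass the role it needs and deny on the status alone, without parsing X-Roles itself. The remaining timing difference (unknown users skip the hash entirely) is left as-is here; a deployment that cares about username enumeration would add a dummy hash in that path.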