
julabo/keycloak\_yourls
=======================

Provides Keycloak user authentication with enhanced security

Version 1.2.0 (2w ago) · MIT · PHP >=8.0

[Source](https://github.com/julabo/keycloak_yourls) · [Packagist](https://packagist.org/packages/julabo/keycloak_yourls)

OIDC Keycloak Plugin for YOURLS
===============================

This plugin provides OpenID Connect (OIDC) authentication integration with Keycloak for YOURLS, allowing users to authenticate using their Keycloak credentials instead of traditional YOURLS authentication.

Features
--------

- **OpenID Connect Authentication**: Seamless integration with Keycloak OIDC
- **Rate Limiting**: Built-in protection against brute force attacks
- **Token Management**: Automatic token refresh and session handling
- **Security**: Bypass YOURLS native authentication when enabled
- **Database Integration**: Stores rate limiting data in YOURLS database

Installation
------------

1. Extract the plugin files to the `user/plugins/keycloak/` directory in your YOURLS installation
2. Run `composer install` in the plugin directory to install dependencies
3. Enable the plugin in your YOURLS admin panel or by adding it to your configuration

Configuration Options
---------------------

The plugin supports configuration through environment variables (recommended) or direct configuration constants. All settings can be defined in a `.env` file or YOURLS configuration.

### OIDC Provider Settings

| Setting | Environment Variable | Required | Description |
|---------|----------------------|----------|-------------|
| Base URL | `OIDC_BASE_URL` | Yes | The base URL of your Keycloak server (e.g., `https://auth.example.com`) |
| Realm | `OIDC_REALM` | Yes | The Keycloak realm name |
| Client Name | `OIDC_CLIENT_NAME` | Yes | The client ID configured in Keycloak |
| Client Secret | `OIDC_CLIENT_SECRET` | Yes | The client secret from Keycloak |
| Redirect URL | `OIDC_REDIRECT_URL` | Yes | The callback URL (typically `https://yourdomain.com/admin/`) |

### Rate Limiting Settings

| Setting | Environment Variable | Default | Description |
|---------|----------------------|---------|-------------|
| Max Attempts | `OIDC_MAX_AUTH_ATTEMPTS` | 5 | Maximum failed authentication attempts before lockout |
| Lockout Time | `OIDC_AUTH_LOCKOUT_TIME` | 900 | Lockout duration in seconds (900 = 15 minutes) |
| Token Refresh | `OIDC_TOKEN_REFRESH_THRESHOLD` | 300 | Time in seconds before token expiry to refresh (300 = 5 minutes) |

### Security Settings

| Setting | Environment Variable | Default | Description |
|---------|----------------------|---------|-------------|
| Bypass YOURLS Auth | `OIDC_BYPASS_YOURLS_AUTH` | true | Whether to bypass native YOURLS authentication |

Environment Configuration Example
---------------------------------

Create or update your `.env` file with the following settings:

```
# OIDC Configuration
OIDC_BASE_URL=https://auth.example.com
OIDC_REALM=YourRealm
OIDC_CLIENT_NAME=yourls
OIDC_CLIENT_SECRET=your-client-secret-here
OIDC_REDIRECT_URL=https://yourdomain.com/admin/

# Rate Limiting Configuration
OIDC_MAX_AUTH_ATTEMPTS=5
OIDC_AUTH_LOCKOUT_TIME=900
OIDC_TOKEN_REFRESH_THRESHOLD=300

# Security Settings
OIDC_BYPASS_YOURLS_AUTH=true
```

Keycloak Configuration
----------------------

### Client Setup

1. **Create a new client** in your Keycloak realm
2. **Set Client ID** to match `OIDC_CLIENT_NAME`
3. **Enable Client Authentication** (for confidential clients)
4. **Set Valid Redirect URIs** to your `OIDC_REDIRECT_URL`
5. **Copy the Client Secret** to use as `OIDC_CLIENT_SECRET`
6. **Set Proof Key for Code Exchange Code Challenge Method** to `S256`

### Required Client Settings

- **Access Type**: Confidential
- **Standard Flow Enabled**: ON
- **Direct Access Grants Enabled**: ON (optional)
- **Valid Redirect URIs**: Your YOURLS admin URL
- **Web Origins**: Your YOURLS domain

Security Considerations
-----------------------

### Rate Limiting

The plugin automatically creates a database table for tracking failed authentication attempts:

- **IP-based tracking**: Each IP address is tracked separately
- **Progressive lockout**: After reaching max attempts, IP is locked for the configured time
- **Automatic cleanup**: Old records and expired locks are automatically cleaned
- **Reset on success**: Successful authentication clears the attempt counter

### Token Security

- Tokens are handled securely and refreshed automatically
- Session management integrates with YOURLS native sessions
- A configurable refresh threshold prevents token expiration during active use

Database Tables
---------------

The plugin creates the following table:

```
CREATE TABLE `yourls_oidc_rate_limit` (
    `ip` VARCHAR(45) NOT NULL,
    `attempts` INT(11) NOT NULL DEFAULT 0,
    `locked_until` TIMESTAMP NULL DEFAULT NULL,
    `last_attempt` TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    PRIMARY KEY (`ip`),
    KEY `locked_until` (`locked_until`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
```
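
A sketch of the lockout behaviour described under Rate Limiting, written against the table above. This is an added example, not the plugin's own code: the function names, the use of PDO, and the idle cutoff in `cleanup()` are assumptions; the two constants are the README's defaults.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code. Function names are hypothetical;
// the table and both defaults are taken from the README.
const MAX_ATTEMPTS = 5;   // OIDC_MAX_AUTH_ATTEMPTS
const LOCKOUT_TIME = 900; // OIDC_AUTH_LOCKOUT_TIME, in seconds

/** True while the IP holds an unexpired lock. Compared in SQL to avoid clock skew. */
function isLocked(PDO $db, string $ip): bool
{
    $q = $db->prepare(
        'SELECT 1 FROM yourls_oidc_rate_limit WHERE ip = ? AND locked_until > NOW()'
    );
    $q->execute([$ip]);
    return (bool) $q->fetchColumn();
}

/** Count one failed login and lock the IP when the limit is reached. */
function recordFailure(PDO $db, string $ip): void
{
    // One atomic upsert, so parallel requests cannot undercount. locked_until is
    // assigned first and uses attempts + 1, so assignment order does not matter.
    $db->prepare(
        'INSERT INTO yourls_oidc_rate_limit (ip, attempts) VALUES (?, 1)
         ON DUPLICATE KEY UPDATE
           locked_until = IF(attempts + 1 >= ?, NOW() + INTERVAL ? SECOND, locked_until),
           attempts = attempts + 1'
    )->execute([$ip, MAX_ATTEMPTS, LOCKOUT_TIME]);
}

/** A successful login clears the counter for that IP. */
function recordSuccess(PDO $db, string $ip): void
{
    $db->prepare('DELETE FROM yourls_oidc_rate_limit WHERE ip = ?')->execute([$ip]);
}

/** Remove expired locks and idle counters (the idle cutoff is an assumption). */
function cleanup(PDO $db): void
{
    $db->prepare(
        'DELETE FROM yourls_oidc_rate_limit
          WHERE locked_until <= NOW()
             OR (locked_until IS NULL AND last_attempt < NOW() - INTERVAL ? SECOND)'
    )->execute([LOCKOUT_TIME]);
}
```

Run `cleanup()` before `isLocked()` on each login attempt: a row whose lock has expired still carries a counter at the limit, so without cleanup the next single failure would lock the IP again.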

Troubleshooting
---------------

### Common Issues

1. **"Client not found" error**

    - Verify `OIDC_CLIENT_NAME` matches the client ID in Keycloak
    - Ensure the client is enabled in Keycloak
2. **"Invalid redirect URI" error**

    - Check that `OIDC_REDIRECT_URL` matches exactly with Keycloak client settings
    - Ensure the URL includes the protocol (https://)
3. **Rate limiting not working**

    - Verify database permissions allow table creation
    - Check that the rate limit constants are properly defined
4. **Authentication loop**

    - Confirm `OIDC_BYPASS_YOURLS_AUTH` is set to `true`
    - Verify session handling is working correctly

### Debugging

To debug, check the YOURLS error logs and the Keycloak server logs. The plugin respects YOURLS debugging settings.

Dependencies
------------

- **PHP**: >= 7.4
- **YOURLS**: >= 1.8
- **Composer packages**:
    - `league/oauth2-client`
    - `stevenmaguire/oauth2-keycloak`

License
-------

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for full license text.

Support
-------

For issues and feature requests, please refer to your YOURLS plugin documentation or contact your system administrator.

Maintainers: Jan Leehr ([@jleehr](https://github.com/jleehr))
