julabo/keycloak\_yourls
=======================

Provides Keycloak user authentication with enhanced security

1.1.0(5mo ago)0811MITPHPPHP >=7.4

Since Dec 9. Pushed 5mo ago.

[Source](https://github.com/julabo/keycloak_yourls) | [Packagist](https://packagist.org/packages/julabo/keycloak_yourls)

OIDC Keycloak Plugin for YOURLS
===============================

This plugin provides OpenID Connect (OIDC) authentication integration with Keycloak for YOURLS, allowing users to authenticate using their Keycloak credentials instead of traditional YOURLS authentication.

Features
--------

- **OpenID Connect Authentication**: Seamless integration with Keycloak OIDC
- **Rate Limiting**: Built-in protection against brute force attacks
- **Token Management**: Automatic token refresh and session handling
- **Security**: Bypass YOURLS native authentication when enabled
- **Database Integration**: Stores rate limiting data in YOURLS database

Installation
------------

1. Extract the plugin files to the `user/plugins/keycloak/` directory in your YOURLS installation
2. Run `composer install` in the plugin directory to install dependencies
3. Enable the plugin in your YOURLS admin panel or by adding it to your configuration

Configuration Options
---------------------

The plugin supports configuration through environment variables (recommended) or direct configuration constants. All settings can be defined in a `.env` file or YOURLS configuration.

### OIDC Provider Settings

| Setting | Environment Variable | Required | Description |
| --- | --- | --- | --- |
| Base URL | `OIDC_BASE_URL` | Yes | The base URL of your Keycloak server (e.g., `https://auth.example.com`) |
| Realm | `OIDC_REALM` | Yes | The Keycloak realm name |
| Client Name | `OIDC_CLIENT_NAME` | Yes | The client ID configured in Keycloak |
| Client Secret | `OIDC_CLIENT_SECRET` | Yes | The client secret from Keycloak |
| Redirect URL | `OIDC_REDIRECT_URL` | Yes | The callback URL (typically `https://yourdomain.com/admin/`) |

### Rate Limiting Settings

| Setting | Environment Variable | Default | Description |
| --- | --- | --- | --- |
| Max Attempts | `OIDC_MAX_AUTH_ATTEMPTS` | 5 | Maximum failed authentication attempts before lockout |
| Lockout Time | `OIDC_AUTH_LOCKOUT_TIME` | 900 | Lockout duration in seconds (900 = 15 minutes) |
| Token Refresh | `OIDC_TOKEN_REFRESH_THRESHOLD` | 300 | Time in seconds before token expiry to refresh (300 = 5 minutes) |

### Security Settings

| Setting | Environment Variable | Default | Description |
| --- | --- | --- | --- |
| Bypass YOURLS Auth | `OIDC_BYPASS_YOURLS_AUTH` | true | Whether to bypass native YOURLS authentication |

Environment Configuration Example
---------------------------------

Create or update your `.env` file with the following settings:

```
# OIDC Configuration
OIDC_BASE_URL=https://auth.example.com
OIDC_REALM=YourRealm
OIDC_CLIENT_NAME=yourls
OIDC_CLIENT_SECRET=your-client-secret-here
OIDC_REDIRECT_URL=https://yourdomain.com/admin/

# Rate Limiting Configuration
OIDC_MAX_AUTH_ATTEMPTS=5
OIDC_AUTH_LOCKOUT_TIME=900
OIDC_TOKEN_REFRESH_THRESHOLD=300

# Security Settings
OIDC_BYPASS_YOURLS_AUTH=true
```

Keycloak Configuration
----------------------

### Client Setup

1. **Create a new client** in your Keycloak realm
2. **Set Client ID** to match `OIDC_CLIENT_NAME`
3. **Enable Client Authentication** (for confidential clients)
4. **Set Valid Redirect URIs** to your `OIDC_REDIRECT_URL`
5. **Copy the Client Secret** to use as `OIDC_CLIENT_SECRET`
6. **Set Proof Key for Code Exchange Code Challenge Method** to `S256`
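
What the `S256` method in step 6 computes, as an added PHP example that is not the plugin's code: the client derives `code_challenge` from a random `code_verifier`, and the authorization server recomputes it when the code is exchanged at the token endpoint. Function names are hypothetical; the fixed values are the RFC 7636 Appendix B test vector.

```php
<?php
// Added illustration, not the plugin's code; function names are hypothetical.
function base64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Client side: 32 random bytes give a 43-character code_verifier.
function newCodeVerifier(): string
{
    return base64url(random_bytes(32));
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 section 4.2.
function codeChallengeS256(string $verifier): string
{
    if (!preg_match('/\A[A-Za-z0-9\-._~]{43,128}\z/', $verifier)) {
        throw new InvalidArgumentException('code_verifier must be 43-128 unreserved characters');
    }
    return base64url(hash('sha256', $verifier, true));
}

// Authorization-server side, modelled: the challenge stored from the
// authorization request must equal the one derived from the verifier that
// arrives with the token request. hash_equals() compares in constant time.
function verifierMatches(string $verifier, string $storedChallenge): bool
{
    return hash_equals($storedChallenge, codeChallengeS256($verifier));
}

// RFC 7636 Appendix B test vector.
$verifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFgPrcI';
$challenge = 'E9Melhoa2OwvFrEMTJguCHaoeB1NavKYoOdkum43zYU';

echo 'vector matches: ';
var_dump(codeChallengeS256($verifier) === $challenge);

// A different verifier (for example, one held by whoever intercepted the
// authorization code) does not satisfy the stored challenge.
echo 'unrelated verifier accepted: ';
var_dump(verifierMatches(newCodeVerifier(), $challenge));
```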

### Required Client Settings

- **Access Type**: Confidential
- **Standard Flow Enabled**: ON
- **Direct Access Grants Enabled**: ON (optional)
- **Valid Redirect URIs**: Your YOURLS admin URL
- **Web Origins**: Your YOURLS domain

Security Considerations
-----------------------

### Rate Limiting

The plugin automatically creates a database table for tracking failed authentication attempts:

- **IP-based tracking**: Each IP address is tracked separately
- **Progressive lockout**: After reaching max attempts, the IP is locked for the configured time
- **Automatic cleanup**: Old records and expired locks are automatically cleaned
- **Reset on success**: Successful authentication clears the attempt counter

### Token Security

- Tokens are handled securely and refreshed automatically
- Session management integrates with YOURLS native sessions
- A configurable refresh threshold prevents token expiration during active use

Database Tables
---------------

The plugin creates the following table:

```
CREATE TABLE `yourls_oidc_rate_limit` (
    `ip` VARCHAR(45) NOT NULL,
    `attempts` INT(11) NOT NULL DEFAULT 0,
    `locked_until` TIMESTAMP NULL DEFAULT NULL,
    `last_attempt` TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    PRIMARY KEY (`ip`),
    KEY `locked_until` (`locked_until`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4
```
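
The lockout behaviour described under Rate Limiting, modelled over the columns of the table above as an added PHP example (not the plugin's code). The class and method names are hypothetical, the cleanup rule is an assumption, and the IP and clock values are constructed.

```php
<?php
// Added illustration, not the plugin's code. Timestamps are Unix seconds.
final class RateLimitModel
{
    private array $rows = []; // ip => [attempts, locked_until, last_attempt]
    private int $max;         // OIDC_MAX_AUTH_ATTEMPTS
    private int $lockout;     // OIDC_AUTH_LOCKOUT_TIME in seconds
    public function __construct(int $max = 5, int $lockout = 900)
    {
        $this->max = $max;
        $this->lockout = $lockout;
    }

    public function isLocked(string $ip, int $now): bool
    {
        $until = $this->rows[$ip]['locked_until'] ?? null;
        return $until !== null && $until > $now;
    }

    public function recordFailure(string $ip, int $now): void
    {
        $this->cleanup($now); // an expired lock starts a fresh count
        $row = $this->rows[$ip] ?? ['attempts' => 0, 'locked_until' => null];
        $row['attempts']++;
        $row['last_attempt'] = $now;
        if ($row['attempts'] >= $this->max) {
            $row['locked_until'] = $now + $this->lockout;
        }
        $this->rows[$ip] = $row;
    }

    public function recordSuccess(string $ip): void
    {
        unset($this->rows[$ip]); // reset on success
    }

    // Assumption: a row is stale once its lock has expired or, if never
    // locked, once its last attempt is older than the lockout time.
    public function cleanup(int $now): void
    {
        foreach ($this->rows as $ip => $row) {
            $expiry = $row['locked_until'] ?? ($row['last_attempt'] + $this->lockout);
            if ($expiry <= $now) { unset($this->rows[$ip]); }
        }
    }
}

$rl = new RateLimitModel(); // constructed walk-through: five failures from one IP
for ($i = 1; $i <= 5; $i++) { $rl->recordFailure('203.0.113.7', 1700000000 + $i); }
var_dump($rl->isLocked('203.0.113.7', 1700000006), $rl->isLocked('203.0.113.7', 1700000905));
```

The two checks fall during the lock and at the second it expires. In a database-backed version the increment should be a single atomic statement so that concurrent failed logins from one IP cannot undercount.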

Troubleshooting
---------------

### Common Issues

1. **"Client not found" error**

    - Verify `OIDC_CLIENT_NAME` matches the client ID in Keycloak
    - Ensure the client is enabled in Keycloak
2. **"Invalid redirect URI" error**

    - Check that `OIDC_REDIRECT_URL` matches exactly with Keycloak client settings
    - Ensure the URL includes the protocol (https://)
3. **Rate limiting not working**

    - Verify database permissions allow table creation
    - Check that the rate limit constants are properly defined
4. **Authentication loop**

    - Confirm `OIDC_BYPASS_YOURLS_AUTH` is set to `true`
    - Verify session handling is working correctly

### Debugging

To debug, check the YOURLS error logs and the Keycloak server logs. The plugin respects YOURLS debugging settings.

Dependencies
------------

- **PHP**: >= 7.4
- **YOURLS**: >= 1.8
- **Composer packages**:
    - `league/oauth2-client`
    - `stevenmaguire/oauth2-keycloak`

License
-------

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for full license text.

Support
-------

For issues and feature requests, please refer to your YOURLS plugin documentation or contact your system administrator.

### Release Activity

- Cadence: every ~0 days
- Total: 4
- Last release: 151d ago

### Community

Maintainers: [jleehr](/maintainers/jleehr)

Top Contributors: [jleehr](https://github.com/jleehr) (6 commits)
