Cloudflare + Keycloak

Sign in via Keycloak

Cloudflare's WAF inspects the POST body of Keycloak's login form and injects an Exposed-Credential-Check header. A custom Keycloak authenticator plugin reads that header only after Keycloak has validated the credentials, and denies the login if the password is breached.

Try a scenario

Sign in with Keycloak
Flow:
  1. Browser → Keycloak login page
  2. POST credentials → Cloudflare WAF checks password against breach DB
  3. WAF injects Exposed-Credential-Check: 1 or 4
  4. Keycloak verifies username/password against user store
  5. If valid → custom plugin reads the header → denies if breached

Why check only after the credentials are validated? Denying only after Keycloak confirms that the credentials match a real account avoids leaking which usernames exist through the breach check. Wrong passwords fail at the normal credential step; valid but breached passwords fail at the plugin.
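The ordering argument above, as an added simulation of both sides of the flow (this is illustrative code, not Cloudflare's WAF or the Keycloak plugin). The breach set and user store are constructed sample data, passwords are compared in plain text only to keep the simulation short, and it assumes every login request reaches Keycloak through the WAF.

```python
"""Simulated Cloudflare WAF + Keycloak post-credential breach check."""
from typing import Dict, Optional

HEADER = "Exposed-Credential-Check"
# Header values the page's plugin treats as "password breached" (1 or 4).
DENY_VALUES = {"1", "4"}

# Constructed sample data; a real deployment stores password hashes.
BREACHED_PASSWORDS = {"Password123", "letmein"}
USER_STORE = {"alice": "Password123", "bob": "S3cure!Long#Phrase"}


def waf_inspect(password: str, client_headers: Dict[str, str]) -> Dict[str, str]:
    """Edge step: inspect the POSTed password and inject the WAF verdict.

    Any client-supplied copy of the header is dropped first, so the origin
    only ever sees the value the WAF itself set (assumption of this model)."""
    headers = {k: v for k, v in client_headers.items() if k.lower() != HEADER.lower()}
    if password in BREACHED_PASSWORDS:
        headers[HEADER] = "1"
    return headers


def keycloak_login(username: str, password: str, headers: Dict[str, str]) -> str:
    """Origin step: credentials are validated BEFORE the header is consulted.

    An unknown user and a wrong password both return the same outcome, so
    the breach verdict never reveals whether the username exists."""
    stored: Optional[str] = USER_STORE.get(username)
    if stored is None or stored != password:
        return "invalid_credentials"
    # Custom authenticator: runs only for a valid account/password pair.
    if headers.get(HEADER) in DENY_VALUES:
        return "denied_breached_password"
    return "success"


def login(username: str, password: str, client_headers: Optional[Dict[str, str]] = None) -> str:
    """Browser -> WAF -> Keycloak, returning the final login outcome."""
    headers = waf_inspect(password, client_headers or {})
    return keycloak_login(username, password, headers)


if __name__ == "__main__":
    for user, pw in [("alice", "Password123"), ("bob", "S3cure!Long#Phrase"),
                     ("alice", "wrong"), ("nobody", "Password123")]:
        print(f"{user}: {login(user, pw)}")
```

Note that the unknown user trying a breached password gets the same `invalid_credentials` answer as a wrong password, which is the enumeration resistance the ordering buys.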