Dynamic Email Domain Validation in Keycloak with a Custom Authenticator
Keycloak's native email domain restriction is static: updating the allow-list means changing realm configuration and redeploying. For B2B SaaS products that onboard new tenants regularly, this is an operational bottleneck. The article presents a custom Keycloak Authenticator, domain-email-validator, that moves domain policy out of Keycloak entirely: at login time it calls an external API to decide whether the user's email domain is permitted. This enables per-tenant domain rules (e.g., Tenant A allows acme.com; Tenant B allows globex.com and initech.com) and runtime updates without redeployment. The article walks through the full architecture, the Java code, and wiring the authenticator into both the browser and identity-provider (IDP) flows. Operational tradeoffs are discussed, including the need for the external API to be highly available and low-latency so that it does not delay logins.
Enables dynamic, per-tenant email domain validation without Keycloak redeployments.
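As an added illustration of the architecture described above (this is example code, not the article's or the project's own), here is a minimal authenticator of that shape. The package name, the config key `policyApiBaseUrl`, the policy API contract (GET `{baseUrl}/check?tenant=..&domain=..` answering 200 for allowed and 403 for denied), and the use of the realm name as the tenant id are assumptions made for the example; the Keycloak SPI types it implements (`Authenticator`, `AuthenticatorFactory`, `AuthenticationFlowContext`) are the real ones. It also spells out the two behaviours the stated tradeoffs imply: bounded connect and request timeouts so a slow policy API cannot hang logins indefinitely, and fail-closed handling so an API outage or misconfiguration denies logins rather than silently widening the allow-list.

```java
package com.example.keycloak.domainvalidator; // hypothetical package, not from the article

import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.List;
import java.util.Locale;
import org.keycloak.Config;
import org.keycloak.authentication.*;
import org.keycloak.models.*;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.provider.ProviderConfigProperty;

// Assumed policy API contract (not from the article): GET {baseUrl}/check?tenant=..&domain=..
// answers 200 when the domain is allowed and 403 when it is denied. Anything else is an
// error, and the login fails closed so an outage cannot silently widen the allow-list.
public class DomainEmailValidatorAuthenticator implements Authenticator {
    static final String CONFIG_POLICY_URL = "policyApiBaseUrl"; // assumed config key
    private static final HttpClient HTTP = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();
    enum Decision { ALLOW, DENY, ERROR }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        String domain = user == null ? null : extractDomain(user.getEmail());
        if (domain == null) {
            context.failure(AuthenticationFlowError.INVALID_USER); // no usable email: deny, do not skip
            return;
        }
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        String baseUrl = cfg == null ? null : cfg.getConfig().get(CONFIG_POLICY_URL);
        if (baseUrl == null || baseUrl.isBlank()) {
            context.failure(AuthenticationFlowError.INTERNAL_ERROR); // misconfiguration also fails closed
            return;
        }
        // The realm name stands in for the tenant id (an assumption of this example).
        Decision d = queryPolicy(baseUrl, context.getRealm().getName(), domain);
        if (d == Decision.ALLOW) context.success();
        else if (d == Decision.DENY) context.failure(AuthenticationFlowError.ACCESS_DENIED);
        else context.failure(AuthenticationFlowError.INTERNAL_ERROR);
    }

    /** Lower-cased domain part of the address, or null when it is not well-formed. */
    static String extractDomain(String email) {
        if (email == null) return null;
        String e = email.trim();
        int at = e.lastIndexOf('@');
        if (at <= 0 || at == e.length() - 1) return null;
        String domain = e.substring(at + 1).toLowerCase(Locale.ROOT);
        if (domain.endsWith(".")) domain = domain.substring(0, domain.length() - 1); // "acme.com." -> "acme.com"
        return domain.isEmpty() || domain.chars().anyMatch(Character::isWhitespace) ? null : domain;
    }

    static Decision queryPolicy(String baseUrl, String tenant, String domain) {
        try {
            String url = baseUrl + "/check?tenant=" + enc(tenant) + "&domain=" + enc(domain);
            HttpRequest req = HttpRequest.newBuilder(URI.create(url))
                    .timeout(Duration.ofSeconds(3)) // bounds the login delay if the API is slow
                    .GET().build();
            int status = HTTP.send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
            return status == 200 ? Decision.ALLOW : status == 403 ? Decision.DENY : Decision.ERROR;
        } catch (Exception e) { // timeout, DNS failure, connection refused, interrupt
            return Decision.ERROR;
        }
    }

    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return true; } // place after the login form / user creation step
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }

    /** Registered through META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory implements AuthenticatorFactory {
        public static final String ID = "domain-email-validator";
        private static final Authenticator SINGLETON = new DomainEmailValidatorAuthenticator();
        @Override public String getId() { return ID; }
        @Override public String getDisplayType() { return "Email Domain Validator (external policy API)"; }
        @Override public String getReferenceCategory() { return "email-domain"; }
        @Override public boolean isConfigurable() { return true; }
        @Override public Requirement[] getRequirementChoices() { return new Requirement[] { Requirement.REQUIRED, Requirement.DISABLED }; }
        @Override public boolean isUserSetupAllowed() { return false; }
        @Override public String getHelpText() { return "Allows login only if the policy API permits the email domain."; }
        @Override public List<ProviderConfigProperty> getConfigProperties() {
            return List.of(new ProviderConfigProperty(CONFIG_POLICY_URL, "Policy API base URL",
                    "Base URL of the domain policy service", ProviderConfigProperty.STRING_TYPE, ""));
        }
        @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
    }
}
```

To deploy, package the class as a JAR in Keycloak's providers directory with a `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` file naming the nested factory (`com.example.keycloak.domainvalidator.DomainEmailValidatorAuthenticator$Factory`), then add the execution as REQUIRED. Because `requiresUser()` returns true, it belongs after the Username Password Form in the browser flow, and in the IDP path after the step that creates or links the user (for example Create User If Unique in First Broker Login) or in the identity provider's post-login flow. Since the decision is fetched on every login, a short-lived cache of recent allow/deny results per tenant and domain is the usual way to soften the availability and latency dependence the summary warns about, while keeping the fail-closed default for cache misses.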