Prerequisites:
- A running Keycloak instance
- JDK 21 available locally if you want to build from source
- A Microsoft Azure App Registration for the flow
The provider uses Microsoft’s consumer OAuth endpoints. Corporate or common tenant configurations are not suitable for this flow because Xbox Live authentication requires the consumer setup.
Create the Azure App Registration
Create a Microsoft app registration with these settings:
- Redirect URI: https://your-keycloak-url/realms/{realm}/broker/{alias}/endpoint
- Delegated API permission: XboxLive.signin
- Client secret: create one under Certificates & secrets
minecraft, so the redirect URI is typically https://your-keycloak-url/realms/{realm}/broker/minecraft/endpoint. If you change the alias in Keycloak, update the redirect URI to match.
The Keycloak identity provider later uses the Azure app’s client ID and client secret.
Check Minecraft API Whitelisting
Some Minecraft authentication scenarios require Mojang or Minecraft API whitelisting in addition to the Azure OAuth setup.
- Reference: Minecraft help article
Obtain the Provider JAR
Use the published artifact from GitHub Packages:
- Maven repository: https://maven.pkg.github.com/groundsgg/keycloak-minecraft-idp
- Artifact: gg.grounds:keycloak-minecraft-idp:<version>
The build output is a single shaded JAR named keycloak-minecraft-idp.jar.
Install the Provider into Keycloak
Copy the JAR into Keycloak’s providers directory:
Then rebuild Keycloak:
Restart Keycloak after the build completes.
Verify that Keycloak starts without provider loading errors before you continue.
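The copy and rebuild steps above, as an added shell example that is not taken from the project's own documentation. It assumes the standard Keycloak distribution layout (providers/ and bin/kc.sh under the install directory; /opt/keycloak is only an example path), the helper name install_provider is hypothetical, and the optional SHA-256 argument is a digest you recorded yourself when you obtained the JAR.

```shell
#!/usr/bin/env bash
# Added example, not the project's own script.
# Assumed layout: $kc_home/providers and $kc_home/bin/kc.sh.
# install_provider is a hypothetical helper name.
#
# usage: install_provider <jar> <kc_home> [expected_sha256]
install_provider() {
    local jar kc_home expected actual
    jar="$1"; kc_home="$2"; expected="${3:-}"

    # Refuse to continue unless the JAR and the Keycloak layout are where we expect.
    [ -f "$jar" ] || { echo "JAR not found: $jar" >&2; return 1; }
    [ -d "$kc_home/providers" ] || { echo "no providers/ under $kc_home" >&2; return 1; }
    [ -x "$kc_home/bin/kc.sh" ] || { echo "no executable bin/kc.sh under $kc_home" >&2; return 1; }

    # Optional integrity check against a digest the operator recorded earlier.
    if [ -n "$expected" ]; then
        actual=$(sha256sum "$jar" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "SHA-256 mismatch for $jar: got $actual" >&2
            return 2
        fi
    fi

    # Copy with mode 0644 so the JAR carries no execute bit.
    install -m 0644 "$jar" "$kc_home/providers/" || return 1

    # Rebuild the server so the new provider is picked up on the next start.
    "$kc_home/bin/kc.sh" build || { echo "kc.sh build failed" >&2; return 3; }

    echo "installed $(basename "$jar"); restart Keycloak and check the startup log"
}

# Run as a script only when arguments are given, e.g.:
#   bash install-provider.sh keycloak-minecraft-idp.jar /opt/keycloak
if [ "$#" -ge 2 ]; then
    install_provider "$@"
fi
```

A non-zero return code tells you which stage failed: 1 for a missing file or layout, 2 for a digest mismatch, 3 for a failed build.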
Add the Identity Provider
In the Keycloak admin UI:
- Open your realm.
- Go to Identity Providers.
- Click Add provider.
- Select Minecraft.
Verify that Minecraft appears in Identity Providers before you move on to configuration.