[keycloak-dev] Authentication SPI - Pinning the IDP

gambol gambol99 at gmail.com
Fri Feb 8 04:50:13 EST 2019


Hi Luke

Unfortunately I didn't find a solution, though we've not moved off v4.5.0
yet so hoping something is in the latest or at the very least on the horizon
:-(

Rohith


On Fri, Feb 8, 2019, 12:27 AM <luke at code-house.org> wrote:

> I came across the same issue, have you found any solution?
>
> Best regards,
> Łukasz
>
> > On 9 Nov 2018, at 11:11, gambol <gambol99 at gmail.com> wrote:
> >
> > Hiya
> >
> > Hopefully someone knows a way around this ..
> >
> > We have a requirement to pin a Keycloak client to a specific group of
> > login options i.e. they can only login via a social provider and not a
> > local username/password, BUT we also wish to allow certain users the
> > ability to override the behavior. I mocked up an authenticator which used
> > the IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME, checked it against a
> > configurable list for the authenticator and also looked for a user
> > override attribute. Now on first login that works fine, but as the access
> > token comes up for refresh the
> > IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME is not retained (I guess
> > because it's now an SSO session refresh and not a login) and so the
> > authenticator throws the error message.
> >
> > Is it possible to hook into login only? .. Anyone think of another way
> > around it? :-) .. I tried using SetClientNotes / SetAuthNote to retain
> > the logged in provider, but that doesn't appear to work either.
> >
> > Disclaimer: I know the official stance would be the IDP provides
> > authentication only with authorization handled by the application end,
> > but in many cases third party applications can't support this .. so was
> > hoping we could control it at source.
> >
> > Rohith
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>

