[keycloak-dev] Authentication flow

Belinda Cowey Belinda.Cowey at digital.homeoffice.gov.uk
Tue Nov 5 10:41:24 EST 2019


I am trying to configure an authentication flow that restricts login to a particular group, but initially, when I overrode the public client authentication flow, we got this error, which indicates the user object was null. Initially the script did a user.hasRole, but now does isMember. I only had the script as part of the new flow.

09:51:07,319 ERROR [org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator] (default task-15316) org.keycloak.scripting.ScriptExecutionException: Could not execute script 'restrict-public-db-admin' problem was: TypeError: null has no such function "hasRole" in <eval> at line number 31

I then added in these flows, which now authenticate me, but the script doesn't even execute now and always gives me a token.
Cookie - Alternative
Identity Provider Redirector - Alternative
Username Password Form - Required
Script - Required

I set up the following:
New role: db-admin. No users have been assigned to this role
New group: db-admin. Assigned db-admin role
I am a member of the group db-admin
New authentication flow: restricted-public
Script: restrict-public-db-admin which only passes authentication when user is a member of the group db-admin
New public client: restricted-public. Authentication Flow Overrides set to restricted-public authentication flow

We have confirmed that -Dkeycloak.profile.feature.scripts is enabled, as per https://www.keycloak.org/docs/7.0/server_admin/#executions
We followed this example https://stackoverflow.com/a/54384513

Are we implementing/using the authorisation flow override incorrectly? How do I restrict a client to users in a group only?

Thanks
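As an added example (not the poster's script, nor Keycloak's own code), here is a script authenticator that does the group check described above and fails closed when the user has not been identified yet, which is the condition behind the "null has no such function" TypeError. It assumes the Keycloak ScriptBasedAuthenticator bindings (an AuthenticationFlowContext passed to authenticate(), the injected LOG logger, Java.type for the AuthenticationFlowError enum) and falls back to plain JavaScript stand-ins so it can be exercised offline; the group name db-admin is taken from the post.

```javascript
// Keycloak script authenticator (Nashorn, ES5 syntax): allow the login only
// if the authenticated user is a member of REQUIRED_GROUP. In Keycloak the
// Java bindings are real; in Node the fallbacks below stand in for them so
// the logic can be tested offline.
var REQUIRED_GROUP = "db-admin"; // group name from the original post

// AuthenticationFlowError is a Java enum inside Keycloak; the string fallback
// exists only so this file can run outside the server.
var AuthenticationFlowError = (typeof Java !== "undefined")
    ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
    : { UNKNOWN_USER: "UNKNOWN_USER", INVALID_USER: "INVALID_USER" };

// LOG is the logger Keycloak injects into scripts; console is the fallback.
var log = (typeof LOG !== "undefined") ? LOG : console;

// True when any of the user's direct groups has the required name.
// UserModel.getGroups() is a java.util.Set; toArray() yields a plain array
// that both Nashorn and Node can index.
function isInGroup(userModel, groupName) {
    var groups = userModel.getGroups().toArray();
    for (var i = 0; i < groups.length; i++) {
        if (groups[i].getName() === groupName) {
            return true;
        }
    }
    return false;
}

// Entry point Keycloak calls with the AuthenticationFlowContext. The string
// return value is ignored by Keycloak and exists only for testing.
function authenticate(context) {
    var userModel = context.getUser();
    // No user yet means this execution runs before any authenticator has
    // identified one (the situation in the post). Deny instead of throwing.
    if (userModel === null || userModel === undefined) {
        log.warn("restrict-public-db-admin: no user in context; place this " +
                 "execution after the Username Password Form");
        context.failure(AuthenticationFlowError.UNKNOWN_USER);
        return "failure";
    }
    if (!isInGroup(userModel, REQUIRED_GROUP)) {
        log.warn("restrict-public-db-admin: " + userModel.getUsername() +
                 " is not a member of " + REQUIRED_GROUP);
        context.failure(AuthenticationFlowError.INVALID_USER);
        return "failure";
    }
    context.success();
    return "success";
}
```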
