[keycloak-user] kc_idp_hint working as expected in 3.2.0?

Nathan Hoult nhoult51 at gmail.com
Tue Aug 1 12:06:40 EDT 2017


According to the documentation here:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/params_forwarding.html
with an identity provider named 'google' I should be able to call:
/auth/realms/<Realm>/protocol/openid-connect/auth?client_id=<client id>&state=<state>&redirect_uri=<a url>&scope=openid&response_type=code&kc_idp_hint=google
and I shouldn't see the KC login page. After ~2 days of testing it seems
kc_idp_hint works the first time as long as no cookies are set but once I
visit the KC login page the kc_idp_hint no longer works. NOTE: setting a
default Identity Provider Redirector works just fine it seems.

Steps to reproduce:
1) go to /auth/realms/<Realm>/account
2) clear KC server cookies
3) append to the /auth URL: &kc_idp_hint=<a valid idp>
4) it logs you in, or at least you see the idp login page
5) log out of KC
6) without clearing cookies try step #3
7) see KC login page <- bug?

My research (KC 3.2.0 git):
Identity Provider Redirector checks for the kc_idp_hint at
org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator:44
and is run from org.keycloak.authentication.DefaultAuthenticationFlow:200
but once KC has set a cookie it exits out of the DefaultAuthenticationFlow
at line 156 because line 110 has the IdentityProviderAuthenticator set as
AuthenticationSessionModel.ExecutionStatus.ATTEMPTED. It never ends up
running the IdentityProviderAuthenticator:44 and instead goes into the
login flow which returns HTML.

My workaround:
I added javascript to the login theme that looks for param "kc_idp_hint",
if it exists hide the whole page, then onload() look for element
id="zocial-<kc_idp_hint value>". If the element is found: click(), else:
reveal the page. I don't like this because 1) you can't hide the idp, 2) it takes
a little longer, 3) you can't override the default idp with blank, 4) it just seems like
the wrong place to do it.

So, is this a bug or am I misunderstanding kc_idp_hint? If it is a bug, I
find the code a little confusing, though it is starting to make more sense; but
maybe someone more familiar with it could fix it much faster than me?

Thank you!
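The login-theme workaround described in this post, written out as an added example (this is not code from the original post or from Keycloak itself). It assumes, as the post does, that the theme renders each identity-provider link with the element id "zocial-<alias>"; that naming convention and the helper names below are assumptions. The decision logic is kept in plain functions so it can be exercised outside a browser, and the hint value is validated against an alias pattern before it is used to build an element id, so a crafted query string cannot select an arbitrary element.

```javascript
// Added example of the theme-side kc_idp_hint workaround (not the post's
// own code). Assumes the theme gives each IdP link the id "zocial-<alias>".

// Only accept values that look like a Keycloak IdP alias, so the hint can
// never be turned into an arbitrary element id or selector.
const IDP_ALIAS_RE = /^[A-Za-z0-9_.-]{1,64}$/;

// Extract and validate kc_idp_hint from a query string such as
// "?client_id=x&kc_idp_hint=google". Returns null when the parameter is
// absent, empty, or does not look like an alias.
function getIdpHint(search) {
  const params = new URLSearchParams(search);
  const hint = params.get('kc_idp_hint');
  if (hint === null || hint === '') return null;
  return IDP_ALIAS_RE.test(hint) ? hint : null;
}

// Map a validated alias to the element id of the IdP login link
// (assumed "zocial-<alias>" convention).
function idpElementId(hint) {
  return `zocial-${hint}`;
}

// Decide what the page should do given the hint and the ids of the IdP
// links actually rendered. Returns {action: 'click', id} when a matching
// link exists, otherwise {action: 'reveal'} so the normal login form shows.
function decideAction(hint, availableIds) {
  if (hint === null) return { action: 'reveal' };
  const id = idpElementId(hint);
  return availableIds.includes(id) ? { action: 'click', id } : { action: 'reveal' };
}

// Browser glue: hide the page as early as possible, then on load either
// click the matching IdP link or reveal the page again.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  const hint = getIdpHint(window.location.search);
  if (hint !== null) {
    document.documentElement.style.visibility = 'hidden';
    window.addEventListener('load', () => {
      const ids = Array.from(document.querySelectorAll('[id^="zocial-"]'))
        .map((el) => el.id);
      const decision = decideAction(hint, ids);
      if (decision.action === 'click') {
        document.getElementById(decision.id).click();
      } else {
        document.documentElement.style.visibility = '';
      }
    });
  }
}
```

Note that an empty kc_idp_hint falls through to the normal login page here; as the post observes, a theme-side script cannot reproduce the server-side handling of a blank hint, and a user who disables JavaScript simply sees the regular login form, so this remains a cosmetic workaround rather than a substitute for the server-side redirector.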

