[keycloak-user] remove permission to a group of users (veto keycloak auth)

[David Delbecq]

Hello,
I'm trying to find out the best way to migrate one of our current behaviour
to a keycloak based installation.

We currently have a many to one relationship between user account and
companies. A company can have multiple users in the application. We need to
be able to disable a complete company on one application. What is the best
approach to doing this?

I tried (and failed) to create an additional required login module in
wildfly and have this return false on login() if company has not been
enabled in application. It seems that when you come with a bearer token,
you don't go into login modules (neither mine nor the keycloak one), you
are just immediately recognized by subsystem which then bypass the jaas
login modules of keycloak.

I can't just disable the users, as they still need to be able to log in on
our other applications.

I was thinking into using Groups in keycloak, one for each
company&application combo and add / remove an automatic required role to
block access to disabled companies. But it means a double maintenance
between keycloak and our internal database to maintain the list of
companies.

Is there someway to tap in the the wildfly keycloak subsystem to veto valid
authentications?

thank you.
-- 
<http://www.trimble.com/>
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 <+32%2016%20391%20121> Direct
david.delbecq at trimbletl.com
<http://www.trimbletl.com/>