[keycloak-user] remove permission to a group of users (veto keycloak auth)

David Delbecq david_delbecq at trimble.com
Tue Jan 10 07:06:43 EST 2017


Indeed, that's what I finally did. Simple solutions sometimes slip my mind.
Was looking for something too complex :)

On Tue, Jan 3, 2017 at 6:24 PM Bill Burke <bburke at redhat.com> wrote:

> You could do it in a servlet filter.
>
>
> On 1/3/17 10:09 AM, David Delbecq wrote:
> > Hello,
> > I'm trying to find out the best way to migrate one of our current
> > behaviours to a Keycloak based installation.
> >
> > We currently have a many to one relationship between user accounts and
> > companies. A company can have multiple users in the application. We need
> > to be able to disable a complete company on one application. What is the
> > best approach to doing this?
> >
> > I tried (and failed) to create an additional required login module in
> > WildFly and have this return false on login() if company has not been
> > enabled in application. It seems that when you come with a bearer token,
> > you don't go into login modules (neither mine nor the Keycloak one), you
> > are just immediately recognized by subsystem which then bypasses the JAAS
> > login modules of Keycloak.
> >
> > I can't just disable the users, as they still need to be able to log in
> > on our other applications.
> >
> > I was thinking of using Groups in Keycloak, one for each
> > company&application combo and add / remove an automatic required role to
> > block access to disabled companies. But it means a double maintenance
> > between Keycloak and our internal database to maintain the list of
> > companies.
> >
> > Is there some way to tap into the WildFly Keycloak subsystem to veto
> > valid authentications?
> >
> > Thank you.
>
-- 
<http://www.trimble.com/>
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq at trimbletl.com
<http://www.trimbletl.com/>

