[keycloak-user] brokered-login only

Marek Posolda mposolda at redhat.com
Mon Jun 25 05:25:29 EDT 2018


Yes, sure.

If you just need to override themes, you may not need to override the 
authentication flow. But if you need to override the UsernamePassword 
Authenticator and change the implementation so that it doesn't allow 
login with username/password at all, then you will need to add this 
authenticator implementation to a new browser authentication flow. Maybe 
instead of overriding the UsernamePassword authenticator, it's easier to 
create a new implementation of an authenticator, which will just show the 
Freemarker form with links to brokers (no username/password). In that 
case you will also need to create a new authentication flow and add that 
new authenticator implementation to it.

Marek

On 25/06/18 08:57, Corbetta, Francesco wrote:
> Hello
>
> What about changing the browser authentication flow?
>
> Best
>
> Francesco
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Marek Posolda
> Sent: 25 June 2018 08:49
> To: mj <lists at merit.unu.edu>; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] brokered-login only
>
> It's possible to remove the username/password fields from the login screen by doing a custom theme and overriding the Freemarker template for the login screen.
>
> You may need to remove the "password" tab from account management as well, so that users are not able to set their password here. This can also be achieved through the theme.
>
> Thing is, that after changing themes, users will still be able to log in with their username/passwords if they "simulate" sending the same HTTP request which the login screen is sending (they can also simulate changing their password in account management by HTTP request even if the "password" tab is not in the UI). So if you expect to have malicious users who would try to do something like this, and you want to be safe and avoid this, you may need to change/override the UsernamePassword Authenticator too and avoid authentication of users with username/password. Then login with username/password will be impossible even if a user is trying to "simulate" the request like this.
>
> Marek
>
>
> On 24/06/18 14:30, mj wrote:
>> Hi,
>>
>> Is there a way to create a realm in keycloak with a few brokered IdP's,
>> *without* the local username/password fields on the login screen, but
>> *only* a list of external IdP's to choose from?
>>
>> Thanks!
>>
>> MJ
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

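An added example, not part of the original thread and not Keycloak's own code: an audit over a realm JSON export that reports whether the built-in username/password form authenticator is still reachable from the flow bound as the browser flow, which is the case a theme-only change leaves behind. The sample realms are constructed, and "broker-links-form" is a hypothetical id for the custom authenticator described above.

```python
import json
import sys

PASSWORD_FORM = "auth-username-password-form"  # built-in password form provider id

def password_form_executions(realm):
    """Return (flow alias, requirement) for each enabled password-form
    execution reachable from the realm's bound browser flow."""
    flows = {f["alias"]: f for f in realm.get("authenticationFlows", [])}
    findings, seen = [], set()

    def walk(alias):
        if alias in seen or alias not in flows:
            return
        seen.add(alias)
        for ex in flows[alias].get("authenticationExecutions", []):
            if ex.get("requirement") == "DISABLED":
                continue  # disabled executions and their subflows never run
            if ex.get("flowAlias"):
                walk(ex["flowAlias"])  # descend into the subflow
            elif ex.get("authenticator") == PASSWORD_FORM:
                findings.append((alias, ex.get("requirement")))

    walk(realm.get("browserFlow", "browser"))
    return findings

def flow(alias, *executions):
    """Build a constructed flow entry in the shape of a realm export."""
    return {"alias": alias, "authenticationExecutions": list(executions)}

def step(requirement, authenticator=None, flow_alias=None):
    return {"requirement": requirement, "authenticator": authenticator,
            "flowAlias": flow_alias}

# Constructed sample data: the default flows, present in both realms.
BUILTIN = [
    flow("browser", step("ALTERNATIVE", "auth-cookie"),
         step("ALTERNATIVE", "identity-provider-redirector"),
         step("ALTERNATIVE", flow_alias="forms")),
    flow("forms", step("REQUIRED", PASSWORD_FORM)),
]
# Theme-only change: fields hidden in the UI, default flow still bound.
THEME_ONLY = {"browserFlow": "browser", "authenticationFlows": BUILTIN}
# New flow bound, with a hypothetical broker-links authenticator.
BROKER_ONLY = {"browserFlow": "broker-only", "authenticationFlows": BUILTIN + [
    flow("broker-only", step("ALTERNATIVE", "auth-cookie"),
         step("REQUIRED", "broker-links-form"))]}

if __name__ == "__main__":
    realm = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else THEME_ONLY
    hits = password_form_executions(realm)
    for alias, req in hits:
        print(f"password form still reachable: flow={alias} requirement={req}")
    sys.exit(1 if hits else 0)
```

Run it with the path to a realm export as the only argument; a non-zero exit status means the password form can still be reached through the browser flow.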


