[keycloak-user] Google login without automatic user registration

Dmitry Telegin dt at acutus.pro
Fri Jan 18 16:31:49 EST 2019


Yes, generally there are three ways to do things in Keycloak, namely admin console, REST API and kcadm.sh tool (that uses REST API under the hood). The latter may be preferable from the automation PoV since it hides the complexity of the API behind a (relatively) simple CLI wrapper.

I remember Craig Setera (in CC) was trying to create custom JS authenticator via kcadm.sh, so I hope he can tell you more.

Cheers,
Dmitry

On Fri, 2019-01-18 at 14:05 -0500, Scott Thibault wrote:
> Oh, I did not realize you create these from the admin console.  That should work.  I see there is a REST API as well, so I could automate the setup which is really nice.
> 
> Thanks!
> --Scott
> 
> > On Fri, Jan 18, 2019 at 1:54 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > Hi Scott,
> > 
> > On Fri, 2019-01-18 at 13:03 -0500, Scott Thibault wrote:
> > > That does look like it does what we would want.  However, I don't think I can add custom authenticators.  I'm administering an Eclipse Che instance which embeds Keycloak for its authentication.  Is there any other approach?
> > 
> > Just FYI, Che's embedded Keycloak is fully accessible [1], so it shouldn't be problematic to install a single JS authenticator.
> > 
> > [1] https://www.eclipse.org/che/docs/che-6/user-management.html
> > 
> > Good luck,
> > Dmitry
> > 
> > > 
> > > --Scott
> > > 
> > > 
> > > > On Wed, Jan 16, 2019 at 5:52 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > > > Hi Scott,
> > > > 
> > > > I think Geoffrey Cleaves has done this with the help of custom authenticator, please check out this thread: http://lists.jboss.org/pipermail/keycloak-user/2018-December/016703.html
> > > > 
> > > > Cheers,
> > > > Dmitry Telegin
> > > > CTO, Acutus s.r.o.
> > > > Keycloak Consulting and Training
> > > > 
> > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > +42 (022) 888-30-71
> > > > E-mail: info at acutus.pro
> > > > 
> > > > On Wed, 2019-01-16 at 14:12 -0500, Scott Thibault wrote:
> > > > > Out-of-the-box, the First Broker Login flow automatically registers
> > > > > non-existing users authenticated by an identity provider.  I would not like
> > > > > anyone with a valid Google account to be able to login, but only those with
> > > > > existing accounts.  However, any attempt to create a custom flow without
> > > > > the "Create User If Unique" item leads to an error=invalid_user_credentials.
> > > > > 
> > > > > Is there some solution that would allow me to prevent users without an
> > > > > existing account from logging in via the Google identity provider?
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > 
> > 

