[keycloak-user] Google login without automatic user registration

Craig Setera craig at baseventure.com
Fri Jan 18 17:18:42 EST 2019


I've attached a subset of my (Bash) setup script.  This is the part that
handles the script authenticator setup.  Hope it helps.

Craig


=================================
*Craig Setera*

*Chief Technology Officer*




On Fri, Jan 18, 2019 at 3:31 PM Dmitry Telegin <dt at acutus.pro> wrote:

> Yes, generally there are three ways to do things in Keycloak, namely admin
> console, REST API and kcadm.sh tool (that uses REST API under the hood).
> The latter may be preferable from the automation PoV since it hides
> the complexity of the API behind a (relatively) simple CLI wrapper.
>
> I remember Craig Setera (in CC) was trying to create custom JS
> authenticator via kcadm.sh, so I hope he can tell you more.
>
> Cheers,
> Dmitry
>
> On Fri, 2019-01-18 at 14:05 -0500, Scott Thibault wrote:
> > Oh, I did not realize you create these from the admin console.  That
> > should work.  I see there is a REST API as well, so I could automate the
> > setup which is really nice.
> >
> > Thanks!
> > --Scott
> >
> > > On Fri, Jan 18, 2019 at 1:54 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > > Hi Scott,
> > >
> > > On Fri, 2019-01-18 at 13:03 -0500, Scott Thibault wrote:
> > > > That does look like it does what we would want.  However, I don't
> > > > think I can add custom authenticators.  I'm administering an Eclipse Che
> > > > instance which embeds Keycloak for its authentication.  Is there any other
> > > > approach?
> > >
> > > Just FYI, Che's embedded Keycloak is fully accessible [1], so
> > > it shouldn't be problematic to install a single JS authenticator.
> > >
> > > [1] https://www.eclipse.org/che/docs/che-6/user-management.html
> > >
> > > Good luck,
> > > Dmitry
> > >
> > > >
> > > > --Scott
> > > >
> > > >
> > > > > On Wed, Jan 16, 2019 at 5:52 PM Dmitry Telegin <dt at acutus.pro> wrote:
> > > > > Hi Scott,
> > > > >
> > > > > I think Geoffrey Cleaves has done this with the help of custom
> > > > > authenticator, please check out this thread:
> > > > > http://lists.jboss.org/pipermail/keycloak-user/2018-December/016703.html
> > > > >
> > > > > Cheers,
> > > > > Dmitry Telegin
> > > > > CTO, Acutus s.r.o.
> > > > > Keycloak Consulting and Training
> > > > >
> > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > > +42 (022) 888-30-71
> > > > > E-mail: info at acutus.pro
> > > > >
> > > > > On Wed, 2019-01-16 at 14:12 -0500, Scott Thibault wrote:
> > > > > > Out-of-the-box, the First Broker Login flow automatically registers
> > > > > > non-existing users authenticated by an identity provider.  I would not like
> > > > > > anyone with a valid Google account to be able to log in, but only those with
> > > > > > existing accounts.  However, any attempt to create a custom flow without
> > > > > > the "Create User If Unique" item leads to an error=invalid_user_credentials.
> > > > > >
> > > > > > Is there some solution that would allow me to prevent users without an
> > > > > > existing account from logging in via the Google identity provider?
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > > >
> > >
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: script-auth-setup.sh.zip
Type: application/zip
Size: 1383 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190118/78922ebb/attachment.zip 
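
The attachment above was scrubbed from the archive, so the following is an added example, not Craig's script or anything from the Keycloak project: one way to set up a script authenticator with kcadm.sh and bind it as the First Broker Login flow of an identity provider. It assumes kcadm.sh is on PATH and already logged in; the realm, flow alias, IdP alias and JavaScript file are the caller's own values, and the authenticator logic itself is not supplied here.

```sh
#!/bin/sh
# Added example, not the scrubbed attachment. Assumes kcadm.sh is on PATH and
# already logged in (kcadm.sh config credentials ...). Realm, flow alias, IdP
# alias and script file are supplied by the caller.
KCADM="${KCADM:-kcadm.sh}"

# JSON-escape a script file (backslash, quote, tab, newline) so its source
# can be embedded in the "scriptCode" string of the authenticator config.
json_escape() {
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$(printf '\t')/\\\\t/g" "$1" |
    awk '{ printf "%s\\n", $0 }'
}

# usage: setup_script_authenticator REALM FLOW_ALIAS IDP_ALIAS SCRIPT_FILE
setup_script_authenticator() {
  realm=$1 flow=$2 idp=$3 code=$(json_escape "$4") || return 1

  # 1. Empty top-level flow: no "Create User If Unique" step in it.
  "$KCADM" create authentication/flows -r "$realm" -s alias="$flow" \
    -s providerId=basic-flow -s topLevel=true -s builtIn=false || return 1

  # 2. Add the script authenticator; -i prints the new execution's id.
  exec_id=$("$KCADM" create "authentication/flows/$flow/executions/execution" \
    -r "$realm" -s provider=auth-script-based -i) || return 1

  # 3. Set the execution's requirement explicitly to REQUIRED.
  "$KCADM" update "authentication/flows/$flow/executions" -r "$realm" \
    -b "{\"id\":\"$exec_id\",\"requirement\":\"REQUIRED\"}" || return 1

  # 4. Attach the JavaScript source as the execution's configuration.
  "$KCADM" create "authentication/executions/$exec_id/config" -r "$realm" \
    -b "{\"alias\":\"$flow-script\",\"config\":{\"scriptName\":\"$flow-script\",\"scriptCode\":\"$code\"}}" || return 1

  # 5. Use the flow as the identity provider's First Broker Login flow.
  "$KCADM" update "identity-provider/instances/$idp" -r "$realm" \
    -s firstBrokerLoginFlowAlias="$flow"
}

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then setup_script_authenticator "$@"; fi
```

Test the resulting flow with an unregistered Google account before relying on it, since what the flow allows or rejects depends entirely on the script you supply.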