Hello Keycloak Developers,
Users that are created via Identity Brokering seem to have the
account:manage-account role by default, due to the configured
default roles.
Since those accounts are usually managed by the external IdP it could
make sense to disable access to the account app for those users.
A simple way to do this is to remove the manage-account role for the account
app from those users. It would be great if the IdP configuration would
support toggling account management access (on, off).
A more generic way to do this would be to have support
for disabling the usage of default roles for users created by the IdP
whilst allowing explicit role configuration.
Do you see any problems with this?
Cheers,
Thomas