5:45 p.m.
Hi Marek,
You absolutely right, UsernamePasswordForm does the trick. However, the login screen
rendered by UsernamePasswordForm is different from that of IdpUsernamePasswordForm in the
following aspects:
- IdpUsernamePasswordForm doesn't display the block with IdP/social buttons;
- IdpUsernamePasswordForm renders the message relevant to IdP-linking-by-reauthentication,
which is this:
federatedIdentityConfirmReauthenticateMessage=Authenticate as {0} to link your account
with {1}
So, my requirement is to implement the appearance of IdpUsernamePasswordForm + behavior of
UsernamePasswordForm. I think this could be done either by augmenting the former, or by
merging the two authenticators into a unified one, that would exhibit different behavior
depending on the context (normal login vs. reauthentication for IdP linking).
Please let me know which way seems better for you, with the idea in mind of having this
contributed to upstream.
Thanks!
Dmitry
On Tue, 2019-04-02 at 15:21 +0200, Marek Posolda wrote:
On 28/03/2019 17:06, Dmitry Telegin wrote:
> Hi,
>
> I'm currently working to implement the following requirements:
> - users are managed externally via LDAP, self-registrations disabled;
> - there is an external IdP;
> - generally, there is no way to automatically match IdP identity with Keycloak's
one, so IdP linking will always be performed by the user manually;
> - in order to do that, the user should click the IdP icon in the login screen,
authenticate with the IdP, get back to Keycloak and "claim" his/her Keycloak
account by entering correct username and password.
>
> Currently, the closest thing in Keycloak is
o.k.authentication.authenticators.broker.IdpUsernamePasswordForm (aka
"idp-username-password-form", aka "Username Password Form for identity
provider reauthentication").
> However, it 1) prefills username field and makes it non-editable, 2) depends on the
preceding IdpCreateUserIfUniqueAuthenticator execution to provide existing user model
(EXISTING_USER_INFO auth note).
>
> My proposal is to improve IdpUsernamePasswordForm by allowing its execution even
without the preceding IdpCreateUserIfUniqueAuthenticator. In the absence of
EXISTING_USER_INFO, IdpUsernamePasswordForm should allow the user to manually enter
username.
I wonder if you can't already achieve something like this with the OOTB
authenticator implementations, but just correctly configure them? For
example in the "First Broker Login" flow used for your identity
provider, you can just directly use the default browser-based
authenticator ( UsernamePasswordForm ) instead of the
IdpUsernamePasswordForm. That way, the username+password form will be
always shown for "First Broker Login" and once user authenticates, his
account will be linked with IdP account.
Marek
>
> Please let me know if you think it's worth having this in Keycloak. Regards,
> Dmitry
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev