4:11 a.m.
Hiya
Hopefully someone know's a way around this ..
We have a requirement to pin a keycloak client to a specific group of login
options i.e. they can only login via a social provider and not a local
username/password, BUT we also wish to allow certain users the ability to
override the behavior. I mocked up authenticator which used the
IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME checked it against the a
configurable list for the authenticator and also looked for a user override
attribute. Now on first login that works fine, but as the access token
comes up for refresh the IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME is
not retained (i guess because it's now a sso session refresh and not a
login) and so the authenticator throws the error message.
Is it possible to hook into login only? .. Anyone think of another way
around it? :-) .. I tried using SetClientNotes / SetAuthNote to retain the
logged in provider, but that doesn't appear to work either.
Disclaimer: I know the official stance would be the IDP provides
authentication only with authorization handled by the application end, but
in many case's third party applications can't support this .. so was hoping
we could control it at source.
Rohith
6:27 p.m.
I come across same issue, have you any found solution?
Best regards,
Łukasz
On 9 Nov 2018, at 11:11, gambol <gambol99(a)gmail.com> wrote:
Hiya
Hopefully someone know's a way around this ..
We have a requirement to pin a keycloak client to a specific group of login
options i.e. they can only login via a social provider and not a local
username/password, BUT we also wish to allow certain users the ability to
override the behavior. I mocked up authenticator which used the
IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME checked it against the a
configurable list for the authenticator and also looked for a user override
attribute. Now on first login that works fine, but as the access token
comes up for refresh the IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME is
not retained (i guess because it's now a sso session refresh and not a
login) and so the authenticator throws the error message.
Is it possible to hook into login only? .. Anyone think of another way
around it? :-) .. I tried using SetClientNotes / SetAuthNote to retain the
logged in provider, but that doesn't appear to work either.
Disclaimer: I know the official stance would be the IDP provides
authentication only with authorization handled by the application end, but
in many case's third party applications can't support this .. so was hoping
we could control it at source.
Rohith
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:50 a.m.
Hi Luke
Unfortunately I didn't find a solution, though we've not moved off v4.5.0
yet so hoping something is in the latest or the very least on the horizon
:-(
Rohith
On Fri, Feb 8, 2019, 12:27 AM <luke(a)code-house.org wrote:
I come across same issue, have you any found solution?
Best regards,
Łukasz
> On 9 Nov 2018, at 11:11, gambol <gambol99(a)gmail.com> wrote:
>
> Hiya
>
> Hopefully someone know's a way around this ..
>
> We have a requirement to pin a keycloak client to a specific group of
login
> options i.e. they can only login via a social provider and not a local
> username/password, BUT we also wish to allow certain users the ability to
> override the behavior. I mocked up authenticator which used the
> IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME checked it against the a
> configurable list for the authenticator and also looked for a user
override
> attribute. Now on first login that works fine, but as the access token
> comes up for refresh the IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME
is
> not retained (i guess because it's now a sso session refresh and not a
> login) and so the authenticator throws the error message.
>
> Is it possible to hook into login only? .. Anyone think of another way
> around it? :-) .. I tried using SetClientNotes / SetAuthNote to retain
the
> logged in provider, but that doesn't appear to work either.
>
> Disclaimer: I know the official stance would be the IDP provides
> authentication only with authorization handled by the application end,
but
> in many case's third party applications can't support this .. so was
hoping
> we could control it at source.
>
> Rohith
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
2148
days inactive
2239
days old
2 comments
2 participants
participants (2)
-
gambol -
luke@code-house.org