Unfortunately I didn't find a solution, though we've not moved off v4.5.0
yet, so hoping something is in the latest or at the very least on the horizon.

On Fri, Feb 8, 2019, 12:27 AM <luke(a)code-house.org> wrote:
I came across the same issue, have you found any solution?
> On 9 Nov 2018, at 11:11, gambol <gambol99(a)gmail.com> wrote:
> Hopefully someone knows a way around this ..
> We have a requirement to pin a keycloak client to a specific group of
> options i.e. they can only login via a social provider and not a local
> username/password, BUT we also wish to allow certain users the ability to
> override the behavior. I mocked up an authenticator which used the
> IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME, checked it against a
> configurable list for the authenticator and also looked for a user
> attribute. Now on first login that works fine, but as the access token
> comes up for refresh the IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME
> is not retained (I guess because it's now an SSO session refresh and not a
> login) and so the authenticator throws the error message.
> Is it possible to hook into login only? .. Anyone think of another way
> around it? :-) .. I tried using SetClientNotes / SetAuthNote to retain
> the logged-in provider, but that doesn't appear to work either.
> Disclaimer: I know the official stance would be the IDP provides
> authentication only with authorization handled by the application end,
> in many cases third party applications can't support this .. so was
> we could control it at source.