Thanks very much Marek and Thomas for taking the time to get back to me.
I've found an example of a JS authenticator here:
Is this how I would build the custom authenticator, and extend it to check
the user roles and clientID?
Thanks
Shane
On 24 Feb. 2017 01:25, "Thomas Darimont" <thomas.darimont(a)googlemail.com> wrote:
Hello Shane,
you could try to do that with the JavaScript-based Authenticator.
Cheers,
Thomas
2017-02-23 14:07 GMT+01:00 Marek Posolda <mposolda(a)redhat.com>:
> I can think of some workarounds. Like for example, create an
> Authenticator, which will be added to the bottom of the authentication
> flow. Authenticator will throw an exception in case that unpermitted
> user is trying to authenticate to the client corresponding to your
> openshift application. You have the user available (he is already
> authenticated) and you have also the client (can be determined based on
> clientId).
>
> Maybe even easier is to do that in custom RequiredActionProvider and do
> this check in "evaluateTriggers".
>
> This is a workaround as it mixes authentication and authorization (among
> other issues). But hopefully it can suit your needs.
>
> Marek
>
> On 23/02/17 07:19, Shane Boulden wrote:
> > Hi everyone,
> >
> > I'm trying to figure out a fairly straight-forward problem set -
> >
> > - I have a number of users in a Keycloak database, federated from an
> > LDAP provider with a READ_ONLY policy (i.e. I can't "disable" the
> > users)
> > - I want to limit access to a client to only certain Keycloak users
> >
> > I thought this would be possible with a role that is shared by the client
> > and the user. However, it looks like Keycloak lets the application itself
> > determine access via a role:
> > http://lists.jboss.org/pipermail/keycloak-user/2014-November/001205.html
> >
> > But what if I can't update the application's behaviour? E.g. if I want to
> > integrate Keycloak with OpenShift, and OpenShift doesn't consume any
> > information from the OIDC provider?
> >
> > In this particular example, I don't want to limit the users in the Keycloak
> > database - I want to sync all users from LDAP, but limit application access
> > to only a subset.
> >
> > Any assistance is greatly appreciated.
> >
> > Shane
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
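Putting the two suggestions together (Thomas's JavaScript-based authenticator, Marek's check of the already-authenticated user against the client determined from the clientId), here is an added example of what such a script could look like. It is not code from the thread, from Keycloak, or from any of the posters. The script is meant to be the last step of the flow: it reads the user and client from the flow context, looks for a client-level role (here assumed to be named `openshift-access`) on that client, and fails the flow with `ACCESS_DENIED` when the user does not hold it. Clients that define no such role are left unrestricted, so the gate is opt-in per client. The accessor names (`context.getUser()`, `context.getAuthenticationSession().getClient()`, `client.getRole()`, `user.hasRole()`, `context.failure()`/`context.success()`) are my reading of the Keycloak `AuthenticationFlowContext`, `ClientModel` and `UserModel` API and should be verified against the release you deploy to. The stand-in objects at the bottom are constructed purely so the decision logic can be run and tested outside Keycloak.

```javascript
// Added example (not from the thread or from Keycloak): a script
// authenticator that denies login to a client unless the user holds a
// client-level role named "openshift-access" on that client. Accessor
// names are assumptions about the Keycloak API; verify them for your release.

// Inside Keycloak (Nashorn) this resolves the real Java enum. Outside
// Keycloak `Java` is undefined, so a plain object stands in and the decision
// logic can be unit-tested locally against the constructed stand-ins below.
var AuthenticationFlowError = (typeof Java !== "undefined")
    ? Java.type("org.keycloak.authentication.AuthenticationFlowError")
    : { ACCESS_DENIED: "ACCESS_DENIED" };

// Client role that gates access (assumed naming convention, one per client).
var ACCESS_ROLE = "openshift-access";

// Pure decision: may `user` log in to `client`?
// A client that does not define the gate role is left unrestricted, so the
// check is opt-in per client and cannot lock everyone out of every client.
function isPermitted(user, client) {
    var role = client.getRole(ACCESS_ROLE);
    if (role === null || role === undefined) {
        return true;
    }
    return user.hasRole(role); // direct, group-inherited or composite assignment
}

// Entry point Keycloak invokes for a script authenticator. The user is
// already authenticated at this point; we only decide about this client.
function authenticate(context) {
    var client = context.getAuthenticationSession().getClient();
    if (!isPermitted(context.getUser(), client)) {
        context.failure(AuthenticationFlowError.ACCESS_DENIED);
        return;
    }
    context.success();
}

// ---- Constructed stand-ins for offline testing. Not part of the script you
// ---- paste into Keycloak; they mimic only the methods used above.
function makeClient(clientId, roleNames) {
    return {
        getClientId: function () { return clientId; },
        getRole: function (name) {
            return roleNames.indexOf(name) >= 0
                ? { name: name, clientId: clientId }
                : null;
        }
    };
}

function makeUser(username, grantedRoles) {
    return {
        getUsername: function () { return username; },
        hasRole: function (role) {
            return grantedRoles.some(function (r) {
                return r.name === role.name && r.clientId === role.clientId;
            });
        }
    };
}

// Runs authenticate() against a fake flow context and returns its decision:
// "success" or "failure:<error>".
function simulate(user, client) {
    var outcome = null;
    var context = {
        getUser: function () { return user; },
        getAuthenticationSession: function () {
            return { getClient: function () { return client; } };
        },
        success: function () { outcome = "success"; },
        failure: function (err) { outcome = "failure:" + err; }
    };
    authenticate(context);
    return outcome;
}
```

Because the check runs after the user is authenticated, a denied user still gets a valid Keycloak session for other clients; only the flow for the gated client fails, which matches Marek's point that this mixes authentication and authorization. Keep the gate role client-scoped (not a realm role) so that granting it for one application does not silently open another.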