Hello,
I'm facing difficulties implementing a specific requirement using Keycloak. Since
searches on the topic also came up empty, I'm hoping someone could shed some insight
into how I can approach the following situation:
We have a Keycloak realm containing user accounts that can access several clients also
within the same realm, all pretty standard. This realm also has a federated identity
provider (using OpenID Connect) which can be linked to the local accounts and for which
external claims are mapped to local user attributes.
One of our client applications requires the attributes from the external identity provider
to be present, which may not be the case if the user hasn't set up the account link
yet (through explicit linking or brokered login). Also, from a strategic point of view, we
want to encourage users to log in using their local accounts instead of the external
accounts (we're using this construction as a first step to migrate away from the
external IDP).
Now I'm tasked with the challenge of coming up with a login flow that, after a normal
local login (form+OTP), checks if the link to the external account is present and, if not,
presents the user with the choice to set up the link there and then as part of the login
flow. I've tried:
- Implementing a custom authenticator that checks if the IDP link is present. Combined
with the IDP redirector authenticator I'm able to force a login at the external IDP.
After being redirected back to Keycloak the user enters the first broker login flow;
however, any kind of customization there doesn't seem to allow me to link the external
account to the existing local account without re-authentication (which doesn't make
sense from a user point of view because he or she just logged in to the local account).
- It occurred to me that a required action might be a more suitable solution, however
Keycloak doesn't appear to offer such functionality out of the box and so far I've
come up blank as to how to implement this specific use case as a required action.
As for my questions:
1) What would be the best way to approach this specific use case using Keycloak? Or
perhaps there's a good reason why I should avoid this situation that I haven't
spotted yet?
2) Assuming customization is required: could someone share some pointers as to how to
implement the account linking as a required login step? I've implemented my fair share
of required actions and authenticators, so I'm familiar with the basics.
Thank you, any insights are greatly appreciated!
Regards,
Erik