Hi MJ,
Note that I'm not affiliated with
https://github.com/ohioit/keycloak-link-idp-with-user . You could use it, but you would
have to make some tweaks to get it to work with the newer Keycloak.
Note also that I'm not affiliated with Keycloak, either, but the question of whether
to just tweak the theme to remove the username and password, or do what Marek describes in
the quoted text below, depends on your use case, in my opinion.
Is it just for convenience and reduced confusion that you want to prevent showing the
username and password form to the users and show them instead only buttons for the
available brokered login methods? If so, then a theme change would probably be fine.
Would it be a violation of your security policy if a hacker used Fiddler or somesuch
to tweak what the browser sends in order to log in anyway with a username and password,
even though you didn't include that form on your login Freemarker page? Then
you'll probably want to change the flow itself as Marek suggests, to block that from
happening.
> If you need to just override themes, you may not need to override
> authentication flow. But if you need to override UsernamePassword
> Authenticator and change the implementation, so that it doesn't allow
> to login with username/password at all, then you will need to add this
> authenticator implementation into new browser authentication flow.
> Maybe instead of overriding UsernamePassword authenticator, it's
> easier to create new implementation of authenticator, which will just
> show the Freemarker form with links to brokers (No username/password).
> In that case you will also need to create new authentication flow and
> add that new authenticator implementation to it.
> Marek
Regards,
Peter
-----Original Message-----
From: lists [mailto:lists@merit.unu.edu]
Sent: Tuesday, June 26, 2018 3:49 AM
To: keycloak-user(a)lists.jboss.org
Cc: pkboucher801(a)gmail.com
Subject: Re: [keycloak-user] brokered-login only
Hi Peter,
On 25-6-2018 15:38, pkboucher801(a)gmail.com wrote:
> You will need auto-linking of IDP to internal account as well, so they
> won't be asked for their password in order to approve linking their
> Keycloak account to the IDP.
Regarding this auto-linking: I understand what you mean. Are you talking about this:
https://github.com/ohioit/keycloak-link-idp-with-user
Or is this functionality implemented in keycloak nowadays? (since the plugin above appears
to be unmaintained...)
MJ
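
An added sketch of the second option Marek describes (not code from this thread or from the Keycloak project): an authenticator that only shows a broker-links page and refuses any posted form, so the restriction is enforced in the flow rather than in the theme. The package, class name, template name and message key are hypothetical; it assumes the Keycloak server SPI on the classpath, an `AuthenticatorFactory` to register it, and a copy of the browser flow in which it replaces the username/password step.

```java
package example.brokeronly; // hypothetical package

// Keycloak 4.x-era imports; recent Keycloak releases use jakarta.ws.rs instead.
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class BrokerOnlyAuthenticator implements Authenticator {

    // Hypothetical theme template that renders only the links to the brokers.
    private static final String TEMPLATE = "broker-only-login.ftl";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // First visit: show the broker-only page as the challenge.
        context.challenge(context.form().createForm(TEMPLATE));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // A form POST reached this step even though the page has no form.
        // Nothing in the request is read or validated, so a hand-crafted
        // username/password submission cannot complete the login here.
        Response page = context.form()
                .setError("brokerLoginOnly") // hypothetical message key
                .createForm(TEMPLATE);
        context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, page);
    }

    @Override
    public boolean requiresUser() { return false; } // runs before any user is known

    @Override
    public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }

    @Override
    public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }

    @Override
    public void close() { }
}
```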