4:09 p.m.
Hello,
I'm trying to find out the best way to migrate one of our current behaviour
to a keycloak based installation.
We currently have a many to one relationship between user account and
companies. A company can have multiple users in the application. We need to
be able to disable a complete company on one application. What is the best
approach to doing this?
I tried (and failed) to create an additional required login module in
wildfly and have this return false on login() if company has not been
enabled in application. It seems that when you come with a bearer token,
you don't go into login modules (neither mine nor the keycloak one), you
are just immediately recognized by subsystem which then bypass the jaas
login modules of keycloak.
I can't just disable the users, as they still need to be able to log in on
our other applications.
I was thinking into using Groups in keycloak, one for each
company&application combo and add / remove an automatic required role to
block access to disabled companies. But it means a double maintenance
between keycloak and our internal database to maintain the list of
companies.
Is there someway to tap in the the wildfly keycloak subsystem to veto valid
authentications?
thank you.
--
<http://www.trimble.com/>
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 <+32%2016%20391%20121> Direct
david.delbecq(a)trimbletl.com
<http://www.trimbletl.com/>
6:20 p.m.
You could do it in a servlet filter.
On 1/3/17 10:09 AM, David Delbecq wrote:
Hello,
I'm trying to find out the best way to migrate one of our current behaviour
to a keycloak based installation.
We currently have a many to one relationship between user account and
companies. A company can have multiple users in the application. We need to
be able to disable a complete company on one application. What is the best
approach to doing this?
I tried (and failed) to create an additional required login module in
wildfly and have this return false on login() if company has not been
enabled in application. It seems that when you come with a bearer token,
you don't go into login modules (neither mine nor the keycloak one), you
are just immediately recognized by subsystem which then bypass the jaas
login modules of keycloak.
I can't just disable the users, as they still need to be able to log in on
our other applications.
I was thinking into using Groups in keycloak, one for each
company&application combo and add / remove an automatic required role to
block access to disabled companies. But it means a double maintenance
between keycloak and our internal database to maintain the list of
companies.
Is there someway to tap in the the wildfly keycloak subsystem to veto valid
authentications?
thank you.
1:06 p.m.
Indeed that what I finally did. Simple solutions sometimes slip my mind.
Was looking for too complex :)
On Tue, Jan 3, 2017 at 6:24 PM Bill Burke <bburke(a)redhat.com> wrote:
You could do it in a servlet filter.
On 1/3/17 10:09 AM, David Delbecq wrote:
> Hello,
> I'm trying to find out the best way to migrate one of our current
behaviour
> to a keycloak based installation.
>
> We currently have a many to one relationship between user account and
> companies. A company can have multiple users in the application. We need
to
> be able to disable a complete company on one application. What is the
best
> approach to doing this?
>
> I tried (and failed) to create an additional required login module in
> wildfly and have this return false on login() if company has not been
> enabled in application. It seems that when you come with a bearer token,
> you don't go into login modules (neither mine nor the keycloak one), you
> are just immediately recognized by subsystem which then bypass the jaas
> login modules of keycloak.
>
> I can't just disable the users, as they still need to be able to log in
on
> our other applications.
>
> I was thinking into using Groups in keycloak, one for each
> company&application combo and add / remove an automatic required role to
> block access to disabled companies. But it means a double maintenance
> between keycloak and our internal database to maintain the list of
> companies.
>
> Is there someway to tap in the the wildfly keycloak subsystem to veto
valid
> authentications?
>
> thank you.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
<http://www.trimble.com/>
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 <+32%2016%20391%20121> Direct
david.delbecq(a)trimbletl.com
<http://www.trimbletl.com/>
2656
days inactive
2663
days old
2 comments
2 participants
participants (2)
-
Bill Burke -
David Delbecq