Indeed, that's what I finally did. Simple solutions sometimes slip my mind.
I was looking for something too complex :)
On Tue, Jan 3, 2017 at 6:24 PM Bill Burke <bburke(a)redhat.com> wrote:

> You could do it in a servlet filter.
>
> On 1/3/17 10:09 AM, David Delbecq wrote:
> > Hello,
> > I'm trying to find out the best way to migrate one of our current
> > behaviours to a Keycloak-based installation.
> >
> > We currently have a many-to-one relationship between user accounts and
> > companies. A company can have multiple users in the application. We need
> > to be able to disable a complete company on one application. What is the
> > best approach to doing this?
> >
> > I tried (and failed) to create an additional required login module in
> > WildFly and have this return false on login() if the company has not been
> > enabled in the application. It seems that when you come with a bearer
> > token, you don't go into login modules (neither mine nor the Keycloak
> > one), you are just immediately recognized by the subsystem, which then
> > bypasses the JAAS login modules of Keycloak.
> >
> > I can't just disable the users, as they still need to be able to log in
> > on our other applications.
> >
> > I was thinking of using Groups in Keycloak, one for each
> > company & application combo, and add / remove an automatic required role
> > to block access to disabled companies. But it means a double maintenance
> > between Keycloak and our internal database to maintain the list of
> > companies.
> >
> > Is there some way to tap into the WildFly Keycloak subsystem to veto
> > valid authentications?
> >
> > Thank you.
--
David Delbecq
Software engineer, Transport & Logistics
Geldenaaksebaan 329, 1st floor | 3001 Leuven
+32 16 391 121 Direct
david.delbecq(a)trimbletl.com
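
The servlet-filter approach suggested in this thread, as an added example that is not code from either poster or from the Keycloak project. It assumes a protocol mapper places the user's company in a hypothetical `company_id` token claim and that the filter is mapped only to protected URLs; `CompanyEnabledFilter` and `isCompanyDisabled` are hypothetical names, and an in-memory set stands in for the application's own company table.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

/** Runs after the Keycloak adapter has validated the bearer token; vetoes disabled companies. */
public class CompanyEnabledFilter implements Filter {
    // Assumption: a Keycloak protocol mapper adds this claim to the access token.
    static final String COMPANY_CLAIM = "company_id";
    // Constructed stand-in for the application's own company table.
    private final Set<String> disabledCompanies = ConcurrentHashMap.newKeySet();

    @Override
    public void init(FilterConfig config) {
        disabledCompanies.add("company-42"); // constructed sample value
    }

    // Hypothetical helper; a real application would query its own database here.
    boolean isCompanyDisabled(String companyId) {
        return disabledCompanies.contains(companyId);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        // The adapter exposes the validated token under this request attribute.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                req.getAttribute(KeycloakSecurityContext.class.getName());
        AccessToken token = (ctx == null) ? null : ctx.getToken();
        Object company = (token == null) ? null : token.getOtherClaims().get(COMPANY_CLAIM);

        // Fail closed: no token or no company claim on a protected URL means no access.
        if (!(company instanceof String) || isCompanyDisabled((String) company)) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "Company not enabled for this application");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the decision is made per application from the application's own data, the accounts stay enabled in Keycloak for the other applications and no company list has to be mirrored into Keycloak groups.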