[keycloak-dev] Authentication SPI - Pinning the IDP

luke at code-house.org luke at code-house.org
Thu Feb 7 19:27:02 EST 2019


I came across the same issue; have you found any solution?

Best regards,
Łukasz

> On 9 Nov 2018, at 11:11, gambol <gambol99 at gmail.com> wrote:
> 
> Hiya
> 
> Hopefully someone knows a way around this ..
> 
> We have a requirement to pin a Keycloak client to a specific group of login
> options i.e. they can only login via a social provider and not a local
> username/password, BUT we also wish to allow certain users the ability to
> override the behavior. I mocked up an authenticator which used the
> IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME, checked it against a
> configurable list for the authenticator and also looked for a user override
> attribute. Now on first login that works fine, but as the access token
> comes up for refresh the IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME is
> not retained (I guess because it's now an SSO session refresh and not a
> login) and so the authenticator throws the error message.
> 
> Is it possible to hook into login only? .. Anyone think of another way
> around it? :-) .. I tried using SetClientNotes / SetAuthNote to retain the
> logged in provider, but that doesn't appear to work either.
> 
> Disclaimer: I know the official stance would be the IDP provides
> authentication only with authorization handled by the application end, but
> in many cases third party applications can't support this .. so was hoping
> we could control it at source.
> 
> Rohith