[keycloak-dev] Authentication SPI - Pinning the IDP

Alexis Almeida alexis.almeida at gmail.com
Sat Feb 9 19:15:56 EST 2019

> We have a requirement to pin a
> keycloak client to a specific group of
> login options i.e. they can only login via
> a social provider and not a local
> username/password, BUT we also
> wish to allow certain users the ability
> to override the behavior.


Hi Rohith,

I think you could solve this problem putting an alternative authenticator
provider between the "Identity Provider Redirector" and the "User and
password form" authenticator in browser flow.

In your provider you can implement all of the rules to check if you must or
not accept login with local user/password.

If the user bypass social login you can catch it in your provider and force
a fail If itsn't allowed.

I've done something like that using a provider that only requires OTP in
some applications.



More information about the keycloak-dev mailing list