[keycloak-dev] Proposal: Improvements to IdpUsernamePasswordForm

Dmitry Telegin demetrio at carretti.pro
Thu Mar 28 12:06:44 EDT 2019


Hi,

I'm currently working to implement the following requirements:
- users are managed externally via LDAP, self-registrations disabled;
- there is an external IdP;
- generally, there is no way to automatically match IdP identity with Keycloak's one, so IdP linking will always be performed by the user manually;
- in order to do that, the user should click the IdP icon in the login screen, authenticate with the IdP, get back to Keycloak and "claim" his/her Keycloak account by entering correct username and password.

Currently, the closest thing in Keycloak is o.k.authentication.authenticators.broker.IdpUsernamePasswordForm (aka "idp-username-password-form", aka "Username Password Form for identity provider reauthentication").
However, it 1) prefills the username field and makes it non-editable, 2) depends on the preceding IdpCreateUserIfUniqueAuthenticator execution to provide the existing user model (EXISTING_USER_INFO auth note).

My proposal is to improve IdpUsernamePasswordForm by allowing its execution even without the preceding IdpCreateUserIfUniqueAuthenticator. In the absence of EXISTING_USER_INFO, IdpUsernamePasswordForm should allow the user to manually enter a username.

Please let me know if you think it's worth having this in Keycloak.

Regards,
Dmitry
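A sketch of the proposed fallback as a custom authenticator, added here as an example and not code from the mail or from Keycloak: with EXISTING_USER_INFO present it keeps the current locked-username behaviour (and ignores any posted username, so the link cannot be steered to a different account), without it the user types the username of the account to claim, and the password check is the one inherited from UsernamePasswordForm. It assumes the early-2019 Keycloak Authenticator SPI (the class name is hypothetical, and signatures such as getUserById have changed in later releases); the AuthenticatorFactory needed to register it is omitted.

```java
import javax.ws.rs.core.MultivaluedHashMap;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.AuthenticationManager;

// Hypothetical authenticator (example, not Keycloak code) for the "claim my account" step.
public class ClaimAccountUsernamePasswordForm extends UsernamePasswordForm {
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Only meaningful inside a first-broker-login flow; refuse to run anywhere else.
        if (context.getAuthenticationSession().getAuthNote(AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE) == null) { context.failure(AuthenticationFlowError.INTERNAL_ERROR); return; }
        LoginFormsProvider form = context.form();
        UserModel existing = existingUser(context);
        if (existing != null) {
            MultivaluedMap<String, String> data = new MultivaluedHashMap<>();
            data.add(AuthenticationManager.FORM_USERNAME, existing.getUsername());
            form.setFormData(data).setAttribute(LoginFormsProvider.USERNAME_EDITABLE, false);
        }
        context.challenge(form.createLogin());
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
        if (formData.containsKey("cancel")) { context.cancelLogin(); return; }
        UserModel existing = existingUser(context);
        if (existing != null) {
            // Ignore whatever username was posted: the link must go to the detected account only.
            formData.putSingle(AuthenticationManager.FORM_USERNAME, existing.getUsername());
        }
        // Inherited check: looks the user up, verifies the password and sets context.getUser().
        if (!validateUserAndPassword(context, formData)) return;
        context.success(); // the broker service then links the IdP identity to context.getUser()
    }

    private UserModel existingUser(AuthenticationFlowContext context) {
        String note = context.getAuthenticationSession().getAuthNote(AbstractIdpAuthenticator.EXISTING_USER_INFO);
        if (note == null) return null;
        String id = ExistingUserInfo.deserialize(note).getExistingUserId();
        return context.getSession().users().getUserById(id, context.getRealm()); // 2019-era argument order
    }
}
```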


