[keycloak-user] remove permission to a group of users (veto keycloak auth)

Bill Burke bburke at redhat.com
Tue Jan 3 12:20:15 EST 2017


You could do it in a servlet filter.


On 1/3/17 10:09 AM, David Delbecq wrote:
> Hello,
> I'm trying to find out the best way to migrate one of our current behaviours
> to a Keycloak-based installation.
>
> We currently have a many to one relationship between user account and
> companies. A company can have multiple users in the application. We need to
> be able to disable a complete company on one application. What is the best
> approach to doing this?
>
> I tried (and failed) to create an additional required login module in
> WildFly and have this return false on login() if the company has not been
> enabled in the application. It seems that when you come with a bearer token,
> you don't go into login modules (neither mine nor the Keycloak one); you
> are just immediately recognized by the subsystem, which then bypasses the JAAS
> login modules of Keycloak.
>
> I can't just disable the users, as they still need to be able to log in on
> our other applications.
>
> I was thinking of using Groups in Keycloak, one for each
> company&application combo, and adding / removing an automatic required role to
> block access to disabled companies. But it means double maintenance
> between Keycloak and our internal database to maintain the list of
> companies.
>
> Is there some way to tap into the WildFly Keycloak subsystem to veto valid
> authentications?
>
> thank you.
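
One way to write the servlet filter suggested in the reply above, as an added example that is not part of the original thread or Keycloak's own code. It assumes the access token carries a custom `company` claim (hypothetical, e.g. added by a protocol mapper) and uses a `disabledCompanies` filter init parameter as a stand-in for the application's own database lookup.

```java
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakSecurityContext;

/** Map this filter to the protected URL patterns of the one application only. */
public class CompanyVetoFilter implements Filter {
    // Assumption: custom claim name; not a standard Keycloak claim.
    static final String COMPANY_CLAIM = "company";

    // Stand-in for the internal company table mentioned in the question.
    private final Set<String> disabledCompanies = ConcurrentHashMap.newKeySet();

    @Override
    public void init(FilterConfig cfg) {
        String list = cfg.getInitParameter("disabledCompanies"); // e.g. "acme,globex"
        if (list != null) {
            for (String c : list.split(",")) {
                if (!c.trim().isEmpty()) disabledCompanies.add(c.trim());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // The adapter has already validated the session or bearer token by the
        // time filters run, and exposes the result as a request attribute.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        Object company = (ctx == null || ctx.getToken() == null)
                ? null : ctx.getToken().getOtherClaims().get(COMPANY_CLAIM);
        // Fail closed: no context, no claim, or a disabled company means 403.
        if (!(company instanceof String) || isDisabled((String) company)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Company access disabled");
            return;
        }
        chain.doFilter(req, res);
    }

    /** Replace with a query against the application's own company records. */
    boolean isDisabled(String company) { return disabledCompanies.contains(company); }

    @Override public void destroy() { }
}
```

Because the check lives in this application's filter chain, the same user and token remain valid for the other applications.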


