[keycloak-user] How do I get external IDP attributes in custom JS auth flow during broker first login? (I bet Dmitry knows :)

Geoffrey Cleaves geoff at opticks.io
Fri Dec 14 05:49:09 EST 2018 

Thanks Dmitry, I never in a 1000 years would have figured this out.

My goal with all of this is to only allow a user to log in with Google (or
other provider) if there is already an account created with the same email
address. My code below works, but instead of returning an entire custom
page on failure, it would be nice to use the existing template with simply
a different text. I hate to abuse of your free time, but if you have any
tips for that I would be most appreciative.

AuthenticationFlowError =
Java.type("org.keycloak.authentication.AuthenticationFlowError");

// take a look at org.keycloak.broker.provider.BrokeredIdentityContext to
figure out what else you can obtain from that object.

SerializedBrokeredIdentityContext =
Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
AbstractIdpAuthenticator =
Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
Response = Java.type("javax.ws.rs.core.Response");
MediaType = Java.type("javax.ws.rs.core.MediaType");
response = Response.status(401).entity("<h1>You must have an existing
account to log in.</h1>").type(MediaType.TEXT_HTML_TYPE).build();
users = session.users().getUsers(realm, false);

function authenticate(context) {
    var serializedCtx =
SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession,
AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
    var biCtx = serializedCtx.deserialize(session, authenticationSession);
    var idpUsername = biCtx.username;
    LOG.info("username = " + idpUsername);
    LOG.info("alias = " + biCtx.idpConfig.alias);

    for(var u in users) {
        //LOG.info("u = " + users[u].getEmail());
        if(idpUsername===users[u].getEmail()) {
            context.success();
            return;
        }
    }

    context.failure(AuthenticationFlowError.USER_DISABLED, response);
    return;
}


On Fri, 14 Dec 2018 at 01:34, Dmitry Telegin <dt at acutus.pro> wrote:

> Hello Geoffrey,
>
> I was right about to click Send when I finally noticed that statement in
> parentheses :-D you were 100% right, what else can I say :)
>
> Here we go, try this snippet:
>
> SerializedBrokeredIdentityContext =
> Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
> AbstractIdpAuthenticator =
> Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
>
> function authenticate(context) {
>
>     var serializedCtx =
> SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession,
> AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
>
>     var biCtx = serializedCtx.deserialize(session, authenticationSession);
>
>     LOG.info(biCtx.username);
>     LOG.info(biCtx.idpConfig.alias);
>
>     context.success();
>
> }
>
> Also take a look at org.keycloak.broker.provider.BrokeredIdentityContext
> to figure out what else you can obtain from that object.
>
> Good luck :)
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2018-12-13 at 14:31 +0100, Geoffrey Cleaves wrote:
> > Hello. I have a simple JS execution which denies access as the first step
> > of the first broker login flow. I would like to access some of the
> > attributes that Keycloak writes out to the log when executing this flow
> > (see below)
> >
> > What objects or variables must my JS execution load in order to get the
> > identity_provider_identity attribute listed below?
> >
> > 20:29:56,588 WARN  [org.keycloak.events] (default task-527)
> > type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=re, clientId=tblic,
> > userId=null, ipAddress=90., error=user_not_found,
> identity_provider=google,
> > auth_method=openid-connect, redirect_uri=
> http://localhost:8222?clientid=tic,
> > identity_provider_identity=user at gmail.com, code_id=b07317fdb
> >
> > Thanks in advance!
> >
> > Geoff
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>


-- 

Regards,
Geoffrey Cleaves

More information about the keycloak-user mailing list