[keycloak-user] manipulate IdP attributes in authentication script

Geoffrey Cleaves geoff at opticks.io
Fri Dec 14 05:53:29 EST 2018


Cris, it's probably too late for you, but Dmitry Telegin has answered our
burning question. See code below for tips:

// Script authenticator intended for the "first broker login" flow. Keycloak
// binds `session`, `realm`, `authenticationSession`, `user`, `httpRequest`
// and `LOG` into the script scope before evaluating it.
AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

// take a look at org.keycloak.broker.provider.BrokeredIdentityContext to
// figure out what else you can obtain from that object.
SerializedBrokeredIdentityContext = Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
Response = Java.type("javax.ws.rs.core.Response");
MediaType = Java.type("javax.ws.rs.core.MediaType");

// Response returned to the browser when the brokered identity matches no
// existing account.
response = Response.status(401)
    .entity("<h1>You must have an existing account to log in.</h1>")
    .type(MediaType.TEXT_HTML_TYPE)
    .build();

// All users of the realm, service accounts excluded. This list is built each
// time the script is evaluated, so on a large realm a direct lookup such as
// session.users().getUserByEmail(idpUsername, realm) inside authenticate()
// is the cheaper option.
users = session.users().getUsers(realm, false);

function authenticate(context) {
    // The IdP callback stores the brokered identity as a note on the auth
    // session; read it back and deserialize it to get what the IdP sent.
    var serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(
        authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
    var biCtx = serializedCtx.deserialize(session, authenticationSession);
    var idpUsername = biCtx.username;
    LOG.info("username = " + idpUsername);
    LOG.info("alias = " + biCtx.idpConfig.alias);

    // Succeed only when the username asserted by the IdP equals the e-mail of
    // an existing user. Users with no e-mail return null from getEmail() and
    // therefore never match. `users` is a java.util.List, hence size()/get().
    for (var i = 0; i < users.size(); i++) {
        var email = users.get(i).getEmail();
        if (email !== null && idpUsername === email) {
            context.success();
            return;
        }
    }

    // No match: fail the flow and show the custom response instead of the
    // default error page.
    context.failure(AuthenticationFlowError.USER_DISABLED, response);
}


On Fri, 14 Dec 2018 at 08:41, Cristóvão Cordeiro <
cristovao.cordeiro at sixsq.com> wrote:

> Hi, no sorry.
>
> Best regards,
>
> *Cristóvão Cordeiro*
>
>
> On Thu, 13 Dec 2018 at 17:59, Geoffrey Cleaves <geoff at opticks.io> wrote:
>
>> Hi Cristovao, did you ever figure this out?
>>
>> ----
>> > Hi,
>>
>> I'd like to know if it is possible to add a Script execution to "first
>> broker login" and somehow manipulate (set/see/etc...) the user's IdP
>> information?
>>
>> I'm asking this because my Identity Provider is a federation (like eduGAIN),
>> and I am having issues when users use the same credentials in 2 different
>> IdPs... in Keycloak all attributes will be the same except the
>> identity_provider_id, which will cause a conflict (violates unique_id
>> constraint) with the already existing user account in Keycloak, which
>> already has a link to that Keycloak IdP (which in practice is a federation).
>>
>> Best regards,
>> Cris
>>
>>
>>

-- 

Regards,
Geoffrey Cleaves
