[keycloak-user] brokered-login only

pkboucher801 at gmail.com pkboucher801 at gmail.com
Wed Jun 27 14:07:45 EDT 2018


Hi MJ,

Note that I'm not affiliated with https://github.com/ohioit/keycloak-link-idp-with-user. You could use it, but you would have to make some tweaks to get it to work with the newer Keycloak.

Note also that I'm not affiliated with Keycloak, either, but the question of whether to just tweak the theme to remove the username and password, or do what Marek describes in the quoted text below, depends on your use case, in my opinion.  

Is it just for convenience and reduced confusion that you want to prevent showing the username and password form to the users and show them instead only buttons for the available brokered login methods?  If so, then a theme change would probably be fine.

Would it be a violation of your security policy if a hacker used Fiddler or some such to tweak what the browser sends in order to log in anyway with a username and password, even though you didn't include that form on your login Freemarker page? Then you'll probably want to change the flow itself as Marek suggests, to block that from happening.

> If you need to just override themes, you may not need to override 
> authentication flow. But if you need to override UsernamePassword 
> Authenticator and change the implementation, so that it doesn't allow 
> to login with username/password at all, then you will need to add this 
> authenticator implementation into new browser authentication flow. 
> Maybe instead of overriding UsernamePassword authenticator, it's 
> easier to create new implementation of authenticator, which will just 
> show the Freemarker form with links to brokers (No username/password). 
> In that case you will also need to create new authentication flow and 
> add that new authenticator implementation to it.
> 
> Marek

Regards,
Peter
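A sketch of the authenticator Marek describes in the quoted text, added here as an example and not code from this thread or from the Keycloak project. It assumes a hypothetical package name, provider id and theme template name; the Keycloak SPI types it implements (Authenticator, AuthenticatorFactory, AuthenticationFlowContext) are the real ones. The point it illustrates is Peter's Fiddler case: once this execution replaces "Username Password Form" in the browser flow, a hand-crafted POST carrying username and password fields reaches an `action()` that rejects it outright, because no authenticator in the flow validates passwords any more.

```java
package example.keycloak;  // hypothetical package name (assumption)

import java.util.Collections;
import java.util.List;

import javax.ws.rs.core.Response;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Drop-in for "Username Password Form" in a copied browser flow.
 * It renders a page listing only the realm's identity providers and
 * fails every POST, so there is nothing left in the flow that would
 * ever check a username/password pair, whatever the browser (or Fiddler) sends.
 */
class BrokerOnlyAuthenticator implements Authenticator {

    // Theme template (assumption: you write it yourself). It should loop over
    // ${social.providers} and render one link per identity provider, and no inputs.
    static final String TEMPLATE = "login-broker-only.ftl";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Show the broker-only page and wait; the links go to the broker endpoints,
        // not back to this execution.
        Response page = context.form().createForm(TEMPLATE);
        context.challenge(page);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // The page has no form fields, so any POST arriving here is an attempt to
        // log in around the UI. Fail the flow without looking at the body at all.
        context.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
    }

    @Override
    public boolean requiresUser() {
        return false;  // runs before any user is identified
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
    }

    @Override
    public void close() {
    }
}

public class BrokerOnlyAuthenticatorFactory implements AuthenticatorFactory {

    public static final String PROVIDER_ID = "broker-only-form";  // hypothetical id (assumption)

    private static final BrokerOnlyAuthenticator SINGLETON = new BrokerOnlyAuthenticator();

    // REQUIRED or DISABLED only: there is no sensible "alternative" to a page that
    // refuses credentials, and leaving it optional would re-open the bypass.
    private static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
        AuthenticationExecutionModel.Requirement.REQUIRED,
        AuthenticationExecutionModel.Requirement.DISABLED
    };

    @Override public String getId() { return PROVIDER_ID; }
    @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
    @Override public String getDisplayType() { return "Broker-only Login Form"; }
    @Override public String getReferenceCategory() { return null; }
    @Override public boolean isConfigurable() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() { return REQUIREMENT_CHOICES; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() { return "Shows identity provider links only; username/password is never accepted."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

To wire it in: register the factory's class name in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` inside the provider jar, copy the built-in Browser flow in the admin console, remove (or set to DISABLED) the "Username Password Form" execution, add this authenticator as REQUIRED in its place, and bind the copy as the realm's browser flow under Bindings. The "Identity Provider Redirector" execution can stay so that a `kc_idp_hint` still short-circuits straight to a broker. Check the result the way Peter describes: replay a login POST with `username` and `password` fields against the new flow and confirm it ends in an error page rather than a session.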

-----Original Message-----
From: lists [mailto:lists at merit.unu.edu] 
Sent: Tuesday, June 26, 2018 3:49 AM
To: keycloak-user at lists.jboss.org
Cc: pkboucher801 at gmail.com
Subject: Re: [keycloak-user] brokered-login only

Hi Peter,

On 25-6-2018 15:38, pkboucher801 at gmail.com wrote:
> You will need auto-linking of IDP to internal account as well, so they 
> won't be asked for their password in order to approve linking their 
> Keycloak account to the IDP.

Regarding this auto-linking: I understand what you mean. Are you talking about this:

https://github.com/ohioit/keycloak-link-idp-with-user

Or is this functionality implemented in keycloak nowadays? (since the plugin above appears to be unmaintained...)

MJ
