[keycloak-user] Password less keycloak with OIDC Federation

Łukasz Dywicki luke at code-house.org
Fri Feb 8 05:59:11 EST 2019


I went through the code, found a "RealmBean.isPassword" method and after
a few moments of sniffing managed to find a solution. It is necessary to
disable the username password form in the browser flow.
By disabling the username password form and having the Identity Provider
Redirector in place pinned to my favorite service I get an automatic
redirect to the external IdP. What is interesting - leaving the IdP
redirector unconfigured caused troubles.

The second part of the process is still relevant and a big mystery - how to
avoid creation of an account in keycloak and how to make

Best regards,
--

On 08.02.2019 01:38, luke at code-house.org wrote:
> Hi all, I've been going through a new Keycloak use case and ran into a
> situation where I am not certain which SPI or API to use. First of
> all, I would like users to not have any passwords and not see
> Keycloak most of the time. I already confirmed that such a state can
> be achieved with extra parameters for authorisation and identity
> brokering links, which is great.
> The second part of the scenario goes as follows:
> 1. I have an external IdP which I trust entirely, let's say google.
> 2. I don't want to store user accounts - google does it well.
> 3. Keycloak is a token mapper with the possibility to store extra attributes.
> 4. Any personal information should be pseudo-anonymised (GDPR).
> 5. It would be great if I could log in the user automatically with the
> provider token sent to my service.
> I went over the developer docs and the administration ones too. There is a
> paragraph about user federation and storage and a few sentences about
> importing users. Based on these I can not really determine which
> one I should follow. I do not want to import users as there might
> be quite a lot of them. Copying the entire profile information will
> occupy a lot of space and require syncing, which I do not really
> want to do.
> Assuming that I will manage to get user federation (with no import)
> based on social broker login, will it be an abuse of keycloak's
> abilities? Will keycloak behave properly if I mock it in such
> a way that when the identity broker asks about a federated account
> it will always get a copy of its own data back? I found some points
> to use a custom Authenticator, however I am not sure if it's gonna
> fly as I haven't found any confirmation that such a way will actually
> work.
> Kind regards, Łukasz — Code-House http://code-house.org
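As an added example, not part of this thread and not Keycloak's own code, the browser-flow change described in the reply above (Username Password Form disabled, Identity Provider Redirector kept enabled and pinned to one provider) expressed against the Keycloak admin REST API. The realm name, the flow alias `browser`, the provider alias `google`, the server base URL and the admin bearer token are placeholders; `SAMPLE_BROWSER_FLOW` is constructed to resemble the JSON that `GET /admin/realms/{realm}/authentication/flows/{alias}/executions` returns for the stock browser flow.

```python
"""Plan and apply the passwordless browser-flow change via the Keycloak
admin REST API.  Added example; identifiers below that are not in the
thread (realm, URL, token, sample execution ids) are placeholders."""
import json
import urllib.request

# Keycloak provider ids of the two executions the thread talks about.
USERNAME_PASSWORD_FORM = "auth-username-password-form"
IDP_REDIRECTOR = "identity-provider-redirector"


def plan_passwordless_updates(executions, default_provider):
    """Return (execution_updates, redirector_config) for a browser flow.

    - the Username Password Form execution is set to DISABLED, so no local
      password can be entered on this flow at all;
    - the Identity Provider Redirector is re-enabled if someone disabled it
      and, when it has no config yet, pinned to default_provider, which is
      what makes Keycloak skip its own login page and bounce to the IdP.
    Nothing is sent anywhere; the caller decides whether to apply the plan.
    """
    updates, redirector_config, seen_redirector = [], None, False
    for ex in executions:
        provider = ex.get("providerId")
        if provider == USERNAME_PASSWORD_FORM and ex.get("requirement") != "DISABLED":
            updates.append({"id": ex["id"], "requirement": "DISABLED"})
        elif provider == IDP_REDIRECTOR:
            seen_redirector = True
            if ex.get("requirement") == "DISABLED":
                updates.append({"id": ex["id"], "requirement": "ALTERNATIVE"})
            # The reply reports that an unconfigured redirector caused trouble,
            # so a config is planned whenever none is attached yet.
            if not ex.get("authenticationConfig"):
                redirector_config = {
                    "execution_id": ex["id"],
                    "body": {
                        "alias": f"redirect-to-{default_provider}",
                        "config": {"defaultProvider": default_provider},
                    },
                }
    if not seen_redirector:
        raise ValueError("flow has no identity-provider-redirector execution")
    return updates, redirector_config


def apply_plan(base_url, realm, flow_alias, token, updates, redirector_config):
    """Send a plan to a live server (not exercised offline).

    PUT  .../flows/{alias}/executions  updates one execution's requirement;
    POST .../executions/{id}/config    attaches an authenticator config.
    """
    api = f"{base_url}/admin/realms/{realm}/authentication"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}

    def send(method, url, body):
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            return resp.status

    for body in updates:
        send("PUT", f"{api}/flows/{flow_alias}/executions", body)
    if redirector_config is not None:
        send("POST", f"{api}/executions/{redirector_config['execution_id']}/config",
             redirector_config["body"])


# Constructed sample: shape of the stock browser flow, ids shortened.
SAMPLE_BROWSER_FLOW = [
    {"id": "e1", "providerId": "auth-cookie", "requirement": "ALTERNATIVE", "level": 0},
    {"id": "e2", "providerId": "auth-spnego", "requirement": "DISABLED", "level": 0},
    {"id": "e3", "providerId": IDP_REDIRECTOR, "requirement": "ALTERNATIVE",
     "level": 0, "configurable": True},
    {"id": "e4", "displayName": "forms", "authenticationFlow": True,
     "requirement": "ALTERNATIVE", "level": 0},
    {"id": "e5", "providerId": USERNAME_PASSWORD_FORM, "requirement": "REQUIRED", "level": 1},
    {"id": "e6", "providerId": "auth-otp-form", "requirement": "OPTIONAL", "level": 1},
]

if __name__ == "__main__":
    updates, cfg = plan_passwordless_updates(SAMPLE_BROWSER_FLOW, "google")
    print(json.dumps({"updates": updates, "redirector_config": cfg}, indent=2))
    # Placeholder values; uncomment against a test realm only:
    # apply_plan("https://keycloak.example/auth", "myrealm", "browser",
    #            "<admin-token>", updates, cfg)
```

Run the plan against a copy of the built-in browser flow that is then bound as the realm's browser flow, and never in the master realm: DISABLED on the password form removes every password login on that flow, including any break-glass admin of the realm. The plan leaves the "first broker login" flow untouched, which is where the local-account creation asked about in the second part of the message happens, so that question is not answered by this change.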
