Etienne DELUCE

Reputation: 23

Keycloak authentication flow - script after Identity Provider Redirector

For my project, I have users present in my Keycloak with their Identity Provider Link User ID properly set. Some of these users have no role set for my project's client. These users are logged in (because they have a valid Google Account) to my application, and then the application has to manage the fact that they should not access the app (because they have no role). What I would like is to tell Keycloak not to redirect to my app if a user has no role. I have already done this for the Username Password Form (using a script, see the script code below), but I can't succeed in doing this with the Identity Provider Redirector: the script after it seems not to be executed (the redirection seems to happen in the Identity Provider Redirector).

Thanks in advance for any help,

Edit: the script that works for the Username Password Form:

/*
 * Template for JavaScript based authenticators.
 * See org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticatorFactory
 */

// import enum for error lookup
AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
UserCredentialModel = Java.type("org.keycloak.models.UserCredentialModel");
Errors = Java.type("org.keycloak.events.Errors");
OAuth2ErrorRepresentation = Java.type("org.keycloak.representations.idm.OAuth2ErrorRepresentation");
MediaType = Java.type("javax.ws.rs.core.MediaType");
Response = Java.type("javax.ws.rs.core.Response");

FormMessage = Java.type('org.keycloak.models.utils.FormMessage');
/**
 * An example authenticate function.
 *
 * The following variables are available for convenience:
 * user - current user {@see org.keycloak.models.UserModel}
 * realm - current realm {@see org.keycloak.models.RealmModel}
 * session - current KeycloakSession {@see org.keycloak.models.KeycloakSession}
 * httpRequest - current HttpRequest {@see org.jboss.resteasy.spi.HttpRequest}
 * script - current script {@see org.keycloak.models.ScriptModel}
 * authenticationSession - current authentication session {@see org.keycloak.sessions.AuthenticationSessionModel}
 * LOG - current logger {@see org.jboss.logging.Logger}
 *
 * One can extract the current HTTP request headers via:
 * httpRequest.getHttpHeaders().getHeaderString("Forwarded")
 *
 * @param context {@see org.keycloak.authentication.AuthenticationFlowContext}
 */
function authenticate(context) {

    var username = user ? user.username : "anonymous";
    LOG.info(script.name + " trace auth for: " + username + " " + session.getContext().getClient().getClientId());

    // No user has been identified at this point of the flow: fail instead of dereferencing null below.
    if (!user) {
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
    }

    var client = session.getContext().getClient();
    // Roles mapped directly on the user for this client (does not follow group membership).
    var rolesClient = user.getClientRoleMappings(client);

    if (rolesClient.isEmpty()) {
        context.forkWithErrorMessage(new FormMessage('label', 'Utilisateur non autorisé'));
        return;
    }
    context.success();
}

Upvotes: 2

Views: 5169

Answers (1)

hgranlund

Reputation: 426

I had this same problem on my project. I managed to solve it with a "Post Login Flow" on the identity provider.

The steps I had to do were:

  1. Create a new Flow with one execution script (here you can paste your script).
  2. Go to the identity provider. Under the field "Post Login Flow" select the flow from 1.

I hope this solves your problem as well.

Upvotes: 7
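A script for the flow created in step 1 of the answer, as an added example rather than the question's or the answer's own code. It assumes the same script bindings the question's script relies on (`LOG`, `script`) and a user already attached to the context by the Post Login Flow; `streamToArray` and `userHoldsAnyRole` are helper names chosen here. It differs from the question's script in using `UserModel.hasRole`, which also follows group membership and composite roles, where `getClientRoleMappings` only reports roles mapped directly to the user.

```javascript
// Added example for the Post Login Flow; not code from the question or the answer.
// Assumed: script bindings LOG and script, and Keycloak's UserModel.hasRole,
// ClientModel.getRolesStream and AuthenticationFlowContext.failure.

// Convert a Java Stream (under Nashorn) or a plain JS array into a JS array.
function streamToArray(rolesSource) {
    if (Array.isArray(rolesSource)) {
        return rolesSource;
    }
    var out = [];
    var it = rolesSource.iterator();
    while (it.hasNext()) {
        out.push(it.next());
    }
    return out;
}

// True when the user effectively holds at least one of the client's roles.
// hasRole() follows group membership and composite roles, unlike
// getClientRoleMappings(), which only lists roles mapped directly to the user.
function userHoldsAnyRole(user, clientRoles) {
    if (user === null || user === undefined) {
        return false;
    }
    for (var i = 0; i < clientRoles.length; i++) {
        if (user.hasRole(clientRoles[i])) {
            return true;
        }
    }
    return false;
}

function authenticate(context) {
    // Resolved here, not at top level, so the helpers above load outside Keycloak for tests.
    var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

    var currentUser = context.getUser();
    var client = context.getSession().getContext().getClient();
    var clientRoles = streamToArray(client.getRolesStream());

    if (!userHoldsAnyRole(currentUser, clientRoles)) {
        LOG.warn(script.name + ": no role on client " + client.getClientId()
            + " for user " + (currentUser ? currentUser.getUsername() : "anonymous"));
        // Stops the post-broker-login flow, so the user is never sent back to the application.
        context.failure(AuthenticationFlowError.INVALID_USER);
        return;
    }
    context.success();
}
```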
