How to intercept login to keycloak via IDP?


Maxim Kopeyka

Mar 8, 2021, 1:15:06 PM3/8/21
to Keycloak Dev
Hi all,

I would like to remove an existing user from the Keycloak DB in case he logs in via IDP. I created an authenticator and it works fine in case of “first broker login”, but it doesn’t trigger in case it’s not the first broker login. I tried to add it to the browser flow but it doesn’t help.
The main idea is to create a new user every time in case a user with the same username already exists.

Alvaro Arenas

Mar 10, 2021, 1:51:26 AM3/10/21
to Keycloak Dev
Hi,

I am not an expert, but one way you can achieve this is by creating a custom mapper which you add to your IDP.
The mapper has a method called preprocessFederatedIdentity() where you have access to the IDP id (or email):

preprocessFederatedIdentity()
* Called to determine what keycloak username and email to use to process the login request from the external IDP.
* It's called before "FirstBrokerLogin" flow, so can be used to map attributes to BrokeredIdentityContext (
* BrokeredIdentityContext.setUserAttribute ),
* which will be available on "Review Profile" page and in authenticators during FirstBrokerLogin flow

You can use that to find your user and delete it. For that there is a method on the KeycloakSession object: session.users().removeUser().

I am curious what is the use case to delete the user every time it will log in. It is quite counterintuitive.

I hope it helps,

Alvaro
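As an added illustration of the mapper approach described in this reply (this is example code, not part of the original thread and not Keycloak's own), the class below extends Keycloak's AbstractIdentityProviderMapper and overrides preprocessFederatedIdentity(). It assumes the Keycloak SPI as it stood around version 12 (KeycloakSession, UserProvider.getUserByFederatedIdentity(realm, link), UserProvider.removeUser(realm, user)); the package name and PROVIDER_ID are hypothetical. Rather than matching on username, it looks up the user through the federated-identity link (IdP alias plus external subject id), so that an account at the external IdP can only ever remove the local user it is actually linked to, never an unrelated local user that merely shares the same username.

```java
package com.example.keycloak.mapper; // hypothetical package, not Keycloak's

import java.util.Collections;
import java.util.List;

import org.jboss.logging.Logger;
import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityProviderMapper;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Removes the local user linked to this identity provider before every
 * brokered login, so the login is handled as a first broker login and a
 * fresh user is imported. Example code; assumes the Keycloak 12-era SPI.
 */
public class RecreateUserOnLoginMapper extends AbstractIdentityProviderMapper {

    // Hypothetical provider id; this is what the admin console lists the mapper under.
    public static final String PROVIDER_ID = "recreate-user-on-login-mapper";

    private static final Logger LOG = Logger.getLogger(RecreateUserOnLoginMapper.class);

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String[] getCompatibleProviders() {
        // Works with any IdP type (OIDC, SAML, social).
        return new String[] { IdentityProviderMapper.ANY_PROVIDER };
    }

    @Override
    public String getDisplayCategory() {
        return "User Lifecycle";
    }

    @Override
    public String getDisplayType() {
        return "Recreate User On Login";
    }

    @Override
    public String getHelpText() {
        return "Removes the local user linked to this IdP before each login so the account is re-imported.";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return Collections.emptyList();
    }

    @Override
    public void preprocessFederatedIdentity(KeycloakSession session, RealmModel realm,
                                            IdentityProviderMapperModel mapperModel,
                                            BrokeredIdentityContext context) {
        // Resolve the user via the federated link (IdP alias + external subject id).
        // Matching on username alone would let an external account delete an
        // unrelated local user that happens to have the same username.
        FederatedIdentityModel link = new FederatedIdentityModel(
                context.getIdpConfig().getAlias(), context.getId(), context.getUsername());
        UserModel existing = session.users().getUserByFederatedIdentity(realm, link);
        if (existing == null) {
            return; // genuine first broker login: nothing to remove
        }

        // Leave an audit trail: this deletion is irreversible and cascades to the
        // user's role mappings, consents, credentials, sessions and the IdP link.
        LOG.infof("Removing user %s (id=%s) linked to IdP %s before re-import",
                existing.getUsername(), existing.getId(), link.getIdentityProvider());
        session.users().removeUser(realm, existing);
    }
}
```

To load it, package the class in a JAR with a `META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper` file naming the class, deploy it, and add the mapper to the identity provider in the admin console. Because the removal happens before the "First Broker Login" flow, every login then goes through that flow (including "Review Profile" if enabled), which is exactly the point; be aware that anything attached to the old user, such as consents or client role mappings, is gone with it.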

Maxim Kopeyka

Mar 11, 2021, 9:32:21 AM3/11/21
to Keycloak Dev
Thanks a lot, it works in this way :)

Ronaldo Hideki Yamada

Mar 11, 2021, 2:12:21 PM3/11/21
to Keycloak Dev
Hi,

Put your developed authenticator in the post login flow.

Create a flow, register it on the IDP, then KC will call it.

Maxim Kopeyka

Mar 11, 2021, 5:27:21 PM3/11/21
to Keycloak Dev
I tried this solution, but Keycloak throws an error because authenticator implementations must assume that the user is already set in the ClientSession, as the identity provider has already set it, so deleting this user causes an exception.