Keycloak as an identity broker, using social identity providers

Polina Koornneef

Oct 9, 2022, 3:54:41 AM
to Keycloak User
Hello!

We have been using Keycloak as an identity broker and Bitbucket as a social identity provider. Everything was working perfectly until one day we realized that everyone can log in to the identity broker (Keycloak), not only people from the organization where the OAuth consumer is configured. That is a big security breach.

I started following the documentation for adding a custom JavaScript authenticator provider (https://www.keycloak.org/docs/latest/server_development/#_script_providers), but this doesn't work either, because the user is always null. I wanted to get the user's email and check the domain, but unfortunately I cannot do it.


    // Keycloak script authenticator. AuthenticationFlowError is the Java enum used to fail the flow.
    var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");

    function authenticate(context) {
        // "user", "script" and "LOG" are bindings supplied by Keycloak to the script.
        // In the flow described here "user" is null, so this line already fails.
        LOG.info(script.name + " --> trace auth for: " + user.username);
        if (user.username === "tester"
                && user.getAttribute("someAttribute")
                && user.getAttribute("someAttribute").contains("someValue")) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }
        context.success();
    }

This doesn't work, because user is null. Could you please give me advice on how to do this?

Thank you!

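Added example (editor's, not code from the post above or from the Keycloak project): a script authenticator intended for the "First broker login" flow rather than the browser flow. In that flow the local account does not exist yet, which is why the "user" binding is null; the e-mail the identity provider returned is instead read from the serialized brokered identity context that Keycloak stores in the authentication session under AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE. The domain check is kept as a plain function so it can be tested outside Keycloak. Assumptions: ALLOWED_DOMAINS is a constructed placeholder; the Java classes are resolved inside authenticate() so the file also loads in a plain JavaScript engine; LOG and script are the bindings the linked docs describe.

```javascript
// Added example for a Keycloak JavaScript script authenticator (ES5 syntax for the
// Nashorn/GraalJS engines Keycloak embeds). Not from the original post or the
// Keycloak project. Assumptions: runs in the "First broker login" flow, where the
// brokered identity context is stored in the authentication session under
// AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE; ALLOWED_DOMAINS is a constructed
// placeholder for the organization's own domains.

var ALLOWED_DOMAINS = ["example.com", "corp.example.com"]; // constructed placeholder

// Pure domain check, free of Keycloak types so it can be unit-tested.
// Returns true only for a plausible address whose domain exactly matches an
// allowlist entry (case-insensitive). Subdomains are NOT implied: "sub.example.com"
// is rejected unless listed, so "example.com.evil.net" can never slip through.
function isAllowedEmail(email, allowedDomains) {
  if (typeof email !== "string") { return false; }           // null/undefined from the IdP
  var addr = email.trim().toLowerCase();
  if (addr.length === 0 || /[\s\x00-\x1f]/.test(addr)) { return false; }
  var at = addr.lastIndexOf("@");
  if (at <= 0 || at === addr.length - 1) { return false; }   // empty local part or domain
  var domain = addr.substring(at + 1).replace(/\.$/, "");    // tolerate one trailing dot
  for (var i = 0; i < allowedDomains.length; i++) {
    if (domain === allowedDomains[i].toLowerCase()) { return true; }
  }
  return false;
}

// Entry point Keycloak calls. The "user" binding is null in first-broker-login,
// so take the e-mail from the brokered context the IdP callback populated.
function authenticate(context) {
  var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
  var AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
  var SerializedBrokeredIdentityContext = Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");

  var brokeredCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(
      context.getAuthenticationSession(), AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
  var raw = brokeredCtx ? brokeredCtx.getEmail() : null;
  // Convert the Java String to a JS string; keep null as null so the check denies it.
  var email = (raw === null || raw === undefined) ? null : String(raw);

  if (!isAllowedEmail(email, ALLOWED_DOMAINS)) {
    LOG.warn(script.name + ": rejecting brokered login, e-mail domain not allowed: " + email);
    context.failure(AuthenticationFlowError.INVALID_USER);
    return;
  }
  context.success();
}
```

Two caveats a reviewer would add. First, placing the check in the first-broker-login flow only gates account creation: users who were already linked before the fix keep logging in, so the existing accounts in the realm need auditing separately. Second, the check is only as strong as the e-mail the provider reports; if Bitbucket returns no address (or an unverified one) the script denies, which is the safe default, but the "Trust Email" setting on the identity provider decides whether Keycloak treats that address as verified afterwards.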