How to only allow some SSO (Github) users to login?

Sandra Schlichting

unread,

May 8, 2023, 5:01:54 AM5/8/23

to Keycloak User

Dear all =)

I have configured a PoC of Github SSO, and right now all Github users are allowed login.

How can I limit/restrict/allow which Github users that should be allowed access?

Hugs,

Sandra =)

Thomas Darimont

unread,

May 8, 2023, 5:06:09 AM5/8/23

to Keycloak User

Hello Sandra,

One way that would work is to implement a custom org.keycloak.broker.provider.IdentityProviderMapper and check the incoming user data via IdentityProviderMapper#preprocessFederatedIdentity.

If you want to reject the user, you could simply throw an error and show an error page to the user.
See: https://github.com/thomasdarimont/keycloak-project-example/blob/main/keycloak/extensions/src/main/java/com/github/thomasdarimont/keycloak/custom/idp/brokering/RestrictBrokeredUserMapper.java#L89

With this in place unwanted users will not be imported into the Keycloak user store.

Cheers,

Thomas

Sandra Schlichting

unread,

May 8, 2023, 7:37:25 AM5/8/23

to Keycloak User

Dear Thomas,

Excellent! Thanks a lot =)

Hugs,

Sandra =)

Matthieu Huin

unread,

May 9, 2023, 4:56:26 AM5/9/23

to Sandra Schlichting, Keycloak User

Hello,

This might do what you want: https://github.com/softwarefactory-project/keycloak-filter-provider-users

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/63916fe1-9d12-4481-b425-f8b74fad2c56n%40googlegroups.com.

--

Matthieu Huin

(He/Him/His)

Senior Software Developer

Schuster Sebastian (BD/PAU1)

unread,

May 9, 2023, 10:43:13 AM5/9/23

to Matthieu Huin, Sandra Schlichting, Keycloak User

Hi Matthieu,

this looks nice, could you also add a license so people can actually use it?

@Sandra Schlichting Another option would be to have a first broker login flow that does not automatically create users but just links them with existing users and then you create all users you want to allow upfront.

Best regards,

Sebastian

Mit freundlichen Grüßen / Best regards

Dr.-Ing. Sebastian Schuster

Product Area User Management (BD/PAU1)
Bosch.IO GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch.io
Tel. +49 30 726112-485 | Mobil +49 152 02177668 | Telefax +49 30 726112-100 | Sebastian...@bosch.io

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Stefan Koss; Geschäftsführung: Dr. Andreas Nauerz, Stephan Lampel

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/CADNCi7fr5uDMp4vzcET3%2B38%3D9U5%3DppJawPpX1Z_ZaOh5wXc4rQ%40mail.gmail.com.

Sandra Schlichting

unread,

May 12, 2023, 7:35:49 AM5/12/23

to Keycloak User

Dear Sebastian,

This broker you mention. Is that a something I would have to develop myself, or does there exist something I can already use?

Hugs,

Sandra =)

Schuster Sebastian (BD/PAU1)

unread,

May 12, 2023, 11:20:10 AM5/12/23

to Sandra Schlichting, Keycloak User

Hi Sandra,

this flow is already there, you can just adapt its configuration, see: https://www.keycloak.org/docs/latest/server_admin/#_identity_broker_first_login

Best regards,

Sebastian

Mit freundlichen Grüßen / Best regards

Dr.-Ing. Sebastian Schuster

Product Area User Management (BD/PAU1)
Bosch.IO GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch.io
Tel. +49 30 726112-485 | Mobil +49 152 02177668 | Telefax +49 30 726112-100 | Sebastian...@bosch.io

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Stefan Koss; Geschäftsführung: Dr. Andreas Nauerz, Stephan Lampel

Error! Filename not specified.
Error! Filename not specified.

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/CADNCi7fr5uDMp4vzcET3%2B38%3D9U5%3DppJawPpX1Z_ZaOh5wXc4rQ%40mail.gmail.com.

--

You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/CAELiMBM0HMi3K91DFP_PzU0YvEx-50j-D6bAEi17VQfoS%3D4y6A%40mail.gmail.com.

Matthieu Huin

unread,

May 15, 2023, 7:01:10 AM5/15/23

to Schuster Sebastian (BD/PAU1), Sandra Schlichting, Keycloak User

A little oversight on my part, thanks for pointing that out! This should be fixed now.

To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/AS4PR10MB54413467EAD6EA525B01B88087769%40AS4PR10MB5441.EURPRD10.PROD.OUTLOOK.COM.

--

Matthieu Huin

(He/Him/His)

Senior Software Developer

Reply all

Reply to author

Forward