
I have a Keycloak Broker and 2 Identity Providers running. Currently I see the Username and Password fields and the 2 links to the configured Identity Providers at the broker login screen. The login through Identity Providers is possible after clicking an IdP link.

How can I disable/remove the Username/Password fields because I want to provide only the Identity Providers to login to my Client (without the possibility to login directly through the Broker)?

hb70muc

2 Answers

There are a few out-of-the-box features that might work.

If you need only one default IdP, you can configure a Default Identity Provider for your realm. This will bypass the Keycloak login page and redirect the user straight to the Identity Provider. More info: https://www.keycloak.org/docs/latest/server_admin/index.html#default_identity_provider

For multiple identity providers, this wouldn't work - but you could use the client-suggested identity provider feature (https://www.keycloak.org/docs/latest/server_admin/index.html#_client_suggested_idp). By adding a kc_idp_hint query string parameter on the link to the Keycloak login page, it will bypass the login and go directly to that IdP. In your web application, you can construct a set of links or buttons for each provider and add the kc_idp_hint into it. However, this won't stop someone clever from still getting to the normal Keycloak login page.

Creating your own login theme may be the most straightforward approach, but I wanted to toss out these options in case anyone else finds it useful.

RealDealNeil
  • Thanks for the information. The Client-suggested Identity Provider could be helpful for us. I have already tried it. – hb70muc Sep 16 '20 at 08:58
  • The problem with the theme/css solution is that even if you remove the form fields, users can still create a username/password for themselves from their /account endpoint on Keycloak after they have logged in via the IdP. It would then be trivial to login via username/password later even if the IdP account is disabled. I see this as a serious security problem. – GGGforce Jan 08 '23 at 10:50
  • You can find a solution to ensure IDP users can't log in with a local username / password here. I had posted this as an answer but an exuberant mod deleted it. https://groups.google.com/g/keycloak-user/c/N9cuqXIBrSA/m/sycLxTZbCAAJ – GGGforce Jan 10 '23 at 18:24
  • @GGGforce thanks for your information, that looks promising, which I've tried out and seems to work. – Raymond Tau Jan 20 '23 at 08:49
I am not really sure why Keycloak does not just provide a configuration option for this in the Realm... but it doesn't. That said... if you have not enabled self-registration then users could not login regardless?

I think you would need to create your own login theme and just remove the username and password section from your theme. It is probably not as hard as it may sound.

Mark Phippard
  • Thanks, yes, this should work and will be easy to realize. Don't you think that it is necessary to add a new SPI extension and configure a new authentication flow too? Maybe because of some security reasons? – hb70muc Aug 14 '20 at 12:11
  • I do not know ... if you modified the theme I cannot think of how someone could login and like I said even if you do not do that how are you thinking users login? Keycloak does not validate the username and password against the external IdP it validates against its own database. If you do not let users self-register how would they have a local account? – Mark Phippard Aug 14 '20 at 16:07
  • Users can create a local account for themselves on the /account endpoint once they login via the IdP. Thereafter, they can use the username/password even if their IdP account is disabled. This seems to me to be a major security problem. – GGGforce Jan 08 '23 at 10:52