
Dont add user to master realm if they don't have keycloak_admin role …
…from MSSP
tmub committed Oct 19, 2023
1 parent 733a8df commit 0c2a04c
Showing 1 changed file with 9 additions and 2 deletions.
Expand Up @@ -148,6 +148,12 @@ public void action(AuthenticationFlowContext context) {
UserModel existingUser = session.users().getUserByUsername(realm, msisdn);
UserModel user = (existingUser == null) ? this.createUser(context, msisdn, resp) : existingUser;

// User returned null because MSSP user did not have "keycloak_admin" role
if (user == null) {
context.failure(AuthenticationFlowError.ACCESS_DENIED);
return;
}

// Set attributes and roles for current user
this.setAttributes(user, attrs, resp);
context.setUser(user);
Expand Down Expand Up @@ -229,8 +235,9 @@ private UserModel createUser(AuthenticationFlowContext context, String msisdn, M
if (realm.getName().equals("master")) {
if (!roles.contains("keycloak_admin")) {
logger.warn("Can't give Keycloak ADMIN access to " + newUser.getUsername() +
" because mobile user did not have 'keycloak_admin' role");
return newUser;
" because mobile user did not have 'keycloak_admin' role.");
// Return null so no extra users are created
return null;
}

RoleModel adminRole = realm.getRole("admin");
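Review bot: The new `return null;` in createUser appears to leave an already-created account behind: `newUser.getUsername()` on the line above shows the user object exists before the role check, so if it was persisted earlier in createUser (outside this hunk) the comment `Return null so no extra users are created` does not hold and an orphan master-realm user remains. Either move the `keycloak_admin` check ahead of user creation or delete the record before bailing out, e.g. `session.users().removeUser(realm, newUser);` immediately before `return null;`. The ACCESS_DENIED guard added in the first hunk only covers this creation path: an `existingUser` returned by `getUserByUsername` is accepted without re-checking the MSSP roles, so revoking `keycloak_admin` upstream does not block later master-realm logins — worth a comment on the `if (user == null)` branch or a re-check in action. Both action and createUser extend beyond their hunks.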
