From 0c2a04c4acc5f03a87def8c44da11e7c32edde1c Mon Sep 17 00:00:00 2001
From: tmub
Date: Thu, 19 Oct 2023 15:07:56 +0300
Subject: [PATCH] Dont add user to master realm if they don't have keycloak_admin role from MSSP
---
 .../keycloak/laverca/MobileidAuthenticator.java | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/main/java/fi/methics/keycloak/laverca/MobileidAuthenticator.java b/src/main/java/fi/methics/keycloak/laverca/MobileidAuthenticator.java
index dba7e0a..9a83f89 100644
--- a/src/main/java/fi/methics/keycloak/laverca/MobileidAuthenticator.java
+++ b/src/main/java/fi/methics/keycloak/laverca/MobileidAuthenticator.java
@@ -148,6 +148,12 @@ public void action(AuthenticationFlowContext context) {
 UserModel existingUser = session.users().getUserByUsername(realm, msisdn);
 UserModel user = (existingUser == null) ? this.createUser(context, msisdn, resp) : existingUser;
+ // User returned null because MSSP user did not have "keycloak_admin" role
+ if (user == null) {
+ context.failure(AuthenticationFlowError.ACCESS_DENIED);
+ return;
+ }
+
 // Set attributes and roles for current user
 this.setAttributes(user, attrs, resp);
 context.setUser(user);
@@ -229,8 +235,9 @@ private UserModel createUser(AuthenticationFlowContext context, String msisdn, M
 if (realm.getName().equals("master")) {
 if (!roles.contains("keycloak_admin")) {
 logger.warn("Can't give Keycloak ADMIN access to " + newUser.getUsername() +
- " because mobile user did not have 'keycloak_admin' role");
- return newUser;
+ " because mobile user did not have 'keycloak_admin' role.");
+ // Return null so no extra users are created
+ return null;
 }
 RoleModel adminRole = realm.getRole("admin");
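Review bot: The `keycloak_admin` gate is only evaluated when `existingUser == null`, because the new `user == null` check can only be tripped by `createUser`; a master-realm user provisioned on an earlier login who has since lost the role in the MSSP still reaches `context.setUser(user)` on every subsequent login, so the authorization decision is effectively made once at provisioning rather than per authentication. If MSSP role membership is meant to authorize master-realm access, the same role check should also be applied to `existingUser` before `this.setAttributes(user, attrs, resp)` (unless `setAttributes` already revokes the admin role, which is outside the hunk). The added comment also asserts a cause the caller cannot actually know; `// createUser() returns null when it refuses to provision the user (currently: no "keycloak_admin" role in the master realm)` would stay accurate if further refusal reasons are added. `action` begins and ends outside the hunk, and in the second hunk it is not visible whether `newUser` has already been persisted before the early `return null`, so the "no extra users are created" claim should be confirmed against the lines above it.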