This extension lets an administrator automatically disable users who log in through an external identity provider unless they are on an allow list. Allowed users are matched by username or email address. This way, for example, only a predefined set of Facebook accounts can access your application, rather than anyone with a Facebook account. Note that the user is still created in Keycloak by the first broker login flow and only then disabled, so rejected logins leave disabled accounts in the admin console, and matching by email trusts whatever email address the identity provider asserts, so email entries should only be used with providers that verify addresses.
This is intended to be very simple and straightforward. For anything more elaborate you may want to consider this extension instead.
This was adapted from this article: it fixes bugs and takes the allow list as configuration entered in the admin console rather than as a file on disk.
mvn clean install
Copy the built jar into {KEYCLOAK_HOME}/standalone/deployments (WildFly distribution) or /opt/keycloak/providers (Quarkus distribution). On the Quarkus distribution, run bin/kc.sh build afterwards (or start the server without --optimized) so that the new provider is picked up.
You can also build a custom container image that includes the extension by using the Dockerfile in the repo:
podman build -t custom_kc -f Dockerfile
- Click on "Authentication" for your realm.
- Duplicate the "First broker login" flow and edit the copy.
- Add a step: pick "Enable User if Username in allow list".
- Move that step below "Create User if Unique" so that it runs once the brokered user actually exists.
- Change the step requirement to "Required"; with any other requirement the step can be skipped and the check never runs.
- Click on the cog to configure your allow list as comma-separated usernames or email addresses.
- Pick your external identity provider under "Identity Providers".
- In "Advanced Settings" set "First login flow" to your duplicated flow.
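As an added example (not the project's own code, which is not reproduced on this page), here is the core of such an authenticator written against Keycloak's Authenticator SPI. The package, class name and the `allowList` config key are assumptions; the Keycloak interfaces and methods used are real. It parses the comma-separated list entered through the cog icon, matches username or email case-insensitively, fails closed when the list is empty or missing, and on no match disables the freshly created user and fails the flow.

```java
package example.allowlist; // hypothetical package, not the project's

import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Illustrative authenticator for a copied "First broker login" flow. It must be
 * placed after "Create User if Unique" so that context.getUser() returns the
 * brokered user; that user is disabled unless its username or email is listed.
 */
public class AllowListAuthenticator implements Authenticator {

    // Hypothetical config key; the real extension's key may differ.
    static final String ALLOW_LIST_KEY = "allowList";

    /** Parse the admin's comma-separated input into a trimmed, lower-cased set. */
    static Set<String> parseAllowList(String raw) {
        if (raw == null) {
            return Set.of();
        }
        return Arrays.stream(raw.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(s -> s.toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
    }

    /** True if either identifier is on the list; a null email never matches. */
    static boolean isAllowed(Set<String> allowList, String username, String email) {
        if (username != null && allowList.contains(username.toLowerCase(Locale.ROOT))) {
            return true;
        }
        return email != null && allowList.contains(email.toLowerCase(Locale.ROOT));
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {
            // The step was placed before "Create User if Unique"; refuse rather than pass.
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        Map<String, String> values = cfg == null ? null : cfg.getConfig();
        String raw = values == null ? null : values.get(ALLOW_LIST_KEY);
        // Fail closed: an empty or missing list admits nobody.
        Set<String> allowList = parseAllowList(raw);
        if (isAllowed(allowList, user.getUsername(), user.getEmail())) {
            context.success();
            return;
        }
        user.setEnabled(false);
        context.getEvent().detail("reason", "not_in_allow_list");
        context.failure(AuthenticationFlowError.USER_DISABLED);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        authenticate(context); // no form is rendered, so a re-entry behaves like the first call
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

To actually deploy a class like this you also need an AuthenticatorFactory with a stable getId(), a display type (the name that appears when you add the step), a ProviderConfigProperty for the list so the cog icon offers a field, and a META-INF/services/org.keycloak.authentication.AuthenticatorFactory entry; those parts are omitted here.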
See the GIF below for a visual demo.