Open JuanPTM opened 3 months ago
ISSUE: When a social login is configured, ANY user that has an account on that site can log in to Keycloak and then into Horizon/OpenStack.
After researching what other users do, there is no "native" way to solve the issue, but there are several approaches.
App control: Users have to be provisioned and the app has to allow/decline the login.
Authenticator: Create a Java authenticator for Keycloak that lets you filter users from the federation. https://github.com/p2-inc/keycloak-orgs/issues/228
Whitelist: Another approach like the previous one, but that only lets users from a whitelist log in. Pretty basic solution that should be out of scope in our case. https://github.com/softwarefactory-project/keycloak-filter-provider-users
Keycloak-plugin: Same author as our current home-idp-discovery. There is a plugin that only allows certain users access to a specific Keycloak client. This is used to filter users. Can be done with roles or policies on Keycloak.
Keycloak organizations: Keycloak 25, I haven't researched it too much yet. https://github.com/keycloak/keycloak/issues/28273
Research how other Keycloak users handle social login attempts from users that are not members of the GitHub organization, e.g.
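For reference, here is a sketch of the "Authenticator" / "Whitelist" approach from the list above as a custom Keycloak Authenticator SPI implementation. This is an added example written for this issue, not code from the linked projects or from Keycloak itself. The class name, package, and the `allowedEmails` config key are hypothetical; only the `org.keycloak.authentication` / `org.keycloak.models` types are real Keycloak APIs. It is meant to be placed in the identity provider's Post Login Flow, where the brokered user already exists, and it rejects any user whose (verified) email is not on the configured allowlist.

```java
package example.keycloak; // hypothetical package for this example

import java.util.Arrays;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Rejects brokered (social) logins whose email is not on an admin-configured allowlist.
 * Attach it as REQUIRED in the identity provider's Post Login Flow.
 */
public class AllowlistAuthenticator implements Authenticator {

    // Hypothetical config key; the matching AuthenticatorFactory (not shown) would expose it
    // as a ProviderConfigProperty holding a comma-separated list of email addresses.
    static final String CONFIG_ALLOWED_EMAILS = "allowedEmails";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user == null) {
            // Post Login Flow always has a user; treat a missing one as a hard failure.
            context.failure(AuthenticationFlowError.UNKNOWN_USER);
            return;
        }

        Set<String> allowed = allowedEmails(context.getAuthenticatorConfig());

        // Caveat: only trust the email if the IdP marked it verified, otherwise an attacker
        // can register an arbitrary email at the social provider to match the allowlist.
        if (user.isEmailVerified() && isAllowed(user.getEmail(), allowed)) {
            context.success();
        } else {
            context.failure(AuthenticationFlowError.INVALID_USER);
        }
    }

    /** Parses the comma-separated allowlist from the authenticator config (empty if unconfigured). */
    static Set<String> allowedEmails(AuthenticatorConfigModel config) {
        if (config == null || config.getConfig() == null) {
            return Collections.emptySet();
        }
        String raw = config.getConfig().get(CONFIG_ALLOWED_EMAILS);
        if (raw == null || raw.isBlank()) {
            return Collections.emptySet();
        }
        return Arrays.stream(raw.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(s -> s.toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
    }

    /** Case-insensitive membership test; a null email or an empty allowlist always denies. */
    static boolean isAllowed(String email, Set<String> allowed) {
        if (email == null || allowed.isEmpty()) {
            return false;
        }
        return allowed.contains(email.trim().toLowerCase(Locale.ROOT));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // No form is rendered, so there is no user action to process.
    }

    @Override
    public boolean requiresUser() {
        return true; // the check only makes sense once the brokered user is known
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true; // applies to every user; denial happens in authenticate()
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // Nothing to set up for the user.
    }

    @Override
    public void close() {
        // No resources to release.
    }
}
```

To deploy this, an `AuthenticatorFactory` that returns this class from `create(KeycloakSession)` and declares the `allowedEmails` config property is still needed, plus the usual `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` registration; both are omitted here. Note that this only answers "is this person on a list", not "is this person a member of the GitHub organization", so it fits the "Whitelist" bullet rather than the org-membership research item at the end.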