keycloak-scim/server_admin/topics/identity-broker/suggested.adoc


[[_client_suggested_idp]]
=== Client-suggested Identity Provider

OIDC applications can bypass the {project_name} login page by hinting at the identity provider they want to use. You can enable this by setting the `kc_idp_hint` query parameter in the Authorization Code Flow authorization endpoint.

With {project_name} OIDC client adapters, you can specify this query parameter when you access a secured resource in the application.

For example:

[source,bash,subs=+attributes]
----
GET /myapplication.com?kc_idp_hint=facebook HTTP/1.1
Host: localhost:8080
----

In this case, your realm must have an identity provider with a `facebook` alias. If this provider does not exist,  the login form is displayed.

If you are using the `keycloak.js` adapter, you can also achieve the same behavior as follows:

[source,javascript]
----
var keycloak = new Keycloak('keycloak.json');

keycloak.createLoginUrl({
	idpHint: 'facebook'
});
----

With the `kc_idp_hint` query parameter, the client can override the default identity provider if you configure one for the `Identity Provider Redirector` authenticator. The client can  disable the automatic redirecting by setting the `kc_idp_hint` query parameter to an empty value.
KEYCLOAK-15756 Initial wording (#58) * KEYCLOAK-15756 Initial wording * KEYCLOAK-15756 Post feedback changes 2021-03-22 13:20:23 +00:00
Add link to client suggested idp 2017-04-21 08:19:53 +00:00			`[[_client_suggested_idp]]`
requested changes 2019-01-21 16:38:32 +00:00			`=== Client-suggested Identity Provider`
google 2016-05-26 16:09:04 +00:00
KEYCLOAK-15756 Initial wording (#58) * KEYCLOAK-15756 Initial wording * KEYCLOAK-15756 Post feedback changes 2021-03-22 13:20:23 +00:00			OIDC applications can bypass the {project_name} login page by hinting at the identity provider they want to use. You can enable this by setting the `kc_idp_hint` query parameter in the Authorization Code Flow authorization endpoint.
google 2016-05-26 16:09:04 +00:00
KEYCLOAK-15756 Initial wording (#58) * KEYCLOAK-15756 Initial wording * KEYCLOAK-15756 Post feedback changes 2021-03-22 13:20:23 +00:00			`With {project_name} OIDC client adapters, you can specify this query parameter when you access a secured resource in the application.`
google 2016-05-26 16:09:04 +00:00
requested changes 2019-01-21 16:38:32 +00:00			`For example:`
google 2016-05-26 16:09:04 +00:00
KEYCLOAK-15756 Initial wording (#58) * KEYCLOAK-15756 Initial wording * KEYCLOAK-15756 Post feedback changes 2021-03-22 13:20:23 +00:00			`[source,bash,subs=+attributes]`
google 2016-05-26 16:09:04 +00:00			`----`
			`GET /myapplication.com?kc_idp_hint=facebook HTTP/1.1`
			`Host: localhost:8080`
			`----`

KEYCLOAK-15756 Initial wording (#58) * KEYCLOAK-15756 Initial wording * KEYCLOAK-15756 Post feedback changes 2021-03-22 13:20:23 +00:00			In this case, your realm must have an identity provider with a `facebook` alias. If this provider does not exist, the login form is displayed.
google 2016-05-26 16:09:04 +00:00
KEYCLOAK-15756 Initial wording (#58) * KEYCLOAK-15756 Initial wording * KEYCLOAK-15756 Post feedback changes 2021-03-22 13:20:23 +00:00			If you are using the `keycloak.js` adapter, you can also achieve the same behavior as follows:
google 2016-05-26 16:09:04 +00:00
Fix incorrect source format 2018-02-08 21:09:26 +00:00			`[source,javascript]`
google 2016-05-26 16:09:04 +00:00			`----`
			`var keycloak = new Keycloak('keycloak.json');`

			`keycloak.createLoginUrl({`
			`idpHint: 'facebook'`
			`});`
			`----`

KEYCLOAK-15756 Initial wording (#58) * KEYCLOAK-15756 Initial wording * KEYCLOAK-15756 Post feedback changes 2021-03-22 13:20:23 +00:00			With the `kc_idp_hint` query parameter, the client can override the default identity provider if you configure one for the `Identity Provider Redirector` authenticator. The client can disable the automatic redirecting by setting the `kc_idp_hint` query parameter to an empty value.