keycloak-scim/docs/documentation/server_admin/topics/identity-broker/suggested.adoc

31 lines
1.2 KiB
Text
Raw Normal View History

2017-04-21 08:19:53 +00:00
[[_client_suggested_idp]]
2019-01-21 16:38:32 +00:00
=== Client-suggested Identity Provider
2016-05-26 16:09:04 +00:00
OIDC applications can bypass the {project_name} login page by hinting at the identity provider they want to use. You can enable this by setting the `kc_idp_hint` query parameter in the Authorization Code Flow authorization endpoint.
2016-05-26 16:09:04 +00:00
With {project_name} OIDC client adapters, you can specify this query parameter when you access a secured resource in the application.
2016-05-26 16:09:04 +00:00
2019-01-21 16:38:32 +00:00
For example:
2016-05-26 16:09:04 +00:00
[source,bash,subs=+attributes]
2016-05-26 16:09:04 +00:00
----
GET /myapplication.com?kc_idp_hint=facebook HTTP/1.1
Host: localhost:8080
----
In this case, your realm must have an identity provider with a `facebook` alias. If this provider does not exist, the login form is displayed.
2016-05-26 16:09:04 +00:00
If you are using the JavaScript adapter, you can also achieve the same behavior as follows:
2016-05-26 16:09:04 +00:00
2018-02-08 21:09:26 +00:00
[source,javascript]
2016-05-26 16:09:04 +00:00
----
const keycloak = new Keycloak('keycloak.json');
2016-05-26 16:09:04 +00:00
await keycloak.createLoginUrl({
2016-05-26 16:09:04 +00:00
idpHint: 'facebook'
});
----
With the `kc_idp_hint` query parameter, the client can override the default identity provider if you configure one for the `Identity Provider Redirector` authenticator. The client can disable the automatic redirecting by setting the `kc_idp_hint` query parameter to an empty value.