[[_client_suggested_idp]]
=== Client-suggested Identity Provider

OIDC applications can bypass the {project_name} login page by specifying a hint on which identity provider they want to use.
This is done by setting the `kc_idp_hint` query parameter in the Authorization Code Flow authorization endpoint.

{project_name} OIDC client adapters also allow you to specify this query parameter when you access a secured resource at the application.

For example:

[source]
----
GET /myapplication.com?kc_idp_hint=facebook HTTP/1.1
Host: localhost:8080
----
In this case, it is expected that your realm has an identity provider with an alias `facebook`. If this provider doesn't exist, the login form will be displayed.

If you are using the `keycloak.js` adapter, you can also achieve the same behavior:

[source,javascript]
----
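// Load the adapter configuration for this client.
var keycloak = new Keycloak('keycloak.json');
// Build a login URL that carries kc_idp_hint=facebook.
keycloak.createLoginUrl({
    idpHint: 'facebook'
});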
----

The `kc_idp_hint` query parameter also allows the client to override the default identity provider if one is configured for the `Identity Provider Redirector` authenticator. The client can also disable the automatic redirection by setting the `kc_idp_hint` query parameter to an empty value.
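
The following added example (not part of the original documentation or the project's code) builds the authorization request by hand and covers the three cases described above: a known alias, an unknown alias, and an empty hint. The base URL, realm, client, redirect URI, and the alias allowlist are constructed values; the allowlist is an assumption that lets an application restrict which aliases it forwards when the hint originates from user input.

```javascript
// Added example. All realm, client and alias values are constructed.
// Aliases this application is willing to forward (assumed to match the
// identity providers configured in the realm).
const ALLOWED_IDP_ALIASES = new Set(['facebook', 'github']);

function buildAuthorizationUrl({ baseUrl, realm, clientId, redirectUri, state, idpHint }) {
  const url = new URL(
    `${baseUrl}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/auth`
  );
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', 'code'); // Authorization Code Flow
  url.searchParams.set('scope', 'openid');
  url.searchParams.set('state', state);

  if (idpHint === '') {
    // Empty value: disables automatic redirection to the default provider.
    url.searchParams.set('kc_idp_hint', '');
  } else if (typeof idpHint === 'string' && ALLOWED_IDP_ALIASES.has(idpHint)) {
    // Known alias: the login page is bypassed in favour of this provider.
    url.searchParams.set('kc_idp_hint', idpHint);
  }
  // Anything else (unknown alias, non-string) is dropped, so the realm's
  // normal login flow applies and no untrusted value reaches the URL.
  return url.toString();
}

// Constructed sample request parameters.
const sample = {
  baseUrl: 'http://localhost:8080',
  realm: 'myrealm',
  clientId: 'myapplication',
  redirectUri: 'http://localhost:3000/callback',
  state: 'constructed-state-value'
};

console.log(buildAuthorizationUrl({ ...sample, idpHint: 'facebook' }));
console.log(buildAuthorizationUrl({ ...sample, idpHint: '' }));
console.log(buildAuthorizationUrl({ ...sample, idpHint: 'not-configured' }));
```

The hint only selects which provider the user is sent to; authentication and the redirect URI checks still happen on the server.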