Authorization flow -> user + pass + otp + company_name

I would like to get quite a custom authorization flow in Keycloak.
Keycloak will act as a central authentication and authorization point for several applications.
In each application, of course, the given user will have different rights, but in addition to the standard rights, he will have one more parameter: the name of the company for which to view data. This means that at the time of logging in, apart from entering login / password + OTP, it would be necessary to give the user a dynamic list of companies (it depends on the user, as each user is to have access to other companies), which will be checked against his rights. So we have an authorization matrix with 3 levels: user, application, company within a given application.
Can you get something like this without modifying the Keycloak code?

I don’t know all the requirements, but you would need to do the following for your use case:

  • extend an existing theme or create a new one that can show you what you want
  • create custom providers for Keycloak that handle these things

You wouldn’t need to touch the actual Keycloak code itself, just be creative with the providers, user settings, attributes, roles and rights, and if Keycloak can’t handle your specific needs, maybe connect to an external API that implements some of that logic.
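A sketch of the kind of custom provider the answer describes, added here as an example and not taken from the thread or from Keycloak's own code: an Authenticator SPI step placed after the password and OTP steps that shows the user's companies and re-checks the posted choice on the server. The attribute name `allowed_companies`, the template `select-company.ftl`, the form field `company` and the session note `selected_company` are assumptions, as are the `jakarta` imports (recent Keycloak versions); a matching `AuthenticatorFactory` is still needed to register it.

```java
// Added example: hypothetical company-selection step for a Keycloak browser flow.
package example.auth;

import java.util.List;
import java.util.stream.Collectors;
import jakarta.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class CompanySelectAuthenticator implements Authenticator {
    static final String ATTR = "allowed_companies"; // assumed user attribute
    static final String NOTE = "selected_company";  // assumed session note name

    private static List<String> allowed(UserModel user) {
        return user.getAttributeStream(ATTR).collect(Collectors.toList());
    }

    private static Response form(AuthenticationFlowContext ctx) {
        return ctx.form().setAttribute("companies", allowed(ctx.getUser()))
                  .createForm("select-company.ftl"); // assumed theme template
    }

    @Override public void authenticate(AuthenticationFlowContext ctx) {
        ctx.challenge(form(ctx)); // list only the companies this user may pick
    }

    @Override public void action(AuthenticationFlowContext ctx) {
        String chosen = ctx.getHttpRequest().getDecodedFormParameters().getFirst("company");
        // The posted value is untrusted: the rendered list is not an access control,
        // so the choice is checked against the user's attribute again.
        if (chosen == null || !allowed(ctx.getUser()).contains(chosen)) {
            ctx.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, form(ctx));
            return;
        }
        ctx.getAuthenticationSession().setUserSessionNote(NOTE, chosen);
        ctx.success();
    }

    @Override public boolean requiresUser() { return true; } // runs after user + password + OTP
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) {
        return u.getAttributeStream(ATTR).findAny().isPresent();
    }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

A "User Session Note" protocol mapper on each client can then copy the note into the token, so every application receives the company that was validated at login.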