How can I restrict automatic registration by an IdP

Hi, I’m using Google Identity Provider and I want to restrict new users until some admins allow them.

There are some ways I guess.

  1. to restrict registering itself
    => I can restrict signing up via keycloak web BUT I’m not able to register via Google IdP

  2. to use whitelist with specific email domain name when users register
    => I heard there is no function to handle this.

  3. to block new users by default
    => I heard there is no function to handle this. Admins should block each user manually

The 3 things are all I could imagine, but none of them was possible. Though I guess the first one would be the most feasible, after login via the IdP a Keycloak user is created automatically.

Are there any tips or advice on restricting new users or restricting signing up?

You can allow new users to create an account, however, you can restrict the actions (i.e., scope permissions) they are initially (e.g., new users are granted the ‘Guest’ role) allowed to perform.

See: Angular, OAuth 2.0 and Keycloak

1 Like
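To make the answer above concrete, here is an added example (not code from the original thread or from Keycloak itself) of how a resource server can enforce the "new users get a minimal role" approach. It assumes the access token has already been signature-verified by a JWT library, and that a hypothetical `guest` realm role is the one assigned to freshly registered IdP users; the other role and permission names are made up for illustration. It relies on the real Keycloak claim layout, where realm roles appear under `realm_access.roles`, and defaults to deny for any role it does not know.

```python
# Role-based permission check over verified Keycloak access-token claims.
# Added example; assumes the token signature/expiry was already verified
# by a JWT library before the claims reach this code.

# Hypothetical mapping of realm roles to permissions. 'guest' is the role
# a newly registered (IdP-created) user receives and is intentionally
# limited to reading their own profile. Unknown roles grant nothing.
ROLE_PERMISSIONS = {
    "guest": {"profile:read"},
    "member": {"profile:read", "documents:read"},
    "admin": {"profile:read", "documents:read", "documents:write", "users:manage"},
}


def realm_roles(claims):
    """Return the set of realm roles carried by Keycloak token claims.

    Keycloak places realm roles under claims["realm_access"]["roles"].
    Missing keys are treated as 'no roles' rather than as an error.
    """
    realm_access = claims.get("realm_access") or {}
    return set(realm_access.get("roles") or [])


def permissions_for(claims):
    """Union of permissions granted by every known role in the token."""
    perms = set()
    for role in realm_roles(claims):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(claims, permission):
    """Default-deny check: True only if some role grants the permission."""
    return permission in permissions_for(claims)


# Constructed sample claims (not real tokens). Keycloak's built-in default
# roles such as offline_access and default-roles-<realm> are present but
# map to no application permissions here.
NEW_USER_CLAIMS = {
    "sub": "example-new-user-id",
    "preferred_username": "new.user",
    "realm_access": {"roles": ["guest", "default-roles-myrealm", "offline_access"]},
}

ADMIN_CLAIMS = {
    "sub": "example-admin-id",
    "preferred_username": "site.admin",
    "realm_access": {"roles": ["admin", "default-roles-myrealm", "offline_access"]},
}


if __name__ == "__main__":
    for name, claims in (("new user", NEW_USER_CLAIMS), ("admin", ADMIN_CLAIMS)):
        print(name, sorted(permissions_for(claims)))
        print("  documents:write ->", is_allowed(claims, "documents:write"))
```

The enforcement point is `is_allowed`: a user who self-registered through Google still gets a token, but until an admin assigns a more privileged role the token only unlocks `profile:read`. Promoting the user is then a Keycloak role-mapping change rather than a code change.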

Thank you for your answer. I wasn’t able to find any articles that explain Roles in Keycloak very well. But thanks to your post, I could make it work.
I restricted the email and profile scopes and bound them to a Role.