How to set idpHint in Java?

Hello,

the “login options” section of the Keycloak docs states that one can specify the parameter idpHint in order to specify the preferred identity provider.

But I could not find any examples of how to do this in a Java-based application (preferably in Spring Boot).

I’d like to configure my web application (which uses Spring Security) in a way that, when it sends an authentication request to Keycloak, it includes the parameter kc_idp_hint (with a certain value I’d configure) in the request URL.

Could someone provide a link or an example?

When I look at the class KeycloakDeployment I don’t even see a property for idpHint (I’d expect to find it there after studying the code for some time).

UPDATE: If I understand the class OAuthRequestAuthenticator correctly, it only extracts the value of idpHint from the request itself. It is not possible to configure a value via Keycloak config. I’ve opened a feature request: https://issues.redhat.com/browse/KEYCLOAK-14776.

(I had to remove some links because I am a new forum user and may only place two links in a post.)

Thanks!

You can set a default identity provider by setting the IdP brokering redirector alias under the authentication section, which would route your application to the external IdP by default.

Otherwise, per the documentation, you can set the parameter kc_idp_hint from your front end in your form data to route to a specific external IdP.

Further, you can do a quick test by adding kc_idp_hint to the query parameters to check the routing.

The thing is, I don’t have any login form and I don’t create the URL for calling Keycloak explicitly in my code. I just use the Spring Security adapter. There, I configure that all pages of my app should only be accessible by an authenticated user. The rest is accomplished by Spring Security and the Keycloak adapter for it.

I’d like to configure the adapter so that, when it sends the request to Keycloak, it appends the kc_idp_hint parameter to the URL. But such configuration seems impossible to me (with the current code). It is possible for JavaScript (there is an example), but not for Java.

My working path for now is not to use the Keycloak lib and to use just the Spring Security lib instead. There it’s possible to configure all twists and whistles.
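
One way to do this with plain Spring Security, shown as an added example that is not code from this thread or from the Keycloak project: the OAuth2 client's authorization request resolver is customized to append kc_idp_hint to every authorization request. It assumes Spring Security 5.5 or later with an OAuth2 client registration for the Keycloak realm; the class name and the property `app.keycloak.idp-hint` are hypothetical.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class IdpHintSecurityConfig {

    // Hypothetical property: the alias of the identity provider as configured
    // in the Keycloak realm. It comes from server-side configuration, never
    // from the incoming request, so a client cannot steer the redirect.
    @Value("${app.keycloak.idp-hint}")
    private String idpHint;

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    ClientRegistrationRepository registrations) throws Exception {
        http
            // Every page requires an authenticated user, as described in the post.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(login -> login.authorizationEndpoint(endpoint ->
                endpoint.authorizationRequestResolver(idpHintResolver(registrations))));
        return http.build();
    }

    // Wraps the default resolver and adds kc_idp_hint as an extra query
    // parameter on the authorization request sent to Keycloak.
    private OAuth2AuthorizationRequestResolver idpHintResolver(
            ClientRegistrationRepository registrations) {
        DefaultOAuth2AuthorizationRequestResolver resolver =
            new DefaultOAuth2AuthorizationRequestResolver(registrations,
                OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
        resolver.setAuthorizationRequestCustomizer(builder ->
            builder.additionalParameters(params -> params.put("kc_idp_hint", idpHint)));
        return resolver;
    }
}
```

The hint only preselects the identity provider on the Keycloak side; which providers are allowed is still decided by the realm configuration.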

Hi @fml2, I am facing the same issue. Did we get any solution for this?