We are planning to use KeyCloak to grant access to our multi-cluster and multi-account AWS EKS infrastructure. We only want to allow sign-in using Google SSO/Azure AD and disable username & password completely, i.e. not even allowing POST requests. How can I achieve this?
Hi @vishu-25,
If your clients don’t have the grant type ROPC (Resource Owner Password Credentials), aka Direct Access Grants, enabled in KC, they won’t be able to use this grant type (which involves a POST request to the token endpoint).
Furthermore, you can also adjust the authentication flow and eliminate the authentication with a username and password step.
As a bonus track: You can check the acr claim (Authentication Context Class) in the token to enforce a desired level of assurance (LoA) or Authenticator Assurance Level (AAL), in your case, federation with an external IdP. If this is not the desired ‘acr’ claim, you can deny access or send it back to the IdP. Therefore, you can use the acr_values parameter in the authentication process.
For more information, you can review [1] and [2].
[1] Keycloak Step-Up and Multi-factor Authentication (MFA) for Web Apps and API | by Martin Besozzi | Medium
[2] Keycloak Workshop for Step Up with MFA Biometrics Authentication (Passkeys) and Passwordless experience with Passkey autofill | by Martin Besozzi | Medium
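The acr check and the acr_values parameter described in the answer above, as an added example that is not part of the original thread or of Keycloak itself. It assumes a resource server (for instance the component that maps tokens to EKS access) has already obtained a token and wants to refuse any login that did not come through the external IdP. Keycloak signs tokens with RS256 against the realm's JWKS in practice; this demo signs with HS256 and a constructed secret only so it runs offline with the standard library. The acr value "idp" is an assumption standing in for whatever LoA-to-acr mapping the realm is configured with.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Set, Tuple
from urllib.parse import urlencode

# Constructed demo secret. Real Keycloak tokens are RS256-signed; HS256 is used
# here only to keep the example self-contained.
DEMO_SECRET = b"demo-shared-secret-not-for-production"

# Assumed acr value that the realm assigns to logins federated to an external IdP.
ACCEPTED_ACR: Set[str] = {"idp"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build an HS256 JWT from constructed claims (stands in for a Keycloak token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(claims).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> dict:
    """Verify signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: rejects alg=none and algorithm-confusion tokens.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def check_acr(claims: dict, accepted: Set[str] = ACCEPTED_ACR) -> Tuple[bool, str]:
    """Enforce the acr claim: allow only logins that reached an accepted level of assurance."""
    acr = claims.get("acr")
    if acr is None:
        return False, "missing acr claim"
    if acr not in accepted:
        return False, f"acr {acr!r} not in accepted set {sorted(accepted)}"
    return True, "ok"


def build_step_up_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                      acr_values: Set[str] = ACCEPTED_ACR) -> str:
    """Authorization URL that asks Keycloak for the required acr via acr_values."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "acr_values": " ".join(sorted(acr_values)),
    }
    return authorize_endpoint + "?" + urlencode(params)


def authorize_request(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Full gate: signature and expiry first, then the acr policy."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        return False, str(exc)
    return check_acr(claims)


if __name__ == "__main__":
    # Constructed tokens: one federated login, one local-credential login.
    federated = make_demo_token({"sub": "alice", "acr": "idp", "exp": 2_000_000_000})
    local = make_demo_token({"sub": "bob", "acr": "1", "exp": 2_000_000_000})
    print(authorize_request(federated))
    print(authorize_request(local))
    print(build_step_up_url("https://kc.example/realms/demo/protocol/openid-connect/auth",
                            "eks-gateway", "https://app.example/cb"))
```

When `authorize_request` denies because of the acr value, the caller can redirect the user to the URL from `build_step_up_url`, which carries `acr_values` so the IdP is asked for the federated login rather than a local one. Note that the acr check only adds defence in depth: the primary control is still leaving Direct Access Grants disabled on the client and removing the username/password step from the browser flow, as the answer describes.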