Kc_idp_hint and OAuth 2.0 Device Authorization Grant

Hello,

I have configured a test Keycloak with 2 realms: MyRealm and PrivCompanyRealm.
PrivCompanyRealm is registered as an Identity Provider (alias theprivcompany) in MyRealm and contains one user.

If I go to the login page, I get the user/pass form and see a button “theprivcompany”. If I click on it, I can log in with PrivCompanyRealm and subsequently in MyRealm.

If I go to the login page but add the parameter “&kc_idp_hint=theprivcompany” to the URL, then I am automatically redirected to the PrivCompanyRealm login page and never see the MyRealm auth page. As expected, still good, it’s my purpose.

BUT if I try to log in using the Device Authorization Grant, no matter at which step I add the kc_idp_hint, it’s ignored and I get the MyRealm auth screen with a button, which is not what I want.

I already tried:

curl --location --request POST 'http://localhost:8080/realms/MyRealm/protocol/openid-connect/auth/device' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=device-client' \
--data-urlencode 'client_secret=xxxxxxxxxxxxxxxxxx' \
--data-urlencode 'kc_idp_hint=theprivcompany' | jq
{
  "device_code": "ho6njsvtgLf-1fG5sDlsZ1pTJyJCLVftm54Y28joi3c",
  "user_code": "LCIS-SWZY",
  "verification_uri": "http://localhost:8080/realms/MyRealm/device",
  "verification_uri_complete": "http://localhost:8080/realms/MyRealm/device?user_code=LCIS-SWZY",
  "expires_in": 600,
  "interval": 5
}

I tried adding the hint to the verification URI:

http://localhost:8080/realms/MyRealm/device?user_code=LCIS-SWZY&kc_idp_hint=theprivcompany

I also tried manually adding the hint in the address bar.

The purpose of our desktop application is to redirect the user to log in using a specific identity provider already selected by the application, so having the user click on one of a thousand identity providers is not really an option.

Am I missing something?

I found this doc, but it’s not clear to me where it is supported: Server Administration Guide
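As an added example (not code from the original post), the Device Authorization Grant exchange the poster is driving with curl, written as a small Python client: it requests the device code (passing kc_idp_hint in the request, as the curl above does), appends kc_idp_hint to verification_uri_complete the way the poster tried, and then polls the token endpoint handling the authorization_pending and slow_down responses defined by RFC 8628. The HTTP transport is injected so the logic can be exercised offline; the host, realm, client id and the “theprivcompany” alias are the poster’s own test values, and whether Keycloak honours the hint at either step is exactly the open question of this thread, which the code does not answer.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceFlowError(Exception):
    """Raised for any non-retryable OAuth error response."""


def post_form(url, fields):
    """Real transport: POST an application/x-www-form-urlencoded body, return (status, json)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # Keycloak returns 400 for pending/slow_down
        return err.code, json.loads(err.read() or b"{}")


def request_device_code(post, base, realm, client_id, client_secret, idp_hint=None):
    """Step 1: POST to the device authorization endpoint, optionally with kc_idp_hint."""
    fields = {"client_id": client_id, "client_secret": client_secret, "scope": "openid"}
    if idp_hint:
        fields["kc_idp_hint"] = idp_hint  # what the poster tried; not in RFC 8628 itself
    status, body = post(f"{base}/realms/{realm}/protocol/openid-connect/auth/device", fields)
    if status != 200:
        raise DeviceFlowError(body.get("error"), body.get("error_description"))
    return body


def add_idp_hint(verification_uri_complete, idp_hint):
    """Step 2: append kc_idp_hint to verification_uri_complete, keeping user_code intact."""
    parts = urllib.parse.urlsplit(verification_uri_complete)
    query = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    query["kc_idp_hint"] = idp_hint
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


def poll_for_token(post, base, realm, client_id, client_secret, device_code,
                   interval, expires_in, sleep=time.sleep, clock=time.monotonic):
    """Step 3: poll the token endpoint until the user finishes, honouring the server's pacing."""
    token_url = f"{base}/realms/{realm}/protocol/openid-connect/token"
    deadline = clock() + expires_in
    wait = interval
    while clock() < deadline:
        status, body = post(token_url, {
            "grant_type": DEVICE_GRANT, "device_code": device_code,
            "client_id": client_id, "client_secret": client_secret,
        })
        if status == 200:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            sleep(wait)
            continue
        if error == "slow_down":
            wait += 5  # RFC 8628 section 3.5: back off by at least 5 seconds
            sleep(wait)
            continue
        raise DeviceFlowError(error, body.get("error_description"))  # expired_token, access_denied, ...
    raise DeviceFlowError("expired_token", "device code expired before the user completed login")


def run_device_login(post, base="http://localhost:8080", realm="MyRealm",
                     client_id="device-client", client_secret="xxxxxxxxxxxxxxxxxx",
                     idp_hint="theprivcompany", sleep=time.sleep, clock=time.monotonic):
    """Whole flow: returns (URI to show the user, token response)."""
    dev = request_device_code(post, base, realm, client_id, client_secret, idp_hint)
    user_uri = add_idp_hint(dev["verification_uri_complete"], idp_hint)
    print("Open this URL and confirm the code:", user_uri)
    token = poll_for_token(post, base, realm, client_id, client_secret,
                           dev["device_code"], dev["interval"], dev["expires_in"],
                           sleep=sleep, clock=clock)
    return user_uri, token


if __name__ == "__main__":
    run_device_login(post_form)
```

The client secret is sent in the form body because that is how the poster's curl does it; a public device client would simply omit it.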

I believe you stumbled into something here.

I’m not sure, but it seems that the device endpoints ignore kc_idp_hint, and I’m also not sure whether they are correct in doing so.

What you can try, though I don’t know if this fits your requirements, is to set the IdP globally in the browser authentication flow, in the Identity Provider Redirector.

You can override the browser flow per client, so if a global IdP doesn’t fit but a per-client one does, you can have a browser authentication flow per client.

Hope this helps.

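The workaround the reply describes, scripted against the Keycloak Admin REST API as an added example (not code from the reply or from the Keycloak project): copy the built-in browser flow, set defaultProvider on its Identity Provider Redirector execution (providerId identity-provider-redirector) to the IdP alias, and bind the new flow to one client through authenticationFlowBindingOverrides.browser. The HTTP transport is injected so the steps can be checked offline; the flow alias naming, the admin-cli password grant against the master realm, and the use of the poster's realm, client and IdP alias are assumptions made for the example. Done once per client, this is also what turns the “hundreds of clients” concern in the next reply into a scripting job rather than a clicking one.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

IDP_REDIRECTOR = "identity-provider-redirector"  # providerId of the Identity Provider Redirector


def http_call(method, url, token=None, json_body=None, form=None):
    """Real transport: returns (status, headers, parsed JSON or None)."""
    headers, data = {}, None
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if json_body is not None:
        data, headers["Content-Type"] = json.dumps(json_body).encode(), "application/json"
    elif form is not None:
        data, headers["Content-Type"] = urllib.parse.urlencode(form).encode(), "application/x-www-form-urlencoded"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, dict(resp.headers), (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, dict(err.headers), (json.loads(raw) if raw else None)


def admin_token(call, base, username, password):
    """Password grant with the built-in admin-cli client of the master realm."""
    status, _, body = call("POST", f"{base}/realms/master/protocol/openid-connect/token",
                           form={"grant_type": "password", "client_id": "admin-cli",
                                 "username": username, "password": password})
    if status != 200:
        raise RuntimeError(f"admin login failed: {status} {body}")
    return body["access_token"]


def _expect(status, allowed, step):
    if status not in allowed:
        raise RuntimeError(f"{step}: unexpected HTTP {status}")


def bind_client_to_idp_flow(call, base, realm, token, client_id, idp_alias, flow_alias=None):
    """Create a browser flow that always redirects to idp_alias and bind it to one client."""
    admin = f"{base}/admin/realms/{realm}"
    flow_alias = flow_alias or f"browser-{idp_alias}"  # assumed naming convention

    # 1. Copy the built-in browser flow (409 means a previous run already created it).
    status, _, _ = call("POST", f"{admin}/authentication/flows/browser/copy", token,
                        json_body={"newName": flow_alias})
    _expect(status, (201, 409), "copy browser flow")

    # 2. Locate the Identity Provider Redirector execution inside the copy.
    status, _, execs = call("GET", f"{admin}/authentication/flows/{urllib.parse.quote(flow_alias)}/executions", token)
    _expect(status, (200,), "list executions")
    redirector = next(e for e in execs if e.get("providerId") == IDP_REDIRECTOR)

    # 3. Give that execution a config whose defaultProvider is the IdP alias.
    status, _, _ = call("POST", f"{admin}/authentication/executions/{redirector['id']}/config", token,
                        json_body={"alias": f"{flow_alias}-redirector",
                                   "config": {"defaultProvider": idp_alias}})
    _expect(status, (201,), "configure redirector")

    # 4. The client override needs the flow's id, not its alias.
    status, _, flows = call("GET", f"{admin}/authentication/flows", token)
    _expect(status, (200,), "list flows")
    flow_id = next(f["id"] for f in flows if f["alias"] == flow_alias)

    # 5. Bind the flow to the client as its browser flow override.
    status, _, clients = call("GET", f"{admin}/clients?clientId={urllib.parse.quote(client_id)}", token)
    _expect(status, (200,), "lookup client")
    client = clients[0]
    overrides = dict(client.get("authenticationFlowBindingOverrides") or {})
    overrides["browser"] = flow_id
    client["authenticationFlowBindingOverrides"] = overrides
    status, _, _ = call("PUT", f"{admin}/clients/{client['id']}", token, json_body=client)
    _expect(status, (204,), "update client")

    return {"flow_alias": flow_alias, "flow_id": flow_id,
            "execution_id": redirector["id"], "client_uuid": client["id"]}


if __name__ == "__main__":
    BASE = "http://localhost:8080"
    tok = admin_token(http_call, BASE, "admin", "admin")  # assumed local admin credentials
    print(bind_client_to_idp_flow(http_call, BASE, "MyRealm", tok, "device-client", "theprivcompany"))
```

The redirector execution keeps the ALTERNATIVE requirement it inherits from the copied browser flow, which is enough for it to fire once defaultProvider is set; no other execution in the copy is touched.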

Hi,

thanks for your reply. While it could indeed be an option to have one device client per IdP, we would need to check the load on Keycloak with possibly hundreds of different clients and associated variations of browser flows.

Another option, if we need to work around the issue, would probably be to patch Keycloak to implement this. Or, as a last resort, to use the old browser flow way from the device.

I suppose you could open an improvement issue for that (something in the lines of “OAuth 2.0 Device Authorization Grant endpoint should forward query params to subsequent authentication flows”) to see if it sticks.
