Token exchange with restricted email hosted domain

Hi.
Keycloak version: 16.1.0
We are working on SSO with a social login provider (such as Google) on Keycloak. We tried using token exchange, which is basically to exchange an internal token for an external token. Suppose we have an ID provider and set up a private client; it seems that if the user has a valid Google ID token, even if it's from a public OAuth client, Keycloak (Google actually) will treat it as a valid token and continue the exchange. After the token exchange, the user will be registered in our user DB.
We would like to add some logic before the exchange happens, for example checking the user's hosted domain, so that not all Gmail users have access to our system. We didn't find a good way to intercept this process. We tried to use the authentication flow to filter the valid users, but there aren't sufficient executions to achieve this. We prefer the token exchange method to using the Keycloak default login page so that we can have better maintenance in the back end.
I noticed the token exchange is still in preview mode. I wonder whether it is possible to achieve our goal with the current Keycloak. If not, do you have any plan to add executions before / after the token exchange?
Thanks a lot.