The System consists of a Keycloak 16.0.0 instance and uses Google as an Identity Provider. I want to fail the authentication based on an attribute that is given inside of the google account information.
The JSON from the google API (GET https://admin.googleapis.com/admin/directory/v1/users/{userKey}) looks like this:
{
"kind": "admin#directory#user",
"id": "00000000",
"etag": "xxxx",
"primaryEmail": "test@test.mail.com",
"name": {
"givenName": "User",
"familyName": "Test",
"fullName": "User Test"
},
..........
..........
..........
..........
"organizations": [
{
"name": "Organization5"
}
]
}
After a user logs in through the SSO Google Login, a user in keycloak should only be created when he is in "Organization5".
I tried using a custom script in the default "First Broker Login" flow before the "Create User If Unique(create unique user config)" execution. But I cannot get the keycloak access token from the identity because the identity is not initalized yet.
Is there any easy out-of-the-box solution that I am missing?
