Dear Team,

I wonder whether it is possible, or would be possible in the future, to assign to a username both
- external and
- internal
flags (external may be broken down into more possibilities).
So the specific user could log in with the basic approach in case of a Keycloak system failure.

And would it be possible to count the user as 1 license at the same time?

Thank you.

Comments

  • We would not recommend this approach and don't have plans to support dual internal/external flags on a single user in the near future.
    The core issues are: group/role mapping breaks when falling back to local login (OIDC claims aren't available), auditing becomes unreliable, and it effectively creates a backdoor around the centralized auth policies Keycloak is meant to enforce.

    What we recommend instead:
    - Making Keycloak more resilient (HA/clustered) - this addresses the root cause.
    - Keeping a few internal admin accounts for emergency access.