feat: admins only feature flag

README.md

@@ -27,6 +27,7 @@ No Masters edition of Keycloak.
   - They are valid for 30 days by default (configurable via `INVITE_TIME_LIMIT`)
   - Anyone with an invite link can create an account on the Keycloak, so don't share publicly!
   - There is no access granularity on the account creation implemented yet, so the accounts are "global"
+    - **New**: it is possible to only allow "admins" to log in, see [feature flags](#feature-flags)
   - Once the user fills in their name, email, password they will receive an email verification mail
 
 If you want a feature implemented, please open an issue to discuss.
@@ -60,6 +61,32 @@ your technology stack.
 - Log in with your usual login details
 - Follow the instructions on the web page to perform administrative actions
 
+## Feature Flags
+
+### Only admins can log in
+
+#### Keycloak
+
+- Create a new group under `Groups` called `Administrators` (case sensistive!)
+- Create a new scope under `Client scopes`
+  - Name: `groups`
+  - Type: `Optional`
+  - Include in token scope: `yes`
+- Under the `Mappers` tab of this client scope, choose `Add mapper`
+  - Mapper type/Name: `Groups Membership`
+  - Token claim name: `groups`
+  - Add to ID token: `yes`
+  - Add to access token: `yes`
+  - Add to userinfo: `yes`
+- Add this client scope to your `admin-cli` client as `Optional`
+- Add a test user to this group under `Users`
+
+#### Keycloak Community Portal
+
+- Set `FEATURE_FLAG_ADMINS_ONLY=True` in your `.env`
+- You may want to customise `KEYCLOAK_GROUPS_KEY` / `KEYCLOAK_ADMINS_GROUP` if
+  you changed the value of `groups` / `Administrators` above
+
 ## Hacking
 
 It's a [FastAPI](https://fastapi.tiangolo.com/) application (if you know