[keycloak-dev] Optional authenticator inside an alternative subflow, how and when is it invoked?

Rashmi Singh singhrasster at gmail.com
Wed Jun 8 15:04:24 EDT 2016


OK, I am clear about this point now. It does enter the second optional
authenticator, so it is good now. Thank you

On Wed, Jun 8, 2016 at 10:43 AM, Rashmi Singh <singhrasster at gmail.com>
wrote:

> In general, if we have any two authenticators under ALTERNATIVE flow, the
> second being OPTIONAL, is the optional one invoked only when
> context.setUser(user) is set in the first authenticator? Otherwise, the
> second OPTIONAL authenticator is never invoked (irrespective of whether
> Authenticator.configuredFor returns true or false) at all? Is there a way
> to invoke the optional
> authenticator even when context.setUser(user) was never done in the first
> authenticator?
>
> On Wed, Jun 8, 2016 at 5:21 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
>> Currently, OPTIONAL means that the authenticator is used only if it's
>> configured for the particular user (Authenticator.configuredFor returns true
>> for that user). In the case of OTP, it means that the OTP form is shown only
>> if OTP is configured for the particular user.
>>
>> It looks like an OPTIONAL authenticator needs to return "requiresUser" with
>> true; otherwise, if it doesn't require a user, an error will be returned (even
>> if the authenticator is OPTIONAL).
>>
>> Marek
>>
>>
>> On 07/06/16 17:29, Rashmi Singh wrote:
>>
>> From the Keycloak documentation and
>> https://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>
>> it is not very clear to me what the OPTIONAL setting for an execution
>> means.
>>
>> For example, when we have the following:
>>
>> Forms Subflow - ALTERNATIVE
>>            Username/Password Form - REQUIRED
>>            OTP Password Form - OPTIONAL
>>
>>
>>
>> When can it enter the Optional OTP form? Do we need to add some code
>> (some condition ?) in the UsernamePasswordAuthentication Code, so it enters
>> the optional OTP form authenticator? Or something else? I am not so clear
>> about the concept of this optional field and how to enter it. Can someone
>> please explain this in detail?
>>
>>
>
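
As an added illustration (not part of the original thread and not Keycloak's own code), here is a minimal authenticator written to be registered as OPTIONAL, following the two rules Marek describes: requiresUser() returns true, and configuredFor() decides per user whether the step runs. The class name, user attribute, form field and template name are hypothetical; a matching AuthenticatorFactory and the Keycloak server SPI on the classpath are assumed.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Added example: a step intended to be placed in a flow with requirement OPTIONAL.
public class PolicyAckAuthenticator implements Authenticator {

    // Hypothetical user attribute marking a user as enrolled for this step.
    static final String ENROLLED_ATTR = "policy_ack_required";
    // Hypothetical FreeMarker template shipped with the provider.
    static final String FORM = "policy-ack.ftl";

    @Override
    public boolean requiresUser() {
        // Per the thread: an OPTIONAL authenticator has to require a user,
        // which means an earlier execution must already have identified one.
        return true;
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        // Per the thread: an OPTIONAL execution is used only when this returns true.
        return "true".equals(user.getFirstAttribute(ENROLLED_ATTR));
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // First visit: show the form and wait for the user's submission.
        context.challenge(context.form().createForm(FORM));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        // "ack" is a hypothetical checkbox field in the template above.
        String ack = context.getHttpRequest().getDecodedFormParameters().getFirst("ack");
        if ("on".equals(ack)) {
            context.success();
        } else {
            context.challenge(context.form().createForm(FORM)); // ask again
        }
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // Nothing to enroll for this step.
    }

    @Override
    public void close() {
    }
}
```
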