[keycloak-dev] Optional authenticator inside an alternative subflow, how and when is it invoked?
Marek Posolda
mposolda at redhat.com
Thu Jun 9 02:54:29 EDT 2016
For more complicated conditional workflows like this, you can always use
clientSession notes and save/read the state from here. For example
authenticator1 will call something like this if "particular case" happened:
clientSession.setNote("someNote", "particularCaseHappened");
And authenticator2 can then use something like this in the beginning of
method "authenticate" :
if ("particularCaseHappened".equals(clientSession.getNote("someNote"))) {
    // authenticator1 recorded the particular case, so skip this authenticator
    log.info("Ignoring this authenticator based on fact that "
            + "'particular case' from authenticator1 happened");
    context.attempted();
    return;
}
Marek
On 09/06/16 03:48, Rashmi Singh wrote:
> I have one more question on this. I have my own implementation of two
> authenticators now: Username Authenticator (REQUIRED) and OTP
> authenticator (OPTIONAL) under an ALTERNATIVE subflow. The second
> optional authenticator has Authenticator.configuredFor return false
> (I have this because I do not want this to be invoked only when the
> user is set in the context already). Now, the second authenticator is
> invoked which is good. But, there is one case in my usernamePassword
> Authenticator for which the optional OTPAuthenticator should not be
> invoked. Can this be achieved? Other than that case, OTP authenticator
> should be invoked as now. Can I stop this second optional
> OTPAuthenticator from being invoked for a particular case in my
> UsernamePassword authenticator?
>
> On Wed, Jun 8, 2016 at 2:04 PM, Rashmi Singh <singhrasster at gmail.com> wrote:
>
> OK, I am clear about this point now. It does enter the second
> optional authenticator, so it is good now. Thank you
>
> On Wed, Jun 8, 2016 at 10:43 AM, Rashmi Singh <singhrasster at gmail.com> wrote:
>
> In general, if we have any two authenticators under
> ALTERNATIVE flow, the second being OPTIONAL, is the optional
> one invoked only when context.setUser(user) is set in the
> first authenticator? Otherwise, the second OPTIONAL
> authenticator is never invoked (irrespective of whether
> Authenticator.configuredFor returns true or false) at all? Is
> there a way to invoke the optional authenticator even when
> context.setUser(user) was never done in the first authenticator?
>
> On Wed, Jun 8, 2016 at 5:21 AM, Marek Posolda <mposolda at redhat.com> wrote:
>
> Currently the OPTIONAL means that authenticator is used
> just if it's configured for particular user (
> Authenticator.configuredFor returns true for that user).
> In case of OTP, it means that OTP form is shown just if
> OTP is configured for particular user.
>
> It looks that OPTIONAL authenticator needs to return
> "requiresUser" with true, otherwise if it doesn't require
> user the error will be returned (even if authenticator is
> OPTIONAL).
>
> Marek
>
>
> On 07/06/16 17:29, Rashmi Singh wrote:
>> From the keycloak documentation and
>> https://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>
>>
>> it is not very clear to me what the OPTIONAL setting for
>> an execution means.
>>
>> For example, when we have the following:
>>
>> Forms Subflow - ALTERNATIVE
>> Username/Password Form - REQUIRED
>> OTP Password Form - OPTIONAL
>>
>>
>> When can it enter the Optional OTP form? Do we need to
>> add some code (some condition ?) in the
>> UsernamePasswordAuthentication Code, so it enters the
>> optional OTP form authenticator? Or something else? I am
>> not so clear about the concept of this optional field and
>> how to enter it. Can someone please explain this in detail?
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
>