[keycloak-dev] Authentication Provider chaining

Rashmi Singh singhrasster at gmail.com
Sat May 21 13:14:56 EDT 2016


I created two subflows under a flow "test", and added an execution for the
authenticator under each subflow:

Subflow1             (ALTERNATIVE)
    Authenticator1   (REQUIRED)
Subflow2             (ALTERNATIVE)
    Authenticator2   (REQUIRED)

In Authenticator1, I set

context.attempted();
return;

in the authenticate() method.

Login seems to be cancelled/failed in authenticator1. However, it does not
seem to enter authenticator2.

The logs I see on the console look like:

11:56:33,261 INFO  [org.keycloak.services] (default task-28) Authenticator - authenticator1
11:56:33,263 WARN  [org.keycloak.events] (default task-28) type=LOGIN_ERROR, realmId=testrealm, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=http://localhost:8080/auth/realms/testrealm/account/login-redirect, code_id=bdbd40d3-33b0-42e7-a46b-f61e5fd7e303, response_mode=query

Could you please point out what I am doing wrong here, so that it does not enter
authenticator2 under subflow2?



On Thu, May 19, 2016 at 4:12 PM, Rashmi Singh <singhrasster at gmail.com>
wrote:

> I will try this out. Thanks for this. I have another question on this. To
> me, it looks like it will work in switching to authentication providers
> down in the chain (by letting us skip the ones in between), but what if we
> want to switch to an authentication provider up? For example, from
> authenticator1, we switch to authenticator4, and then we want to switch to
> authenticator2 (back up in the chain), can this be achieved?
>
> On Thu, May 19, 2016 at 3:06 PM, Marek Posolda <mposolda at redhat.com>
> wrote:
>
>> For example you can create 2 subflows of the top flow and mark them as
>> ALTERNATIVE. Then if you create a "child" execution of subflow1 pointing
>> to your authenticator inside it, then in the code of your authenticator you
>> can switch the state to ATTEMPTED and if the authenticator execution is
>> required, it will cancel subflow1 and go to subflow2. At least I hope it
>> will work like this :-)
>>
>> If you want some more complex logic and a dependency of an authenticator on
>> the state of another authenticator etc., you can maintain the state inside
>> clientSession notes. Then authenticators will be executed in the fixed
>> order, but for example in the code of authenticator2 you can do something
>> like:
>>
>> if ("true".equals(clientSession.getNote("wasAuthenticator1FinishedSuccessfully"))) {
>>     // skip this authenticator2 as authenticator1 already authenticated the
>>     // user or did something which allows you to skip authenticator2 and move
>>     // directly to authenticator3 etc.
>>     context.attempted();
>>     return;
>> }
>>
>> etc.
>> Marek
>>
>>
>> On 19/05/16 16:31, Rashmi Singh wrote:
>>
>> Could someone please tell me if this is even possible? I do not want the
>> execution engines/authentication providers to be executed in a fixed order
>> defined in the admin console. But I need to be able to switch to any in the
>> chain depending on some response I get upon invoking an external service. I
>> needed to know if this is possible and if yes, then how? Any help would be
>> appreciated.
>>
>> On Wed, May 18, 2016 at 4:21 PM, Rashmi Singh <singhrasster at gmail.com>
>> wrote:
>>
>>> Thanks a lot for your response. I went through the chapter. What I
>>> understand is we can create multiple executions (authentication providers)
>>> but they are executed in a serial fashion in a fixed order defined. Is
>>> there a way to be able to switch between them (so, not have them executed in
>>> the default serial way but, depending on the response we get from an
>>> external service we called, switch to the corresponding one)? Any
>>> ideas?
>>>
>>> On Tue, May 17, 2016 at 3:49 AM, Marek Posolda <mposolda at redhat.com>
>>> wrote:
>>>
>>>> The docs are here:
>>>> http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>>>
>>>> We also have an example for the authentication SPI. Note that you can create
>>>> sub-flows in the "top" flow, which might be a way to split the
>>>> authenticator into multiple ones. For example see the "Forms" flow in the default
>>>> "Browser" flow. Also maybe you will need to implement some logic
>>>> programmatically in your authenticators based on various conditions etc.
>>>> Depends on the use case though...
>>>>
>>>> Marek
>>>>
>>>>
>>>> On 16/05/16 23:52, Rashmi Singh wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am looking for a way to do authentication provider chaining with
>>>> keycloak. Basically, I want to have multiple authentication providers,
>>>> for example username, SureGrid etc. On submitting the username, we call a service
>>>> and if that service tells us to use SureGrid, then we should be able to
>>>> pass control to the corresponding authentication provider. So basically, I
>>>> want to split one authentication provider into multiple and be able to
>>>> chain them based on the response from the service called. I have not found
>>>> any documentation that explains this. Could you suggest how to achieve this?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
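Below is an added illustration of the clientSession-note approach Marek describes in the thread (a first authenticator decides, later authenticators skip themselves with context.attempted() unless chosen). It is example code written for this page, not code from the thread, from Rashmi or Marek, or from Keycloak itself. It assumes the SPI generation Marek's snippet uses (AuthenticationFlowContext.getClientSession() returning a ClientSessionModel with getNote/setNote); DecisionService, the note key, the form template names and the provider name "suregrid" are hypothetical. Because the execution order stays fixed, this variant does not depend on how the engine treats ATTEMPTED inside a REQUIRED execution of an ALTERNATIVE subflow, which is what the top post is trying to debug.

```java
// Added example, not from the thread or from Keycloak. Assumed SPI: the
// clientSession-note API Marek's snippet uses. DecisionService, note key,
// template names and the "suregrid" provider name are hypothetical.
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/** Hypothetical client for the external service that picks the provider. */
interface DecisionService {
    /** Returns the name of the authenticator that should handle this user. */
    String selectAuthenticatorFor(String username);
}

/**
 * Base for every authenticator after the first one. Executions still run in
 * the fixed order from the admin console; a gated authenticator marks itself
 * ATTEMPTED (skipped, not failed) unless the client-session note names it.
 */
abstract class NoteGatedAuthenticator implements Authenticator {

    /** Client-session note written by DecisionAuthenticator (assumed key). */
    static final String SELECTED_NOTE = "chain.selectedAuthenticator";

    /** Name under which the decision service can select this authenticator. */
    abstract String name();

    /** Runs only when this authenticator is the selected one. */
    abstract void authenticateSelected(AuthenticationFlowContext context);

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        ClientSessionModel clientSession = context.getClientSession();
        String selected = clientSession.getNote(SELECTED_NOTE);
        if (!name().equals(selected)) {
            context.attempted();   // not our turn: let the flow move on
            return;
        }
        authenticateSelected(context);
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}

/**
 * First execution in the flow: shows a username form, asks the decision
 * service which provider should continue, and records the answer as a note.
 */
class DecisionAuthenticator implements Authenticator {

    private static final String FORM = "username-only.ftl"; // assumed template
    private final DecisionService decisionService;

    DecisionAuthenticator(DecisionService decisionService) {
        this.decisionService = decisionService;
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        context.challenge(context.form().createForm(FORM));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        String username = context.getHttpRequest().getDecodedFormParameters().getFirst("username");
        if (username == null || username.trim().isEmpty()) {
            context.challenge(context.form().createForm(FORM)); // re-show, do not fail the flow
            return;
        }
        ClientSessionModel clientSession = context.getClientSession();
        clientSession.setNote(NoteGatedAuthenticator.SELECTED_NOTE,
                decisionService.selectAuthenticatorFor(username.trim()));
        context.success(); // this step only decides; the selected authenticator authenticates
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}

/** Gated provider: challenges the user only when the service chose "suregrid". */
class SureGridAuthenticator extends NoteGatedAuthenticator {

    @Override String name() { return "suregrid"; }

    @Override
    void authenticateSelected(AuthenticationFlowContext context) {
        // "suregrid.ftl" is an assumed template; an overriding action() would
        // verify the submitted value with SureGrid, then context.setUser(...)
        // and context.success().
        context.challenge(context.form().createForm("suregrid.ftl"));
    }
}
```

Each class still needs its own AuthenticatorFactory registered through META-INF/services, as the auth_spi docs linked earlier in the thread describe; the decision execution goes first in the flow and every gated execution after it, all in the same top-level flow, with no subflows required. An authenticator that is not selected never sees credentials, and the decision step records nothing but a provider name, so the note carries no secret.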