<div dir="ltr">I created two subflows under a flow &quot;test&quot;, and added an execution for the authenticator under each subflow:<div><br></div><div>Subflow1                (ALTERNATIVE)</div><div>    Authenticator1   (REQUIRED)</div><div>Subflow2               (ALTERNATIVE)</div><div>   Authenticator2    (REQUIRED)</div><div><br></div><div>In Authenticator1, I set </div><div><br></div><div>context.attempted();</div><div>return;</div><div><br></div><div>in the authenticate() method</div><div><br></div><div>Login seems to be cancelled/failed in authenticator1. However, it does not seem to enter the authenticator2:</div><div><br></div><div>The logs I see on the console look like:</div><div><br></div><div><div>11:56:33,261 INFO  [org.keycloak.services] (default task-28) Authenticator - authenticator1</div><div>11:56:33,263 WARN  [org.keycloak.events] (default task-28) type=LOGIN_ERROR, realmId=testrealm, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=<a href="http://localhost:8080/auth/realms/testrealm/account/login-redirect">http://localhost:8080/auth/realms/testrealm/account/login-redirect</a>, code_id=bdbd40d3-33b0-42e7-a46b-f61e5fd7e303, response_mode=query</div></div><div><br></div><div>Could you please point out what I am doing wrong here that it does not enter the authenticator2 under subflow2?</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 19, 2016 at 4:12 PM, Rashmi Singh <span dir="ltr">&lt;<a href="mailto:singhrasster@gmail.com" target="_blank">singhrasster@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I will try this out. Thanks for this. I have another question on this. 
To me, it looks like it will work in switching to authentication providers down in the chain (by letting us skip the ones in between), but what if we want to switch to an authentication provider up? For example, from authenticator1, we switch to authenticator4, and then we want to switch to authenticator2 (back up in the chain), can this be achieved? <br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 19, 2016 at 3:06 PM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <div>For example you can create 2 subflows
      of the top flow and mark them as ALTERNATIVE. Then if you create
      &quot;children&quot; execution of subflow1 pointing to your authenticator
      inside it, then in the code of your authenticator you can switch
      the state to ATTEMPTED and if the authenticator execution is
      required, it will cancel subflow1 and go to subflow2. At least I
      hope it will work like this <span><span>
          :-) </span></span><br>
      <br>
      If you want some more complex logic and dependency of an
      authenticator on the state of another authenticator etc., you can
      maintain the state inside clientSession notes. Then authenticators
      will be executed in the fixed order, but for example in the code
      of authenticator2 you can do something like:<br>
      <br>
      if (&quot;true&quot;.equals(clientSession.getNote(&quot;wasAuthenticator1FinishedSuccessfully&quot;))) {<br>
         // skip this authenticator2 as authenticator1 already
      authenticated user or did something, which allows you to skip
      authenticator2 and move directly to authenticator3 etc.<br>
        context.attempted();<span style="color:#000080;font-weight:bold"><br>
          return</span>;
      
      <br>
      }<br>
      <br>
      etc.<span><font color="#888888"><br>
      Marek</font></span><div><div><br>
      <br>
      On 19/05/16 16:31, Rashmi Singh wrote:<br>
    </div></div></div><div><div>
    <blockquote type="cite">
      <div dir="ltr">Could someone please tell me if this is even
        possible? I do not want the execution engines/authentication
        providers to be executed in a fixed order defined in the admin
        console. But, need to be able to switch to any in the chain
        depending on some response I get upon invoking an external
        service. I needed to know if this is possible and if yes, then
        how? Any help would be appreciated.</div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, May 18, 2016 at 4:21 PM, Rashmi
          Singh <span dir="ltr">&lt;<a href="mailto:singhrasster@gmail.com" target="_blank">singhrasster@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">Thanks a lot for your response. I went
              through the chapter. What I understand is we can create
              multiple executions (authentication providers) but they
              are executed in a serial fashion in a fixed order defined.
              Is there a way to be able to switch between them (so, not
              have it executed in the default serial way but depending
              on the response we get from an external service we called,
              we can switch to the corresponding one). Any ideas?</div>
            <div>
              <div>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Tue, May 17, 2016 at 3:49
                    AM, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank"></a><a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000">
                        <div>The docs are here:
                          <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html</a><br>
                          <br>
                          We also have an example for the authentication SPI.
                          Note that you can create sub-flows in the
                          &quot;top&quot; flow, which might be a way to split the
                          authenticator into multiple ones. For example
                          see &quot;Forms&quot; flow in default &quot;Browser&quot; flow.
                          Also maybe you will need to implement some
                          logic programmatically in your authenticators
                          based on various conditions etc. Depends on
                          the use case though...<br>
                          <br>
                          Marek<span><br>
                            <br>
                            <br>
                            On 16/05/16 23:52, Rashmi Singh wrote:<br>
                          </span></div>
                        <blockquote type="cite"><span>
                            <div dir="ltr">Hi,
                              <div><br>
                              </div>
                              <div>I am looking for a way to do
                                authentication provider chaining with
                                Keycloak. Basically, I want to have
                                multiple authentication providers,
                                for example username, SureGrid etc. On
                                submitting username, we call a service
                                and if that service tells us to use
                                SureGrid, then we should be able to pass
                                control to the corresponding
                                authentication provider. So basically, I
                                want to split one authentication
                                provider into multiple and be able to
                                chain them based on the response from
                                the service called. I have not found any
                                documentation that explains this. Could
                                you suggest how to achieve this?</div>
                              <div><br>
                              </div>
                              <div><br>
                              </div>
                              <div><br>
                              </div>
                            </div>
                            <br>
                            <fieldset></fieldset>
                            <br>
                          </span>
                          <pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
                        </blockquote>
                        <br>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
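<div>The note-based skipping described in the thread, generalized into a base class whose subclasses step aside unless an earlier authenticator selected them (an added example, not part of the original thread and not Keycloak's own code). It assumes the Keycloak 1.9-era SPI in which getClientSession() is available on the flow context; RoutedAuthenticator, ROUTE_NOTE, routeId(), authenticateSelected() and select() are hypothetical names.</div>

```java
// Added example, not from the thread. Assumes the Keycloak 1.9-era SPI, where
// AuthenticationFlowContext.getClientSession() returns a ClientSessionModel.
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public abstract class RoutedAuthenticator implements Authenticator {
    // Hypothetical note key; the thread's snippet uses a per-authenticator flag instead.
    static final String ROUTE_NOTE = "selectedAuthenticator";

    /** Hypothetical routing id of this authenticator, e.g. "suregrid". */
    protected abstract String routeId();

    /** The real challenge/verification; runs only when this authenticator was selected. */
    protected abstract void authenticateSelected(AuthenticationFlowContext context);

    /** Called by the earlier authenticator that queried the external service. */
    public static void select(AuthenticationFlowContext context, String routeId) {
        // Client-session notes are kept on the server, so the browser cannot set the route.
        context.getClientSession().setNote(ROUTE_NOTE, routeId);
    }

    @Override
    public final void authenticate(AuthenticationFlowContext context) {
        String selected = context.getClientSession().getNote(ROUTE_NOTE);
        if (!routeId().equals(selected)) {
            // Not selected, or nothing selected yet: step aside as in the thread's snippet.
            // The thread leaves open which requirement setting makes attempted() a skip
            // rather than a login failure, so test the flow configuration before relying on it.
            context.attempted();
            return;
        }
        authenticateSelected(context);
    }

    // action() stays abstract: each subclass handles its own form submission.
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```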