[keycloak-user] Alternative sub flow

Matt Evans mevans at aconex.com
Tue Mar 21 18:12:00 EDT 2017


Our setup is that SMS is a backup for OTP, so to enable OTP the user also has to provide a mobile phone for SMS. I was trying to configure it to show OTP first and only move to SMS if OTP returns 'attempted'. I was going for something similar to how the cookie authenticator works.

I hadn't got to looking at how to make the whole sub-flow optional, based on whether the user is configured for OTP or not.

From your comment that it should show the last alternative, I am wondering if what I want to do is possible with the alternative requirement?

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Bill Burke
Sent: Wednesday, 22 March 2017 12:53 AM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Alternative sub flow

I'll need to review our tests, but I think you found a bug. What should happen is that the SMS's challenge should be rendered as it's the last alternative. I'll have this fixed in the next release.

One question though, how is the choice between OTP and SMS decided on? If OTP isn't configured, then they have to do SMS? What if both aren't configured? This is probably another limitation of the auth flow.


On 3/21/17 1:23 AM, Matt Evans wrote:
> Hi
>
> I have been trying to configure a keycloak flow but have not been successful, and I am wondering if what I am trying to do is possible.
>
> We have the standard flows
>
> Cookie
> Kerberos
> Identity Provider Redirector
> Browser
>
> Inside the Browser flow we have
> Username Password Form
> 2SV - sub flow required
>                  OTP execution - alternative
>                  SMS execution - alternative
>
> The OTP and SMS executions are custom authenticators, of which I'd like to have at least one.
>
> With this configuration I can see the OTP authenticator returns a form from the challenge method, but it doesn't show the form. The authentication just passes and I am logged in without asking for either the otp or the sms code.
>
> Can I use the alternative requirements in this way?
>
> Matt
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

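As an added illustration, not code from Matt, Bill or the Keycloak project, here is what an OTP authenticator that "returns attempted" in the way Matt describes looks like against the Keycloak 3.x Authenticator SPI that this thread dates from. Like the built-in cookie authenticator, it calls context.attempted() when it does not apply (no OTP credential for the user) so the flow engine can move to the next alternative in the sub flow, and it only challenges when OTP is actually configured. The package name, the Freemarker template name and the form field name are assumptions; the credential-manager calls are the 3.x API and changed in later releases. Whether the SMS challenge is then rendered as the last alternative is the behaviour Bill says should happen once the reported bug is fixed.

```java
// Added example (not from the thread or from Keycloak itself): a custom OTP
// authenticator for the Keycloak 3.x Authenticator SPI that behaves like the
// cookie authenticator when used as an "alternative" execution inside a
// sub flow: attempted() when it does not apply, challenge() otherwise.
// Assumptions: template "login-otp-fallback.ftl" exists in the theme and the
// form field is named "otp". Credential-manager calls are Keycloak 3.x API.
package com.example.keycloak;   // hypothetical package

import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;

public class OtpWithFallbackAuthenticator implements Authenticator {

    static final String TEMPLATE = "login-otp-fallback.ftl"; // assumed theme template
    static final String FIELD = "otp";                       // assumed form field name

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        RealmModel realm = context.getRealm();
        KeycloakSession session = context.getSession();

        // No OTP credential: neither challenge nor fail. attempted() tells the
        // flow engine this alternative did not apply, so the next alternative
        // in the sub flow (SMS) gets to run. The cookie authenticator does the
        // same when there is no SSO cookie.
        if (user == null || !configuredFor(session, realm, user)) {
            context.attempted();
            return;
        }

        // OTP is configured: render the form. The flow pauses until action() runs.
        Response challenge = context.form().createForm(TEMPLATE);
        context.challenge(challenge);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String code = form.getFirst(FIELD);

        if (code == null || code.trim().isEmpty()) {
            // "missingTotpMessage" is a message key in Keycloak's default theme bundle
            Response challenge = context.form().setError("missingTotpMessage").createForm(TEMPLATE);
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
            return;
        }

        RealmModel realm = context.getRealm();
        UserModel user = context.getUser();
        // Validate against the stored OTP credential using the realm's OTP type (totp/hotp).
        UserCredentialModel input = UserCredentialModel.otp(realm.getOTPPolicy().getType(), code.trim());
        boolean valid = context.getSession().userCredentialManager().isValid(realm, user, input);

        if (!valid) {
            // A wrong code stays on this alternative with an error; it must not
            // fall through to SMS, otherwise OTP could be bypassed by guessing.
            Response challenge = context.form().setError("invalidTotpMessage").createForm(TEMPLATE);
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
            return;
        }
        context.success();
    }

    @Override
    public boolean requiresUser() {
        return true; // runs after the Username Password Form, so context.getUser() is set
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        // Keycloak 3.x API; later releases use user.credentialManager() and OTPCredentialModel
        return session.userCredentialManager().isConfiguredFor(realm, user, CredentialModel.OTP);
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // Intentionally empty: do not force OTP setup, SMS is the backup in this design.
    }

    @Override
    public void close() { }
}
```

The SMS execution would be written the same way but, being the last alternative, it should never return attempted(): if the user has no phone number either, it should fail with a visible error rather than let the sub flow pass with no second factor at all, which is the "what if both aren't configured?" case Bill raises.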