[keycloak-user] prompt=login does not override Kerberos

Ryan Slominski ryans at jlab.org
Tue Aug 21 14:43:49 EDT 2018


My understanding is sending the parameter prompt=login to the Keycloak authentication URL should force the login form and re-authentication.  However, if Kerberos SPNEGO is available it ignores this parameter and logs the user in without showing a login form.  Is this a bug?  I guess currently the prompt=login is only honored by the cookie execution in the browser flow?

Another possible bug: if you create a copy of the browser flow and swap the order of the Kerberos execution with the Identity Provider Redirector execution, then Kerberos SPNEGO authentication won't work (fails with a checksum error).

Combine both issues and it means you cannot selectively force some users to use a particular identity broker while sending others to another.  With the normal browser flow, if a user has Kerberos SPNEGO credentials then they will ignore the kc_idp_hint parameter, as the Kerberos execution comes before the IDP redirect.  If you configure an alternative browser flow where the IDP redirect execution comes before the Kerberos execution, then users without the kc_idp_hint who legitimately should log in automatically via Kerberos SPNEGO will fail to do so, because it appears having the IDP redirect execution first breaks the SPNEGO process.  Anyone else run into this?
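As an added example (not from the poster or the Keycloak project), the following Python builds the Keycloak authorization URL with the two parameters discussed above, prompt=login and kc_idp_hint, and then shows the check a relying party can run to detect the situation described in the post: when prompt=login was sent but the user was signed in silently (for instance via SPNEGO), the ID token's auth_time claim predates the request. The base URL, realm, client id and the "example-idp" broker alias are placeholders, and the ID token is a constructed, unsigned sample for offline use; signature verification is assumed to happen elsewhere.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholder deployment values (assumptions, not taken from the post).
KEYCLOAK_BASE = "https://keycloak.example.org"
REALM = "demo"
AUTH_ENDPOINT = f"{KEYCLOAK_BASE}/auth/realms/{REALM}/protocol/openid-connect/auth"


def build_auth_url(client_id, redirect_uri, state, force_login=False, idp_hint=None):
    """Build the OIDC authorization-code request that starts Keycloak's browser flow.

    prompt=login is the standard OIDC way to request re-authentication;
    kc_idp_hint is Keycloak-specific and asks the Identity Provider Redirector
    execution to send the user straight to the named broker.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
    }
    if force_login:
        params["prompt"] = "login"
    if idp_hint:
        params["kc_idp_hint"] = idp_hint
    return AUTH_ENDPOINT + "?" + urlencode(params)


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Return the payload claims of a JWT (signature check assumed done elsewhere)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def reauth_happened(claims, request_time, skew_seconds=5):
    """True only if auth_time shows an authentication at or after the request.

    If prompt=login was sent and this returns False, the IdP reused an
    existing authentication (e.g. a silent SPNEGO login) instead of
    re-authenticating the user, so the client should not treat the session
    as freshly authenticated.
    """
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return False  # OIDC requires auth_time when prompt=login/max_age is used
    return int(auth_time) >= request_time - skew_seconds


def make_sample_token(claims):
    """Constructed, unsigned (alg none) token for offline demonstration only."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    request_time = 1534876800  # constructed timestamp for the demo
    url = build_auth_url("demo-client", "https://app.example.org/cb", "xyz",
                         force_login=True, idp_hint="example-idp")
    print(url)

    # Silent SPNEGO login: auth_time is hours before the prompt=login request.
    stale = make_sample_token({"sub": "alice", "auth_time": request_time - 7200})
    print("stale token re-authenticated:", reauth_happened(decode_jwt_claims(stale), request_time))

    # Login form actually shown: auth_time is a few seconds after the request.
    fresh = make_sample_token({"sub": "alice", "auth_time": request_time + 3})
    print("fresh token re-authenticated:", reauth_happened(decode_jwt_claims(fresh), request_time))
```

The client records the time it issued the prompt=login request and compares it with auth_time on the token it gets back; a token that fails the check is the symptom the post describes, and the application can then refuse the step-up action rather than assume the user was re-prompted.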

