[keycloak-user] Alternative client-cert authentication
Nalyvayko, Peter
pnalyvayko at agi.com
Tue Jul 24 13:03:12 EDT 2018
Hi Nikola,
Try this:
Auth type Requirement Type
X509 ALTERNATIVE Flow
==> X509/Validate Username Form ALTERNATIVE (execution step, X509 flow)
==> Browser Forms ALTERNATIVE (sub-flow, X509 flow)
====> Username Password Form REQUIRED (execution step, Browser Forms flow)
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Nikola Malenic
Sent: Tuesday, July 24, 2018 9:22 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Alternative client-cert authentication
I am configuring browser flow and would like to provide users with certificates with capability to login immediately.
Users which don't have (send) certificate should be able to login with
username+password (form would be presented to them).
I configured two ALTERNATIVE subflows inside browser flow. First subflow has X509/Validate Username Form execution as ALTERNATIVE and second flow has Username Password Form as REQUIRED.
The problem is that when I access admin console I am not shown form to enter username and password since I didn't send certificate. I get this error:
"Invalid username or password.".
It seems that the second flow is automatically executed, but since I didn't send username and password it finishes unsuccessfully.
Do you have any idea how to configure this.
Many thanks,
Nikola
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list