<div dir="ltr">Hello Bill<div><br></div><div>it worked, but slightly different from you suggestion - thanks for the help! For some reason when I put my authenticator inside a flow it was not working as alternative, but outside of it worked. So my flow had to be changed as below:</div><div dir="ltr"><p style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif">* Cookie Authenticator<br></p><p><s><span style="font-size:10pt;line-height:115%;font-family:helvetica,sans-serif;color:rgb(33,33,33);background-image:initial;background-position:initial;background-repeat:initial">* create
an ALTERNATIVE sub flow</span></s></p></div><div dir="ltr"><div><p style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif"> * <s><span style="font-size:10pt;line-height:115%;font-family:helvetica,sans-serif;background-image:initial;background-position:initial;background-repeat:initial">REQUIRED</span></s> Add Execution (outisde of flow) as ALTERNATIVE Account Chooser Custom authenticator page - success call AuthFlowContext.success() otherwise AuthFLowContext.attempted(). </p></div></div><div dir="ltr"><div><p style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif">* create ALTERNATIVE sub flow (Forms)</p><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif"> * REQUIRED built in username/password authenticator</span> <br></div><div><br></div><div>Cheers</div><div><br></div><div>filipe</div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Aug 18, 2016 at 4:10 PM Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Filipe, wouldn't you just have your Client Cert Authenticator be
alternative and just use the "Forms" sub-flow structure that
exists in the built in "Browser" flow?<br>
</p></div><div bgcolor="#FFFFFF" text="#000000">
<br>
<div>On 8/18/16 2:33 PM, Filipe Lautert
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello
<div><br>
</div>
<div>I've a similar case to this one, but instead of using an
account page I use the ssl client certificate passed by
Apache. I set up everything as the example you provided, but
even if in my "<span>Account
Chooser Custom authenticator" I call </span><span>AuthFlowContext.success()
it is still showing me the username/password form from the
next alternative flow.</span></div>
<div><span><br>
</span></div>
<div><span>I worked around it
creating a class called </span><font style="font-size:13px;line-height:1.5" face="open sans,
helvetica, arial, sans-serif" color="#333333"><span style="line-height:20px">AlternativeUsernamePasswordFormFactory
that extends UsernamePasswordFormFactory, and the only
change that I did to it was to add
the AuthenticationExecutionModel.Requirement.ALTERNATIVE
to the REQUIREMENT_CHOICES . Now, if I set this new auth
type as alternative in Keycloak, it does what I want.</span></font><br>
</div>
<div>
<div><font face="open sans, helvetica, arial, sans-serif" color="#333333"><span style="line-height:20px"><br>
</span></font></div>
<div><font face="open sans, helvetica, arial, sans-serif" color="#333333"><span style="line-height:20px">So my
questions are: am I missing something to mark my
Authenticator as sufficient to end the flow and return
to the client? if not, is there a reason why </span></font><span>UsernamePasswordFormFactory
doesn't provide the ALTERNATIVE option, and can it be
added to this class?</span></div>
</div>
<div><span><br>
</span></div>
<div><span>I'm
posting this again os this thread as Ray may face the same
issue soon...</span></div>
<div><span><br>
</span></div>
<div><span>Cheers</span></div>
<div><span><br>
</span></div>
<div><span>filipe</span></div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Aug 17, 2016 at 6:38 PM Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>You would need to create a custom authenticator that is
like an account chooser page, i.e. two buttons one says
"login to kerberos" the other says "login to ldap".</p>
<p>A custom flow would look like this:</p>
<p>* Cookie Authenticator<br>
</p>
* create an ALTERNATIVE sub flow
<p> * REQUIRED Account Chooser Custom authenticator page
- if the kerberos button is clicked, call
AuthFlowContext.success() otherwise
AuthFLowContext.attempted(). Attempted will abort this
alternative flow<br>
</p>
* REQUIRED Built in Kerberos Authenticator
<p>* create another ALTERNATIVE sub flow</p>
* REQUIRED built in username/password authenticator</div>
<div bgcolor="#FFFFFF" text="#000000"><br>
<br>
<div>On 8/17/16 4:05 PM, Zhou, Limin (Ray) wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal">Hello</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Right now our keycloak server was
setup to do kerberos authentication with ldap as
backup, so in this case, the user will get them in
automatically </p>
<p class="MsoNormal">from the company domain when they
hitting the URL, we have application role
definitions in the keycloak, if the user does not
have the role configured </p>
<p class="MsoNormal">then we want to logout them back
to the default key cloack login page and let them
try their LDAP user account.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">But because kerberos
authentication is always on the top, so right after
we logout the user, the kerberos will let them in
automatically</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">right now we are using
keycloak.logout from keycloak.js to logout user</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I am wondering what is the good
practice to achieve this?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Any suggestions are welcome</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">thanks</p>
<p class="MsoNormal">raymond</p>
</div>
<hr> <font face="Arial" color="Black">Moneris Solutions
Corporation | 3300 Bloor Street West | Toronto |
Ontario | M8X 2X2 | Canada <a href="http://www.moneris.com" target="_blank">www.moneris.com</a>
1-866-319-7450 <br>
If you wish to unsubscribe from future updates from
Moneris, please click <a href="https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx" target="_blank">here</a>. Please see the Moneris
Privacy Policy <a href="http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx" target="_blank"> here</a>. <br>
<br>
This e-mail may be privileged and/or confidential, and
the sender does not waive any related rights and
obligations. Any distribution, use or copying of this
e-mail or the information it contains by other than an
intended recipient is unauthorized. If you received
this e-mail in error, please advise me (by return
e-mail or otherwise) immediately.
<hr> Corporation Solutions Moneris | 3300, rue Bloor
Ouest | Toronto | Ontario | M8X 2X2 | Canada <a href="http://www.moneris.com" target="_blank">www.moneris.com</a> 1-866-319-7450 <br>
Si vous désirez enlever votre nom de la liste d’envoi
de Moneris, veuillez cliquer <a href="https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang=fr-CA" target="_blank">ici</a>. Veuillez consulter la
Politique de confidentialité de Moneris <a href="http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc_lang=fr-CA%20" target="_blank">ici</a>. <br>
<br>
Ce courriel peut contenir des renseignements
confidentiels ou privilégiés, et son expéditeur ne
renonce à aucun droit ni à aucune obligation connexe.
La distribution, l’utilisation ou la reproduction du
présent courriel ou des renseignements qu’il contient
par une personne autre que son destinataire prévu sont
interdites. Si vous avez reçu ce courriel par erreur,
veuillez m’en aviser immédiatement (par retour de
courriel ou autrement). </font> <br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></blockquote>
</div>
</div>
<div dir="ltr">-- <br>
</div>
<div data-smartmail="gmail_signature">
<div dir="ltr">filipe lautert</div>
</div>
</blockquote>
<br>
</div></blockquote></div></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr">filipe lautert</div></div>