<div dir="ltr">Hello <div><br></div><div>I've a similar case to this one, but instead of using an account page I use the ssl client certificate passed by Apache. I set up everything as the example you provided, but even if in my "<span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5">Account Chooser Custom authenticator" I call </span><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5">AuthFlowContext.success() it is still showing me the username/password form from the next alternative flow.</span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;line-height:1.5"><br></span></div><div><span style="font-size:13px;line-height:20px;color:rgb(51,51,51);font-family:"open sans",helvetica,arial,sans-serif">I worked around it creating a class called </span><font color="#333333" face="open sans, helvetica, arial, sans-serif" style="font-size:13px;line-height:1.5"><span style="line-height:20px">AlternativeUsernamePasswordFormFactory that extends UsernamePasswordFormFactory, and the only change that I did to it was to add the AuthenticationExecutionModel.Requirement.ALTERNATIVE to the REQUIREMENT_CHOICES . Now, if I set this new auth type as alternative in Keycloak, it does what I want.</span></font><br></div><div><div style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;font-size:13px"><font color="#333333" face="open sans, helvetica, arial, sans-serif"><span style="line-height:20px"><br></span></font></div><div style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;font-size:13px"><font color="#333333" face="open sans, helvetica, arial, sans-serif"><span style="line-height:20px">So my questions are: am I missing something to mark my Authenticator as sufficient to end the flow and return to the client? if not, is there a reason why </span></font><span style="color:rgb(51,51,51);font-family:"open sans",helvetica,arial,sans-serif;line-height:20px">UsernamePasswordFormFactory doesn't provide the ALTERNATIVE option, and can it be added to this class?</span></div></div><div style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;font-size:13px"><span style="color:rgb(51,51,51);font-family:"open sans",helvetica,arial,sans-serif;line-height:20px"><br></span></div><div style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;font-size:13px"><span style="color:rgb(51,51,51);font-family:"open sans",helvetica,arial,sans-serif;line-height:20px">I'm posting this again os this thread as Ray may face the same issue soon...</span></div><div style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;font-size:13px"><span style="color:rgb(51,51,51);font-family:"open sans",helvetica,arial,sans-serif;line-height:20px"><br></span></div><div style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;font-size:13px"><span style="color:rgb(51,51,51);font-family:"open sans",helvetica,arial,sans-serif;line-height:20px">Cheers</span></div><div style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;font-size:13px"><span style="color:rgb(51,51,51);font-family:"open sans",helvetica,arial,sans-serif;line-height:20px"><br></span></div><div style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif;font-size:13px"><span style="color:rgb(51,51,51);font-family:"open sans",helvetica,arial,sans-serif;line-height:20px">filipe</span></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Aug 17, 2016 at 6:38 PM Bill Burke <<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>You would need to create a custom authenticator that is like an
account chooser page, i.e. two buttons one says "login to
kerberos" the other says "login to ldap".</p>
<p>A custom flow would look like this:</p>
<p>* Cookie Authenticator<br>
</p>
* create an ALTERNATIVE sub flow
<p> * REQUIRED Account Chooser Custom authenticator page - if the
kerberos button is clicked, call AuthFlowContext.success()
otherwise AuthFLowContext.attempted(). Attempted will abort this
alternative flow<br>
</p>
* REQUIRED Built in Kerberos Authenticator
<p>* create another ALTERNATIVE sub flow</p>
* REQUIRED built in username/password authenticator</div><div bgcolor="#FFFFFF" text="#000000"><br>
<br>
<div>On 8/17/16 4:05 PM, Zhou, Limin (Ray)
wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal">Hello<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Right now our keycloak server was setup to
do kerberos authentication with ldap as backup, so in this
case, the user will get them in automatically
<u></u><u></u></p>
<p class="MsoNormal">from the company domain when they hitting
the URL, we have application role definitions in the keycloak,
if the user does not have the role configured
<u></u><u></u></p>
<p class="MsoNormal">then we want to logout them back to the
default key cloack login page and let them try their LDAP user
account.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">But because kerberos authentication is
always on the top, so right after we logout the user, the
kerberos will let them in automatically<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">right now we are using keycloak.logout from
keycloak.js to logout user<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I am wondering what is the good practice to
achieve this?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Any suggestions are welcome<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">thanks<u></u><u></u></p>
<p class="MsoNormal">raymond<u></u><u></u></p>
</div>
<hr>
<font face="Arial" color="Black">Moneris Solutions
Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X
2X2 | Canada <a href="http://www.moneris.com" target="_blank">www.moneris.com</a> 1-866-319-7450
<br>
If you wish to unsubscribe from future updates from Moneris,
please click <a href="https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx" target="_blank">here</a>.
Please see the Moneris Privacy Policy <a href="http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx" target="_blank">
here</a>. <br>
<br>
This e-mail may be privileged and/or confidential, and the
sender does not waive any related rights and obligations. Any
distribution, use or copying of this e-mail or the information
it contains by other than an intended recipient is unauthorized.
If you received this e-mail in error, please advise me (by
return e-mail or otherwise) immediately.
<hr>
Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto
| Ontario | M8X 2X2 | Canada <a href="http://www.moneris.com" target="_blank">www.moneris.com</a> 1-866-319-7450
<br>
Si vous désirez enlever votre nom de la liste d’envoi de
Moneris, veuillez cliquer
<a href="https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang=fr-CA" target="_blank">ici</a>.
Veuillez consulter la Politique de confidentialité de Moneris <a href="http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc_lang=fr-CA%20" target="_blank">ici</a>.
<br>
<br>
Ce courriel peut contenir des renseignements confidentiels ou
privilégiés, et son expéditeur ne renonce à aucun droit ni à
aucune obligation connexe. La distribution, l’utilisation ou la
reproduction du présent courriel ou des renseignements qu’il
contient par une personne autre que son destinataire prévu sont
interdites. Si vous avez reçu ce courriel par erreur, veuillez
m’en aviser immédiatement (par retour de courriel ou autrement).
</font>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></blockquote></div></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr">filipe lautert</div></div>