Hi,
I'm currently working to implement the following requirements:
- users are managed externally via LDAP, self-registrations disabled;
- there is an external IdP;
- generally, there is no way to automatically match IdP identity with Keycloak's one,
so IdP linking will always be performed by the user manually;
- in order to do that, the user should click the IdP icon in the login screen,
authenticate with the IdP, get back to Keycloak and "claim" his/her Keycloak
account by entering correct username and password.
Currently, the closest thing in Keycloak is
o.k.authentication.authenticators.broker.IdpUsernamePasswordForm (aka
"idp-username-password-form", aka "Username Password Form for identity
provider reauthentication").
However, it 1) prefills the username field and makes it non-editable, and 2) depends on the
preceding IdpCreateUserIfUniqueAuthenticator execution to provide the existing user model
(EXISTING_USER_INFO auth note).
My proposal is to improve IdpUsernamePasswordForm by allowing its execution even without
the preceding IdpCreateUserIfUniqueAuthenticator. In the absence of EXISTING_USER_INFO,
IdpUsernamePasswordForm should allow the user to manually enter username.
Please let me know if you think it's worth having this in Keycloak.

Regards,
Dmitry