Option 1 should be done for sure.
Option 2 I think we should do. Shouldn't be to hard to have some sort of
flag in the authentication session to mark if something has happened or not?
Option 3 we could consider in the future, but I would do it with a link on
the forms with something like "Login as a different users" or something to
indicate to the user that they want to start from scratch again.
On 24 November 2017 at 15:03, Marek Posolda <mposolda(a)redhat.com> wrote:
I am not sure when exactly we want to retry the alternative
authenticators like kerberos or X509? The possibilities are:
1) When user opens the secured application URL (which will redirect him
to Keycloak initial OIDC/SAML Authorization endpoint)
2) When user press browser "refresh" on username/password screen
3) When user press browser "refresh" on TOTP (or any possible additional
authenticator screen after username/password was already SUCCESS)
I wouldn't do 3. It would be likely complicated to implement when
thinking various corner cases (browser back/refresh/forward buttons,
authenticator state etc). And usability also won't help much IMO...
1 will be easier to implement. Is it sufficient or do we want also 2?
The 2 is possible but maybe harder to do, we will need to track whether
there was some successful action OR whether some authenticator is
already in state SUCCESS.
Dne 23.11.2017 v 12:15 Bruno Oliveira napsal(a):
> Good morning,
> For alternative flows like X509 browser, if something goes wrong
> it will fall back to username/password form, as we already know.
> But the flow is not executed again until the browser is closed.
> Based on what Stian commented, seems like the same applies to
> Kerberos. To fix this, we need to change the way how it works today,
> by going through the list of all alternative flows on refresh,
> executing them again.
> Does it make sense? Should we have Jira as "enhancement" for this?
>  - https://issues.jboss.org/browse/KEYCLOAK-5466
keycloak-dev mailing list