For more complicated conditional workflows like this, you can always use clientSession notes and save/read the state from here. For example authenticator1 will call something like this if "particular case" happened:

clientSession.setNote("someNote", "particularCaseHappened");

And authenticator2 can then use something like this in the beginning of method "authenticate" :

if ("particularCaseHappened".equals(clientSession.getNote("someNote") {
    log.info("Ignoring this authenticator based on fact that 'particular case' from authenticator1 happened");
    context.attempted();
    return;
}

Marek

On 09/06/16 03:48, Rashmi Singh wrote:
I have one more question on this. I have my own implementation of two authenticators now: Username Authenticator (REQUIRED) and OTP authenticator (OPTIONAL) under an ALTERNATIVE subflow. The second optional authenticator has Authenticator.configuredFor returns false (I have this because I do not want this to be invoked only when the user is set in the context already). Now, the second authenticator is invoked which is good. But, there is one case in my usernamePassword Authenticator for which the optional OTPAuthenticator should not be invoked. Can this be achieved? Other than that case, OTP authenticator should be invoked as now. Can I stop this second optional OTPAuthenticator from being invoked for a particular case in my UsernamePassword authenticator?

On Wed, Jun 8, 2016 at 2:04 PM, Rashmi Singh <singhrasster@gmail.com> wrote:
OK, I am clear about this point now. It does enter the second optional authenticator, so it is good now. Thank you

On Wed, Jun 8, 2016 at 10:43 AM, Rashmi Singh <singhrasster@gmail.com> wrote:
In general, if we have any two authenticators under ALTERNATIVE flow, the second being OPTIONAL, is the optional one invoked only when context.setUser(user) is set in the first authenticator? otherwise, the second OPTIONAL authenticator is never invoked (irrespective of whether Authenticator.configuredFor returns true or false) at all? Is there a way to invoke the optional authenticator even when context.setUser(user) was never done in the first authenticator?

On Wed, Jun 8, 2016 at 5:21 AM, Marek Posolda <mposolda@redhat.com> wrote:
Currently the OPTIONAL means that authenticator is used just if it's configured for particular user ( Authenticator.configuredFor returns true for that user). In case of OTP, it means that OTP form is shown just if OTP is configured for particular user.

It looks that OPTIONAL authenticator needs to return "requiresUser" with true, otherwise if it doesn't require user the error will be returned (even if authenticator is OPTIONAL).

Marek


On 07/06/16 17:29, Rashmi Singh wrote:
From the keycloak documentation and https://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html

it is not very clear to me what the OPTIONAL setting for an execution mean.

For example, when we have the following:



When can it enter the Optional OTP form? Do we need to add some code (some condition ?) in the UsernamePasswordAuthentication Code, so it enters the optional OTP form authenticator? Or something else? I am not so clear about the concept of this optional field and how to enter it. Can someone please explain this in detail?


_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev