You're right, we don't have this right now. I don't know if it's something we should support OOTB. The idea of broker login is, that you delegate authentication to another SSO/social server. Once the second server say "Ok, user is authenticated", we treat him as authenticated on Keycloak side too. Isn't it the more proper option for your usecase to use OTP on the second server side instead?

Another option is to implement IdentityProviderMapper and in "updateBrokeredUser" method, you will redirect user to OTP login. Could you try this?


If we want to support another login flow triggered after each broker login (which I am not convinced TBH), we can either:

1) Introduce "post-broker-login" flow, which will be configurable per IdentityProvider. By default, it will be empty .

2) Use just one flow, which will be triggered after each broker login (current "first broker login" flow is triggered only if federatedIdentity doesn't yet exist in Keycloak). In this case, the current "first broker login" flow will need to be renamed to "broker login" and more logic will need to be moved from IdentityBrokerService to the flow itself. The disadvantage of this option is, that it may always require another redirect to trigger authentication flows. But we're trying to reduce the number of redirects ( https://issues.jboss.org/browse/KEYCLOAK-2098 )

Marek

On 20/11/15 00:06, Dane Barentine wrote:

Hi all,

 

I’m trying to add a custom authenticator and it appears that that there is no way to insert it in the flow if it’s a brokered IDP login where the linked Keycloak account already exists.

 

If it’s a local Keycloak user I can use the Browser flow and if it’s a new brokered user the First Broker Login flow will execute. But I don’t see a flow that would allow me to insert something like OTP after a brokered login of an existing user.

 

If I’m just missing it let me know but I think there needs to be some sort of flow for brokered logins that runs on both existing and new users. For new users it would run after the First Broker Login flow. Or better yet maybe a flow that would allow things such as OTP to happen after any brokered or local login. That way it wouldn’t have to be configured in multiple flows.

 

Thanks

Dane



_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev