For more complicated conditional workflows like this, you can always use
clientSession notes and save/read the state from here. For example,
authenticator1 will call something like this if the "particular case" happened:

    clientSession.setNote("someNote", "particularCaseHappened");

And authenticator2 can then use something like this at the beginning of
the "authenticate" method:

    // Skip this authenticator when authenticator1 flagged the particular case
    if ("particularCaseHappened".equals(clientSession.getNote("someNote"))) {
        log.info("Ignoring this authenticator based on fact that "
                + "'particular case' from authenticator1 happened");
        context.attempted();
        return;
    }

Marek
On 09/06/16 03:48, Rashmi Singh wrote:
I have one more question on this. I have my own implementation of two
authenticators now: Username Authenticator (REQUIRED) and OTP
authenticator (OPTIONAL) under an ALTERNATIVE subflow. The second
optional authenticator has Authenticator.configuredFor return false
(I have this because I do not want this to be invoked only when the
user is set in the context already). Now, the second authenticator is
invoked which is good. But, there is one case in my usernamePassword
Authenticator for which the optional OTPAuthenticator should not be
invoked. Can this be achieved? Other than that case, OTP authenticator
should be invoked as now. Can I stop this second optional
OTPAuthenticator from being invoked for a particular case in my
UsernamePassword authenticator?
On Wed, Jun 8, 2016 at 2:04 PM, Rashmi Singh <singhrasster(a)gmail.com> wrote:
OK, I am clear about this point now. It does enter the second
optional authenticator, so it is good now. Thank you
On Wed, Jun 8, 2016 at 10:43 AM, Rashmi Singh <singhrasster(a)gmail.com> wrote:
In general, if we have any two authenticators under
ALTERNATIVE flow, the second being OPTIONAL, is the optional
one invoked only when context.setUser(user) is set in the
first authenticator? Otherwise, the second OPTIONAL
authenticator is never invoked (irrespective of whether
Authenticator.configuredFor returns true or false) at all? Is
there a way to invoke the optional authenticator even when
context.setUser(user) was never done in the first authenticator?
On Wed, Jun 8, 2016 at 5:21 AM, Marek Posolda <mposolda(a)redhat.com> wrote:
Currently OPTIONAL means that the authenticator is used
only if it's configured for the particular user
(Authenticator.configuredFor returns true for that user).
In the case of OTP, it means that the OTP form is shown only if
OTP is configured for the particular user.
It looks like an OPTIONAL authenticator needs to return
true from "requiresUser"; otherwise, if it doesn't require
a user, an error will be returned (even if the authenticator is
OPTIONAL).
Marek
On 07/06/16 17:29, Rashmi Singh wrote:
> From the keycloak documentation and
> https://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>
> it is not very clear to me what the OPTIONAL setting for
> an execution means.
>
> For example, when we have the following:
>
> Forms Subflow - ALTERNATIVE
> Username/Password Form - REQUIRED
> OTP Password Form - OPTIONAL
>
>
> When can it enter the Optional OTP form? Do we need to
> add some code (some condition ?) in the
> UsernamePasswordAuthentication Code, so it enters the
> optional OTP form authenticator? Or something else? I am
> not so clear about the concept of this optional field and
> how to enter it. Can someone please explain this in detail?