I created two subflows under a flow "test", and added an execution for the
authenticator under each subflow:
Subflow1 (ALTERNATIVE)
Authenticator1 (REQUIRED)
Subflow2 (ALTERNATIVE)
Authenticator2 (REQUIRED)
In Authenticator1, I set
context.attempted();
return;
in authenticate() method
Login seem to be cancelled/failed in authenticator1. However, it does not
seem to enter the authenticator2:
The logs I see on the console looks like:
11:56:33,261 INFO [org.keycloak.services] (default task-28) Authenticator
- authenticator1
11:56:33,263 WARN [org.keycloak.events] (default task-28)
type=LOGIN_ERROR, realmId=testrealm, clientId=account, userId=null,
ipAddress=127
.0.0.1, error=invalid_user_credentials, auth_method=openid-connect,
auth_type=code, response_type=code, redirect_uri=http://localhost:8080/a
uth/realms/testrealm/account/login-redirect,
code_id=bdbd40d3-33b0-42e7-a46b-f61e5fd7e303, response_mode=query
Could you please point what I am doing wrong here that it does not enter
the authenticator2 under subflow2?
On Thu, May 19, 2016 at 4:12 PM, Rashmi Singh <singhrasster(a)gmail.com>
wrote:
I will try this out. Thanks for this. I have another question on
this. To
me, it looks like it will work in switching to authentication providers
down in the chain (by letting us skip the ones in between), but what if we
want to switch to an authentication provider up? For example, from
authenticator1, we switch to authenticator4, and then we want to switch to
authenticator2 (back up in the chain), can this be achieved?
On Thu, May 19, 2016 at 3:06 PM, Marek Posolda <mposolda(a)redhat.com>
wrote:
> For example you can create 2 subflows of the top flow and mark them as
> ALTERNATIVE. Then if you create "children" execution of subflow1 pointing
> to your authenticator inside it, then in the code of your authenticator you
> can switch the state to ATTEMPTED and if the authenticator execution is
> required, it will cancel subflow1 and go to subflow2. At least I hope it
> will work like this :-)
>
> If you want some more complex logic and dependency of authenticator on
> the state of other authenticator etc. you can maintain the state inside
> clientSession notes. Then authenticators will be executed in the fixed
> order, but for example in the code of authenticator2 you can do something
> like :
>
> if
>
("true".equals(clientSession.getNote("wasAuthenticator1FinishedSuccessfully"))
> {
> // skip this authenticator2 as authenticator1 already authenticated
> user or did something, which allows you to skip authenticator2 and move
> directly to authenticator3 etc.
> context.attempted();
> return;
> }
>
> etc.
> Marek
>
>
> On 19/05/16 16:31, Rashmi Singh wrote:
>
> Could someone please tell me if this is even possible? I do not want the
> execution engines/authentication providers to be executed in a fixed order
> defined in the admin console. But, need to be able to switch to any in the
> chain depending on some response I get upon invoking an external service. I
> needed to know if this is possible and if yes, then how? Any help would be
> appreciated.
>
> On Wed, May 18, 2016 at 4:21 PM, Rashmi Singh <singhrasster(a)gmail.com>
> wrote:
>
>> Thanks a lot for your response. I went through the chapter. What I
>> understand is we can create multiple executions (authentication providers)
>> but they are executed in a serial fashion in a fixed order defined. Is
>> there a way to be able to switch between them (so, not have it executed in
>> the default serial way but depending on the response we get from an
>> external service we called, we can switch to the corresponding one). Any
>> ideas?
>>
>> On Tue, May 17, 2016 at 3:49 AM, Marek Posolda < <mposolda(a)redhat.com>
>> mposolda(a)redhat.com> wrote:
>>
>>> The docs is here :
>>>
http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html
>>>
>>> We have also example for authentication SPI. Note that you can create
>>> sub-flows in the "top" flow, which might be a way to split the
>>> authenticator into multiple ones. For example see "Forms" flow in
default
>>> "Browser" flow. Also maybe you will need to implement some logic
>>> programatically in your authenticators based on various conditions etc.
>>> Depends on the usecase though...
>>>
>>> Marek
>>>
>>>
>>> On 16/05/16 23:52, Rashmi Singh wrote:
>>>
>>> Hi,
>>>
>>> I am looking for a way to do authentication provider chaining with
>>> keycloak. Basically, I want to have multiple authentication providers,
>>> example username, Suregrid etc. On submitting username, we call a service
>>> and if that service tells us to use SureGrid, then we should be able to
>>> pass control to the corresponding authentication provider. So basically, I
>>> want to spilt one authentication provider into multiple and be able to
>>> chain them based on the response from the service called. I have not found
>>> any documentation that explains this. Could you suggest how to achieve this?
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing
listkeycloak-dev@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>>
>>
>
>