Re: [keycloak-user] Alternative client-cert authentication

Hi Nikola, Try this: Auth type Requirement Type X509 ALTERNATIVE Flow ==> X509/Validate Username Form ALTERNATIVE (execution step, X509 flow) ==> Browser Forms ALTERNATIVE (sub-flow, X509 flow) ====> Username Password Form REQUIRED (execution step, Browser Forms flow) -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org&gt; On Behalf Of Nikola Malenic Sent: Tuesday, July 24, 2018 9:22 AM To: keycloak-user(a)lists.jboss.org Subject: [keycloak-user] Alternative client-cert authentication I am configuring browser flow and would like to provide users with certificates with capability to login immediately. Users which don't have (send) certificate should be able to login with username+password (form would be presented to them). I configured two ALTERNATIVE subflows inside browser flow. First subflow has X509/Validate Username Form execution as ALTERNATIVE and second flow has Username Password Form as REQUIRED. The problem is that when I access admin console I am not shown form to enter username and password since I didn't send certificate. I get this error: "Invalid username or password.". It seems that the second flow is automatically executed, but since I didn't send username and password it finishes unsuccessfully. Do you have any idea how to configure this. Many thanks, Nikola _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user