Hi Keycloak Users,

I'm looking for suggestions on ways to configure a Keycloak realm to allow
Kerberos SPNEGO, but at the same time also allow switching users. I've made some
suggestions to the existing enhancement JIRA here:
https://issues.jboss.org/browse/KEYCLOAK-1727

I'd like to consider a "continue as $username" button in the event SPNEGO
worked instead of automatically returning successful login. I'm looking at the
Authentication API and Browser Flow docs:
https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi

Perhaps we could create a "Check if SPNEGO Worked and Prompt to Confirm"
Authenticator and assign it an Execution Requirement of "Required", and
configure the Browser Login flow to include the new Authenticator after the Kerberos
Execution, but before the Forms subflow. The logic in the new Authenticator might look
like:

    if (SPNEGO worked) {
        // Show special form with button labeled "Continue as $username" beside a
        // regular username/password form. This way user can choose to switch
        // users or just continue as the OS user.
    } else {
        // Continue with regular form subflow as usual.
    }

Does the Authenticator API support this?

Thanks,
Ryan