Hi Yann,
Is the OTP Form execution inside the subflow? Could you please attach a screenshot of the overall flow?
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Thu, 2018-07-26 at 09:12 +0000, Yann Jouanin wrote:
Hello,
Thanks for your reply.
Indeed I managed to write the function attached in javascript and I was able to redirect
to an IdP for specific domains.
I have an additional question: is there a way to continue the flow (in my case I would like to optionally prompt for OTP)?
My current flow is:
- "cookies" (alternative)
- "Choose User" (required)
- Script (select idp) (required) (the script redirects to the idp for specific domains, otherwise triggers context.success)
- Subflow forms (optional):
  - Username Password Form (required)
  - OTP Form (optional)
Did I misunderstand the flow usage? Now, when a user is authenticated using my idp but has an OTP, the OTP is not prompted.
Best regards,
Yann
-------- FUNCTIONS ---------
Authenticate function:
function authenticate(context) {
    // `user` is bound by Keycloak's script authenticator; it is null until a user has been chosen
    var username = user ? user.username : "anonymous";
    if (username.endsWith("mydomain.com")) {
        redirect_to_idp(context, "idpformydomain");
        return;
    }
    context.success();
    return;
}
Function:
var AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
var ClientSessionCode = Java.type("org.keycloak.services.managers.ClientSessionCode");
var Urls = Java.type("org.keycloak.services.Urls");
var OAuth2Constants = Java.type("org.keycloak.OAuth2Constants");
var Response = Java.type("javax.ws.rs.core.Response");
var UriBuilder = Java.type("javax.ws.rs.core.UriBuilder"); // used below but was not imported

/**
 * Redirect to the identity provider
 *
 * @param context {@see org.keycloak.authentication.AuthenticationFlowContext}
 * @param providerId : the alias of the provider to use
 */
function redirect_to_idp(context, providerId) {
    var identityProviders = context.getRealm().getIdentityProviders();
    var identityProvidersLen = identityProviders.length;
    for (var i = 0; i < identityProvidersLen; i++) {
        var identityProvider = identityProviders[i];
        if (identityProvider.isEnabled() && providerId.equals(identityProvider.getAlias())) {
            // Code that lets the IdP endpoint resume this authentication session afterwards
            var accessCode = new ClientSessionCode(context.getSession(), context.getRealm(),
                context.getAuthenticationSession()).getOrGenerateCode();
            var clientId = context.getAuthenticationSession().getClient().getClientId();
            var tabId = context.getAuthenticationSession().getTabId();
            var location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(),
                providerId, context.getRealm().getName(), accessCode, clientId, tabId);
            // Propagate the OIDC "display" parameter if the client sent one
            if (context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY) != null) {
                location = UriBuilder.fromUri(location).queryParam(OAuth2Constants.DISPLAY,
                    context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY)).build();
            }
            var response = Response.seeOther(location).build();
            LOG.info("Redirecting to " + providerId);
            // Hand the redirect to the browser; the flow stops here until the IdP calls back
            context.forceChallenge(response);
            return;
        }
    }
}
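A stricter domain check, as an added example (not Yann's code and not part of Keycloak): the `endsWith("mydomain.com")` test in the script above also matches usernames such as `bob@notmydomain.com`, so routing a user to an external IdP should compare the exact, lower-cased domain after the `@` against an explicit table of known domains. `IDP_BY_DOMAIN`, `domainOf` and `routeForUsername` are hypothetical names; the `authenticate` function at the end shows how the script authenticator's entry point would use them.

```javascript
// Added example, not from the original thread. Written in ES5 style (var, no
// arrow functions) so it would also load under the Nashorn engine Keycloak's
// script authenticator uses.

// Constructed routing table: exact, lower-cased e-mail domain -> IdP alias.
var IDP_BY_DOMAIN = {
  "mydomain.com": "idpformydomain",
  "partner.example": "idpforpartner"
};

// Return the domain part of a username of the form local@domain, lower-cased.
// Returns null when there is no "@", more than one "@", or an empty domain.
function domainOf(username) {
  if (typeof username !== "string") { return null; }
  var at = username.lastIndexOf("@");
  if (at < 0 || at !== username.indexOf("@")) { return null; }
  var domain = username.slice(at + 1).trim().toLowerCase();
  return domain.length > 0 ? domain : null;
}

// Decide what the flow should do for this username: redirect to the mapped IdP,
// or continue with the local authenticators (password form, optional OTP, ...).
// Only an exact domain match redirects; "notmydomain.com" or
// "mydomain.com.attacker.example" fall through to the local flow.
function routeForUsername(username, table) {
  var domain = domainOf(username);
  if (domain !== null && Object.prototype.hasOwnProperty.call(table, domain)) {
    return { action: "redirect", idp: table[domain] };
  }
  return { action: "continue", idp: null };
}

// Entry point as Keycloak would call it; `context`, `user` and
// `redirect_to_idp` are provided by the script/authenticator as in the thread.
function authenticate(context) {
  var username = (typeof user !== "undefined" && user) ? user.username : "anonymous";
  var decision = routeForUsername(username, IDP_BY_DOMAIN);
  if (decision.action === "redirect") {
    redirect_to_idp(context, decision.idp);
    return;
  }
  context.success();
}
```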
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user