12:23 a.m.
Hi
I have been trying to configure a keycloak flow but have not been successful, and I am
wondering if what I am trying to do is possible.
We have the standard flows
Cookie
Kerberos
Identity Provider Redirector
Browser
Inside the Browser flow we have
Username Password Form
2SV - sub flow required
OTP execution - alternative
SMS execution - alternative
The OTP and SMS executions are custom authenticators, that I'd like to have at least
one of them.
With this configuration I can see the OTP authenticator returns a form from the challenge
method, but it doesn't show the form. The authentication just passes and I am logged
in without asking for either the otp or the sms code.
Can I use the alternative requirements in this way?
Matt
8:53 a.m.
I'll need to review our tests, but I think you found a bug. What should
happen is that the SMS's challenge should be rendered as its the last
alternative. I'll have this fixed in next release.
One question though, how is the choice between OTP and SMS decided on?
If OTP isn't configured, then they have to do SMS? What if both aren't
configured? This is probably another limitation of the auth flow.
On 3/21/17 1:23 AM, Matt Evans wrote:
Hi
I have been trying to configure a keycloak flow but have not been successful, and I am
wondering if what I am trying to do is possible.
We have the standard flows
Cookie
Kerberos
Identity Provider Redirector
Browser
Inside the Browser flow we have
Username Password Form
2SV - sub flow required
OTP execution - alternative
SMS execution - alternative
The OTP and SMS executions are custom authenticators, that I'd like to have at least
one of them.
With this configuration I can see the OTP authenticator returns a form from the challenge
method, but it doesn't show the form. The authentication just passes and I am logged
in without asking for either the otp or the sms code.
Can I use the alternative requirements in this way?
Matt
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:12 p.m.
Our setup is that SMS is a backup for OTP, so to enable OTP the user also has to provide a
mobile phone for SMS. I was trying to configure it to show OTP first and only move to SMS
if OTP returns 'attempted'. I was going for similar to how the cookie
authenticator works.
I hadn't got to looking at how to make the whole sub-flow optional, based on whether
the user is configured for OTP or not.
From your comment that it should show the last alternative, I am
wondering if what I want to do is possible with the alternative requirement?
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Bill Burke
Sent: Wednesday, 22 March 2017 12:53 AM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Alternative sub flow
I'll need to review our tests, but I think you found a bug. What should happen is
that the SMS's challenge should be rendered as its the last alternative. I'll
have this fixed in next release.
One question though, how is the choice between OTP and SMS decided on?
If OTP isn't configured, then they have to do SMS? What if both aren't
configured? This is probably another limitation of the auth flow.
On 3/21/17 1:23 AM, Matt Evans wrote:
Hi
I have been trying to configure a keycloak flow but have not been successful, and I am
wondering if what I am trying to do is possible.
We have the standard flows
Cookie
Kerberos
Identity Provider Redirector
Browser
Inside the Browser flow we have
Username Password Form
2SV - sub flow required
OTP execution - alternative
SMS execution - alternative
The OTP and SMS executions are custom authenticators, that I'd like to have at least
one of them.
With this configuration I can see the OTP authenticator returns a form from the challenge
method, but it doesn't show the form. The authentication just passes and I am logged
in without asking for either the otp or the sms code.
Can I use the alternative requirements in this way?
Matt
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2843
days inactive
2843
days old
2 comments
2 participants
participants (2)
-
Bill Burke -
Matt Evans