[keycloak-dev] Support for conditional AuthenticationFlowExecution.

Bill Burke bburke at redhat.com
Mon Nov 23 10:49:47 EST 2015


"Alternative" flows/authenticators should allow you to do this.  It 
might look/be a little awkward, but it should allow you to do 
conditionals.  Notice that Username/Password is "Alternative".  This 
means it's not executed if Cookie is successful.  You can nest this stuff 
too.

It's not the greatest, but I wanted to avoid anything too complex that 
required a lot of UI work and/or some kind of scripting engine.

On 11/23/2015 10:43 AM, Thomas Darimont wrote:
> Hello group,
>
> this is my first post on this mailing list and I want to say thank you
> for this awesome project!
>
> I had a look at many IDM / SSO solutions before and Keycloak provided
> the best out-of-the-box experience so far!
>
> I posted the following in the JIRA initially but Stian Thorgersen asked
> me to post this on the mailing list as well.
>
> Scenario:
>
> Support for conditional AuthenticationFlowExecution.
>
> Often some authentication flow steps should only be executed under
> certain conditions, e.g. sometimes a TOTP based auth step is only
> required if requests come with a certain request header value.
>
> It would be cool if one could configure a condition on the
> AuthenticationFlowExecution (if I'm not mistaken) that if evaluated to
> true would execute or skip a particular authentication step.
>
> This could perhaps be configured via the admin console in the
> Authentication -> Flows tab.
>
> Conditions could perhaps be simple JavaScript expressions that could be
> evaluated via the built-in JavaScript ScriptEngine.
>
> For this it would be useful to provide a set of "standard" functions
> that can be called from the expressions (perhaps based on a whitelist).
>
> Admins should also be able to define their custom functions.
>
> The context could provide access to the current http request, current
> user, the requested client application and perhaps the keycloak
> configuration.
>
> The issue: https://issues.jboss.org/browse/KEYCLOAK-2108

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
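
The nesting of "Alternative" executions described in the reply above can be modelled in a few lines. This is an added example, not part of the original thread and not Keycloak's code: the evaluator is a simplified model, and the step names, the `header-absent` authenticator, the `X-Require-OTP` header and the sample credentials are all assumptions made for illustration.

```python
# Simplified model of flow evaluation (NOT Keycloak's implementation).
REQUIRED, ALTERNATIVE = "REQUIRED", "ALTERNATIVE"

class Step:
    def __init__(self, name, requirement, check=None, children=None):
        self.name, self.requirement = name, requirement
        self.check, self.children = check, children

def run_step(step, ctx, trace):
    if step.children is not None:            # nested subflow
        return run_flow(step.children, ctx, trace)
    trace.append(step.name)                  # record leaf authenticators that actually ran
    return bool(step.check(ctx))

def run_flow(steps, ctx, trace):
    alt_seen = alt_ok = False
    for step in steps:
        if step.requirement == ALTERNATIVE:
            alt_seen = True
            if not alt_ok:                   # skipped once an earlier alternative succeeded
                alt_ok = run_step(step, ctx, trace)
        elif not run_step(step, ctx, trace):
            return False                     # a failed REQUIRED step fails the flow
    return alt_ok or not alt_seen

# Constructed flow: OTP runs only when the hypothetical X-Require-OTP header is present.
OTP_GATE = [
    Step("header-absent", ALTERNATIVE, lambda c: "X-Require-OTP" not in c["headers"]),
    Step("otp", ALTERNATIVE, lambda c: c.get("otp") == c["expected_otp"]),
]
BROWSER_FLOW = [
    Step("cookie", ALTERNATIVE, lambda c: c.get("sso_cookie", False)),
    Step("forms", ALTERNATIVE, children=[
        Step("username-password", REQUIRED,
             lambda c: c.get("password") == c["expected_password"]),
        Step("otp-gate", REQUIRED, children=OTP_GATE),
    ]),
]

# Constructed sample context; real values would come from the request and user store.
BASE = {"headers": {}, "expected_password": "pw", "expected_otp": "123456"}

def authenticate(ctx):
    trace = []
    return run_flow(BROWSER_FLOW, ctx, trace), trace

if __name__ == "__main__":
    print(authenticate(dict(BASE, sso_cookie=True)))
    print(authenticate(dict(BASE, password="pw", headers={"X-Require-OTP": "1"}, otp="123456")))
```

In this model a request without the header skips OTP, so the gate assumes the header is set by a component the client cannot bypass.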

