[keycloak-dev] Optional authenticator inside an alternative subflow, how and when is it invoked?

Rashmi Singh singhrasster at gmail.com
Wed Jun 8 21:48:50 EDT 2016


I have one more question on this. I have my own implementation of two
authenticators now: Username Authenticator (REQUIRED) and OTP authenticator
(OPTIONAL) under an ALTERNATIVE subflow. The second optional authenticator
has Authenticator.configuredFor returning false (I have this because I do not
want this to be invoked only when the user is set in the context already).
Now, the second authenticator is invoked which is good. But, there is one
case in my usernamePassword Authenticator for which the optional
OTPAuthenticator should not be invoked. Can this be achieved? Other than
that case, OTP authenticator should be invoked as now. Can I stop this
second optional OTPAuthenticator from being invoked for a particular case
in my UsernamePassword authenticator?

On Wed, Jun 8, 2016 at 2:04 PM, Rashmi Singh <singhrasster at gmail.com> wrote:

> OK, I am clear about this point now. It does enter the second optional
> authenticator, so it is good now. Thank you
>
> On Wed, Jun 8, 2016 at 10:43 AM, Rashmi Singh <singhrasster at gmail.com>
> wrote:
>
>> In general, if we have any two authenticators under ALTERNATIVE flow, the
>> second being OPTIONAL, is the optional one invoked only when
>> context.setUser(user) is set in the first authenticator? otherwise, the
>> second OPTIONAL authenticator is never invoked (irrespective of whether Authenticator.configuredFor
>> returns true or false) at all? Is there a way to invoke the optional
>> authenticator even when context.setUser(user) was never done in the first
>> authenticator?
>>
>> On Wed, Jun 8, 2016 at 5:21 AM, Marek Posolda <mposolda at redhat.com>
>> wrote:
>>
>>> Currently, OPTIONAL means that the authenticator is used only if it's
>>> configured for the particular user (Authenticator.configuredFor returns true
>>> for that user). In the case of OTP, it means that the OTP form is shown only
>>> if OTP is configured for the particular user.
>>>
>>> It looks like an OPTIONAL authenticator needs to return true for
>>> "requiresUser"; otherwise, if it doesn't require a user, an error will be
>>> returned (even if the authenticator is OPTIONAL).
>>>
>>> Marek
>>>
>>>
>>> On 07/06/16 17:29, Rashmi Singh wrote:
>>>
>>> From the keycloak documentation and
>>> <https://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html>
>>>
>>> it is not very clear to me what the OPTIONAL setting for an execution
>>> means.
>>>
>>> For example, when we have the following:
>>>
>>> Forms Subflow - ALTERNATIVE
>>>            Username/Password Form - REQUIRED
>>>            OTP Password Form - OPTIONAL
>>>
>>>
>>>
>>> When can it enter the Optional OTP form? Do we need to add some code
>>> (some condition ?) in the UsernamePasswordAuthentication Code, so it enters
>>> the optional OTP form authenticator? Or something else? I am not so clear
>>> about the concept of this optional field and how to enter it. Can someone
>>> please explain this in detail?
>>>
>>>
>>
>