[keycloak-user] Possibility to set new Provider in authentication flow for non-unique usernames

Dominik Guhr pinguwien at gmail.com
Wed Jan 24 03:27:48 EST 2018


Hi everyone,

I'm implementing an authentication SPI execution on top of the "normal" 
username/password form of kc 3.4.3.Final. -> 
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/browser/UsernamePasswordForm.java

Sadly, usernames are not unique atm, so I need to change the execution, 
so that it doesn't stop with "invalid credentials" for a user who was 
found in one Provider.

Instead of giving the "invalid credentials"-error, I want my execution 
to first check all other providers for the same username, and then check 
the credentials against all matches. And just in case of no credentials 
matching, it should fail, or login a new session for this user when one 
is found in any of my (3) Providers, which are added by user federation 
feature (2 ADs, one by a custom user storage SPI).

So I drilled it down to the method validatePassword(...) in 
AbstractUsernameFormAuthenticator.java -> 
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator.java 
line 191, which I want to change accordingly. Sadly, I can't find a 
method to get all Providers of the realm and check accordingly. The code 
I want to change is:

if (password != null && !password.isEmpty() &&
        context.getSession().userCredentialManager().isValid(context.getRealm(), user, credentials)) {
    return true;
} else {...}

Instead of just checking isValid() for one provider, which is what this 
does atm, I want to check all Providers. Like this pseudocode:

if (password != null && !password.isEmpty()) {
    boolean isValid = false;
    // hypothetical: I have not found a method like this yet
    List<Provider> realmProviders = context.getAllProviders();
    for (Provider provider : realmProviders) {
        // stop at the first provider that accepts the credentials
        if (provider.isValid(...)) {
            isValid = true;
            break;
        }
    }
    return isValid;
} else {...}

Could anyone perhaps give me a hint on how to achieve this? I haven't 
found a method yet to get all Providers and check for isValid in any of 
the given ones.

Best regards,
Dominik

p.s. I created a stackoverflow question here: 
https://stackoverflow.com/questions/48399622/keycloak-check-password-in-more-than-one-identity-provider 
feel free to comment/answer there :)
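Added example (not the poster's code and not part of Keycloak): one way to validate a password against each user storage provider of the realm from inside a custom Authenticator, refusing the login when zero or more than one store accepts the password, so a non-unique username cannot log a caller into an unrelated account. It assumes the Keycloak 3.4.x APIs RealmModel.getUserStorageProviders(), UserStorageManager.getStorageProviderInstance(...), UserLookupProvider and CredentialInputValidator exist with the shapes used here; check them against the server version you build against.

```java
import java.util.ArrayList;
import java.util.List;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.UserStorageManager;
import org.keycloak.storage.UserStorageProviderModel;
import org.keycloak.storage.user.UserLookupProvider;

// Looks the username up in every user storage provider of the realm and returns the
// single user whose own store accepts the password; null when none or several do.
public final class MultiStoreCredentialCheck {

    public static UserModel findAuthenticatedUser(AuthenticationFlowContext context,
                                                  String username, String password) {
        if (password == null || password.isEmpty()) {
            return null;
        }
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        CredentialInput input = UserCredentialModel.password(password);
        List<UserModel> accepted = new ArrayList<>();

        for (UserStorageProviderModel model : realm.getUserStorageProviders()) {
            // Ask each provider for its own copy of the username (assumed 3.4.x API).
            UserLookupProvider lookup = UserStorageManager.getStorageProviderInstance(
                    session, model, UserLookupProvider.class);
            if (lookup == null) continue; // provider does not support lookups
            UserModel candidate = lookup.getUserByUsername(username, realm);
            if (candidate == null) continue;
            // Validate against the store that owns this candidate, not the realm-wide manager.
            CredentialInputValidator validator = UserStorageManager.getStorageProviderInstance(
                    session, model, CredentialInputValidator.class);
            if (validator != null && validator.supportsCredentialType(input.getType())
                    && validator.isValid(realm, candidate, input)) {
                accepted.add(candidate);
            }
        }
        // Exactly one store must vouch for the password; 0 or >1 matches fail closed.
        return accepted.size() == 1 ? accepted.get(0) : null;
    }
}
```

Call it from the Authenticator's action() with the submitted form values and, on a non-null result, context.setUser(...) followed by context.success(); otherwise return the same invalid-credentials challenge the stock form uses.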

