[keycloak-user] Alternative client-cert authentication

Nalyvayko, Peter pnalyvayko at agi.com
Wed Jul 25 13:46:18 EDT 2018


Nikola,

It seems your authentication config has two flows at the same level, whereas in my case I have a top-level flow with the x509 step and the browser forms at the same level.

-----Original Message-----
From: Nikola Malenic <nikola.malenic at netsetglobal.rs> 
Sent: Wednesday, July 25, 2018 3:49 AM
To: Nalyvayko, Peter <pnalyvayko at agi.com>; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Alternative client-cert authentication

Thank you very much. It seems it works. At least, I am getting the form for user-pass, since I didn't configure certificates.

Can you tell what I have done wrong? This is my configuration:

Auth type                               Requirement   Type
Flow1                                   ALTERNATIVE   Flow
  ==>  X509/Validate Username Form      ALTERNATIVE   (execution step, Flow1)
Flow2                                   ALTERNATIVE   Flow
  ==>  Username Password Form           REQUIRED      (sub-flow, Flow2)

-----Original Message-----
From: Nalyvayko, Peter [mailto:pnalyvayko at agi.com]
Sent: Tuesday, July 24, 2018 7:03 PM
To: Nikola Malenic <nikola.malenic at netsetglobal.rs>; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Alternative client-cert authentication

Hi Nikola,

Try this:

Auth type                                  Requirement   Type
X509                                       ALTERNATIVE   Flow
  ==>  X509/Validate Username Form         ALTERNATIVE   (execution step, X509 flow)
  ==>  Browser Forms                       ALTERNATIVE   (sub-flow, X509 flow)
         ====> Username Password Form      REQUIRED      (execution step, Browser Forms flow)
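The same structure that Peter describes, written out as the `authenticationFlows` fragment of a Keycloak realm JSON import so it can be reproduced without clicking through the admin console. This is an added example, not part of the thread or of the Keycloak project; the authenticator provider IDs `auth-x509-client-username-form` and `auth-username-password-form` are Keycloak's built-in IDs for the "X509/Validate Username Form" and "Username Password Form" executions (verify them against your version), the `priority` values are arbitrary ordering choices, and `browserFlow` is set to bind the new top-level flow as the realm's browser flow.

```json
{
  "authenticationFlows": [
    {
      "alias": "X509",
      "description": "Top-level browser flow: client cert first, forms as fallback",
      "providerId": "basic-flow",
      "topLevel": true,
      "builtIn": false,
      "authenticationExecutions": [
        {
          "authenticator": "auth-x509-client-username-form",
          "requirement": "ALTERNATIVE",
          "priority": 10,
          "userSetupAllowed": false,
          "autheticatorFlow": false
        },
        {
          "flowAlias": "Browser Forms",
          "requirement": "ALTERNATIVE",
          "priority": 20,
          "userSetupAllowed": false,
          "autheticatorFlow": true
        }
      ]
    },
    {
      "alias": "Browser Forms",
      "description": "Sub-flow of X509: username/password form",
      "providerId": "basic-flow",
      "topLevel": false,
      "builtIn": false,
      "authenticationExecutions": [
        {
          "authenticator": "auth-username-password-form",
          "requirement": "REQUIRED",
          "priority": 10,
          "userSetupAllowed": false,
          "autheticatorFlow": false
        }
      ]
    }
  ],
  "browserFlow": "X509"
}
```

The key `autheticatorFlow` (without the second "n") is the spelling Keycloak itself uses in realm exports, so keep it as written. The X509 execution additionally needs its own authenticator config (certificate-to-user mapping, trust settings), which is set per execution in the admin console or exported under `authenticatorConfig`; that part is omitted here because the thread does not cover it. When testing the fallback, use a browser profile with no client certificate installed so that the X509 step is actually skipped and the Browser Forms sub-flow is reached.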

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org
<keycloak-user-bounces at lists.jboss.org> On Behalf Of Nikola Malenic
Sent: Tuesday, July 24, 2018 9:22 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Alternative client-cert authentication

I am configuring the browser flow and would like to provide users who have certificates with the capability to log in immediately.

Users who don't have (send) a certificate should be able to log in with
username+password (a form would be presented to them).


I configured two ALTERNATIVE subflows inside browser flow. First subflow has X509/Validate Username Form execution as ALTERNATIVE and second flow has Username Password Form as REQUIRED.


The problem is that when I access the admin console I am not shown the form to enter username and password since I didn't send a certificate. I get this error:
"Invalid username or password.".

It seems that the second flow is automatically executed, but since I didn't send username and password it finishes unsuccessfully.

Do you have any idea how to configure this?


Many thanks,

Nikola

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
