Authentication Flow Override - forcing execution step for some clients


I am writing a system in which we allow the user to choose a branch he or she wants to log into. To achieve this, we created a custom Authenticator execution step to extend the Browser Flow. This execution step creates a form with a list of available branches and, after the user picks one, it adds the branch UUID to a userSessionNote in the authenticationSession. We also created a client scope that maps the branch UUID from the userSessionNote to a JWT token claim. This way all web apps using this custom flow can get an access_token with the branch UUID and then use that value to display the branch and send it to different back-end applications. This works great, but we stumbled upon this problem:

We want our web apps to use the SSO feature. When the user selects a branch on the first login, we expect this selection to be preserved for the following ones. Currently, that is the case, but we also have web apps that do not require branch selection, so for their Keycloak clients we don't override the browser authentication flow. When the user logs in to a web app that does not require branch selection and then visits a web app that does require it, the branch selection step is skipped, because the authentication cookie will let the user in. My question is: is there a simple way to force our custom branch select execution step in this situation?

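For readers unfamiliar with the mechanism the post describes, here is an added example of a branch-selection execution step written against the Keycloak Authenticator SPI. It is not the poster's code and does not address the cookie-skip problem the question asks about; it only shows the shape of the step: challenge the user with a form, validate the submitted value server-side, and store the chosen branch as a user session note that a "User Session Note" protocol mapper in a client scope can copy into a token claim. The package name, the note name `branch_uuid`, the form field `branch`, the template `select-branch.ftl` and the idea that a user's permitted branches live in a multi-valued user attribute named `branches` are all assumptions for the example; the `jakarta.ws.rs` imports assume a Keycloak version that has moved off `javax.ws.rs`.

```java
package example.branch; // hypothetical package name

import java.util.List;
import java.util.stream.Collectors;

import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Illustrative branch-selection step for a custom browser flow.
 * Runs after the user has been identified (requiresUser() == true).
 */
public class BranchSelectAuthenticator implements Authenticator {

    /** Name of the user session note a "User Session Note" mapper would read (assumed name). */
    public static final String BRANCH_NOTE = "branch_uuid";
    /** Name of the form field the template posts back (assumed name). */
    private static final String FORM_FIELD = "branch";
    /** FreeMarker template in the login theme that renders the branch list (assumed name). */
    private static final String TEMPLATE = "select-branch.ftl";
    /** Multi-valued user attribute holding the branch UUIDs this user may enter (assumption). */
    private static final String BRANCHES_ATTR = "branches";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticationSessionModel authSession = context.getAuthenticationSession();

        // A branch already recorded in this authentication session means the step
        // ran earlier in the same flow; do not ask twice.
        if (authSession.getUserSessionNotes().get(BRANCH_NOTE) != null) {
            context.success();
            return;
        }

        List<String> branches = allowedBranches(context.getUser());
        if (branches.isEmpty()) {
            // A user with no permitted branch cannot complete this flow.
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }

        Response challenge = context.form()
                .setAttribute("branches", branches)
                .createForm(TEMPLATE);
        context.challenge(challenge);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String chosen = form.getFirst(FORM_FIELD);
        List<String> branches = allowedBranches(context.getUser());

        // Authorization check on the server: the posted value is user-controlled,
        // so it is only accepted if it is one of the branches this user is allowed to use.
        if (chosen == null || !branches.contains(chosen)) {
            Response retry = context.form()
                    .setError("invalidBranch") // message key expected in the theme's message bundle (assumed)
                    .setAttribute("branches", branches)
                    .createForm(TEMPLATE);
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, retry);
            return;
        }

        // The note is copied to the user session when the flow completes and can then be
        // mapped into a token claim by a client-scope protocol mapper.
        context.getAuthenticationSession().setUserSessionNote(BRANCH_NOTE, chosen);
        context.success();
    }

    /** Reads the branches the user is permitted to enter from a user attribute (assumption). */
    private static List<String> allowedBranches(UserModel user) {
        return user.getAttributeStream(BRANCHES_ATTR)
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
    }

    @Override
    public boolean requiresUser() {
        return true; // the allowed-branch check needs an identified user
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
    }

    @Override
    public void close() {
    }
}
```

The step is registered through a matching `AuthenticatorFactory` and `META-INF/services` entry, then added as a REQUIRED execution in a copy of the browser flow, exactly as the post describes. The point worth keeping whatever the rest of the design looks like is the `action()` check: the branch UUID that ends up in the token is only as trustworthy as the server-side validation of the value the form posted back.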