Client Authentication sub flow

Good Morning all,

I was hoping to canvas the opinion of the wider community here.

I would like to add some validation steps to the client authentication flow and I’m struggling to work out the best way to achieve this.

Currently, I have created a custom client authenticator which sits at the top of the flow and does the required validation before either aborting the flow or marking itself as attempted to allow it to progress through to the real client authenticators (the default OOTB client authenticators).

Now, there are several issues with this.

Creating my “validator” as a client authenticator makes this available as a client auth method under the client’s “Credentials” tab in the UI. It’s not really an authenticator and would/should never be selected as a client auth method. With that in mind, this doesn’t seem a very good choice. Also, marking an authenticator as “attempted” when it has in fact passed its validation steps doesn’t seem quite right either.

I see that when setting up a client authentication flow you can add a subflow with type “Generic”, which seems to allow me to add generic authenticators. I suppose I could go down that route and create an authenticator rather than a client authenticator but…

I can’t see a way to structure the flow in a suitable way without being able to add a subflow which will allow me to add client authenticators. Ideally something like this:

  • Validator subflow (required)
    • Client Validator (authenticator, required)
  • Client Auth subflow (required)
    • Client Id and Secret (alternative)
    • Client JWT (alternative)
    • Client JWT Secret (alternative)
    • Client X509 (alternative)

Using a flow like this would allow me to run my validation in the authenticator and then the client auth, both of which would have to be successful for the flow to be successful.

The problem is, a subflow doesn’t seem to support client authentication as a type, and therefore I don’t have access to the client authenticators in a subflow.

Does anyone have any recommendations on how this might be achieved? Am I completely barking up the wrong tree?

The reason I went with the “validator” authenticator is that I wanted a single point where I could configure validation options. I toyed with the idea of just extending each of the OOTB authenticators with a call to my validation and setting an auth note to say it’s been done, and maybe holding the validation config somewhere more central, like a component entry perhaps.

Keycloak 26.0.8