Custom reset credentials flow automatically logs user in with no credentials?

[FYI running Keycloak 12.0.4 - I know it is old, we will be upgrading soon]

I have a scenario where I have local users and I have users coming in from an external IDP (configured via Identity Providers and with a custom extension of OIDCIdentityProvider). All of this works great. The issue is, an IDP user can go to the normal login screen, hit “forgot password” and reset their credentials. Now they have two ways to log in: one via the IDP and one directly via the login page with the credentials they just set.

We don’t want to allow this, so after investigating options I have implemented a conditional authenticator that is basically the opposite of ConditionalRoleAuthenticator. It checks the user for a given role, and if the user has the role, then we return false for the condition. In the IDP Mapper config we give everyone a hardcoded role, and that’s the role we check for. Very straightforward.

I copied and modified the Reset Credentials flow to use the conditional. Now, when the user clicks on Forgot Password on the login screen and enters their email address, if the user doesn’t have the role, the user gets a message that they should receive an email with a link, and the email does get sent and works as expected. However, if the user has the role, instead of failing, or saying the user should receive an email but not receiving one, the user is automatically logged into the application, with no prompt for a password or anything! It must have to do with the flow configuration, but I have no idea how this is happening. I am attaching a picture of the flow configuration. Perhaps someone can shed some light on how reset credentials has become login in this case.
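As an added illustration (not the poster's code), here is the shape of such an inverted role condition for the Keycloak Authenticator SPI, together with an alternative that fails the flow outright instead of merely skipping a sub-flow. The class names, the `condNotRole` config key and the factory registration (omitted) are assumptions; note that when a `ConditionalAuthenticator` returns false, Keycloak skips the conditional sub-flow rather than failing it.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.conditional.ConditionalAuthenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;

/** Shared check: does the user selected earlier in the flow carry the role named in the config? */
final class RoleCheck {
    static final String ROLE_KEY = "condNotRole";  // hypothetical config key set in the admin console
    static boolean userHasConfiguredRole(AuthenticationFlowContext ctx) {
        UserModel user = ctx.getUser();                       // set by "Choose User" in Reset Credentials
        AuthenticatorConfigModel cfg = ctx.getAuthenticatorConfig();
        if (user == null || cfg == null) return false;
        RoleModel role = KeycloakModelUtils.getRoleFromString(ctx.getRealm(), cfg.getConfig().get(ROLE_KEY));
        return role != null && user.hasRole(role);
    }
}

/** Inverse of ConditionalRoleAuthenticator: the condition holds only when the user LACKS the role.
 *  Returning false makes Keycloak SKIP the conditional sub-flow (it is not a failure), so every
 *  step placed inside that sub-flow, e.g. sending the reset email, simply never executes. */
class ConditionalNotRoleAuthenticator implements ConditionalAuthenticator {
    @Override public boolean matchCondition(AuthenticationFlowContext ctx) { return !RoleCheck.userHasConfiguredRole(ctx); }
    @Override public void action(AuthenticationFlowContext ctx) { }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}

/** Alternative for a reset flow: a REQUIRED step placed right after "Choose User" that explicitly
 *  fails for role holders, so the flow cannot finish with a user already attached but no steps run. */
class DenyRoleHoldersAuthenticator implements Authenticator {
    @Override public void authenticate(AuthenticationFlowContext ctx) {
        if (RoleCheck.userHasConfiguredRole(ctx)) { ctx.failure(AuthenticationFlowError.INVALID_USER); return; }
        ctx.success();
    }
    @Override public void action(AuthenticationFlowContext ctx) { }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Each class still needs an `AuthenticatorFactory` (or `ConditionalAuthenticatorFactory`) registered under `META-INF/services` before it appears in the flow editor; those are left out here for brevity.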