Need advice on custom authenticator

Hello!

I’ve been trying to wrap up a custom authenticator that presents a registration form to the user, just after he/she is authenticated with a certain 3rd party IDP. This works, kind of, but now that I’m trying to harden the implementation, making it ready for prime time, it’s just not presenting itself as a good solution at all.

The reason for this is that I run into the issue of what happens when I prematurely exit the “first broker” login flow, and then come back a second time. My registration form won’t come into play at all, since it’s no longer the “first broker login”, obviously.

Now I’m grasping for a way to handle all these cases, but I fall short of ideas. So right now, I’m thinking that the whole idea of attaching this custom SPI authenticator to the “first broker login” flow is a flawed idea altogether.

One of the things I’m asking myself is, should I be doing this registration flow outside of the authorization flow in Keycloak, in application land instead?

And the other thing, obviously: is there a better, more robust way of attacking this kind of thing within Keycloak?

Thanks for reading to the end!

I’m going on vacation tomorrow, so I might not respond for a month or so.

Have a nice summer, regardless :sun_with_face:

Your issue shows resemblance to this one: https://issues.redhat.com/browse/KEYCLOAK-8957
I am not sure if they released a proper fix or workaround for it, but it seems reasonable to add a control layer to your custom authenticator, something like:

    import org.keycloak.authentication.AuthenticationFlowContext;
    import org.keycloak.authentication.Authenticator;
    import org.keycloak.models.UserModel;

    public class IncompleteProfileAuthenticator implements Authenticator {
        @Override
        public void authenticate(AuthenticationFlowContext context) {
            // Custom logic to check for incomplete registration
            UserModel user = context.getUser();
            if (isIncompleteProfile(user)) {
                // Redirect to the point where the user left off: render the registration form again
                context.challenge(context.form().createForm("registration-form.ftl"));
            } else {
                // Proceed with normal flow
                context.success();
            }
        }

        private boolean isIncompleteProfile(UserModel user) {
            // Check for incomplete profile attributes; which attribute marks completion is up to you
            return user == null || user.getFirstAttribute("registrationCompleted") == null;
        }

        // action(), requiresUser(), configuredFor(), setRequiredActions() and close() from Authenticator omitted here
    }

Hey, thanks for your reply. What you are writing makes sense, and I think what I’m looking for is how to re-trigger such an authenticator for subsequent logins, not just the first login.

Should I perhaps create another authorization flow, add my custom authenticator to it and then register it like so? :point_down:

That does look like it could work. What do you think?

EDIT: maybe my custom authenticator should only be registered as part of a “Post login flow”?

Hi @dwickstrom,
I don’t know if it is doable from the administration console but I’m curious :face_with_raised_eyebrow: I’ll be following this topic.
Please let me know if you find a solution.

Hey, just to report back: my colleague tried the idea of running the custom authentication not as a “first login flow” but instead as a “Post login flow”, and it worked fine!

So that’s the lesson then, I guess. I think I was fooled by the presence of a “first login” hook - it made me instantly tie myself to it. A little seductive, since it won’t let you replay it if the flow is interrupted; in other words, it just assumes that anything that happens after the identity was successfully provided by a 3rd party shouldn’t affect the state of the user. Or, I don’t know, maybe it’s the wrong way of thinking about it.

Anyhow, glad to have found a solution to it.
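As an added example (not code from any poster in this thread), this is what such a post-login authenticator looks like once the form-submission half is filled in: authenticate() re-renders the registration form on every login until a completion attribute is present, and action() writes that attribute only after the submitted data validates, so an interrupted registration is simply replayed next time. The template name, the attribute name, the required "phone" field and the javax.ws.rs import (Keycloak versions before the jakarta namespace switch) are assumptions.

```java
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class RegistrationFormAuthenticator implements Authenticator {
    // Assumed names: the attribute marking a finished registration and the FreeMarker template
    static final String COMPLETED_ATTR = "registrationCompleted";
    static final String FORM = "custom-registration.ftl";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if (user != null && "true".equals(user.getFirstAttribute(COMPLETED_ATTR))) {
            context.success(); // already registered: pass straight through
            return;
        }
        // Not completed (or interrupted last time): the post-login flow runs on every
        // login, so the form is shown again instead of being lost as in first-broker-login
        context.challenge(context.form().createForm(FORM));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String phone = form.getFirst("phone");
        if (phone == null || !phone.matches("\\+?[0-9]{6,15}")) {
            // Invalid input: re-render the form with an error rather than failing the login
            context.challenge(context.form().setError("invalidPhone").createForm(FORM));
            return;
        }
        UserModel user = context.getUser();
        user.setSingleAttribute("phone", phone);
        user.setSingleAttribute(COMPLETED_ATTR, "true"); // written only after validation succeeds
        context.success();
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The class still needs an AuthenticatorFactory and a META-INF/services entry to show up in the admin console, and it is bound to the identity provider's "Post login flow" rather than "First login flow".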