I’ve been trying to wrap up a custom authenticator that presents a registration form to the user, just after he/she is authenticated with a certain 3rd party IDP. This works, kind of, but now that I’m trying to harden the implementation, making it ready for prime time, it’s just not presenting itself as a good solution at all.

The reason for this is that I run into the issue of what happens when I prematurely exit the “first broker” login flow, and then come back a second time. My registration form won’t come into play at all, since it’s no longer the “first broker login”, obviously.

Now I’m grasping for a way to handle all these cases, but I fall short of ideas. So right now, I’m thinking that the whole idea of attaching this custom SPI authenticator to the “first broker login” flow is a flawed idea altogether.

One of the things I’m asking myself is, should I be doing this registration flow outside of the authorization flow in Keycloak, in application land instead?

And the other thing, obviously: is there a better, more robust way of attacking this kind of thing within Keycloak?

Your issue shows resemblances with this:
I am not sure if they released a proper fix or workaround for it, but it seems reasonable to go for adding a control layer to your custom authenticator, something like:

```java
public void authenticate(AuthenticationFlowContext context) {
    // Custom logic to check for incomplete registration
    UserModel user = context.getUser();
    if (isIncompleteProfile(user)) {
        // Redirect to the point where the user left off
    } else {
        // Proceed with normal flow
        context.success();
    }
}

private boolean isIncompleteProfile(UserModel user) {
    // Check for incomplete profile attributes
    // ("registration_complete" is a hypothetical marker attribute)
    return !"true".equals(user.getFirstAttribute("registration_complete"));
}
```

Hey, thanks for your reply. What you are writing makes sense, and I think what I’m looking for is how to re-trigger such an authenticator for subsequent logins, not just the first login.

Should I perhaps create another authorization flow, add my custom authenticator to it and then register it like so? :point_down:

That does look like it could work. What do you think?

EDIT: maybe my custom authenticator should only be registered as part of a “Post login flow”?
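
An added example, not code from any poster in this thread: one way an authenticator can gate every login on a completion marker, so that abandoning the first broker login does not skip the registration form on the next visit. The attribute name, template name and form field are hypothetical, and the `jakarta.*` imports assume a recent Keycloak release.

```java
import jakarta.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

public class CompleteRegistrationAuthenticator implements Authenticator {
    // Hypothetical names. Assumption: users cannot edit the marker attribute themselves.
    static final String DONE_ATTR = "registration_complete";
    static final String FORM = "complete-registration.ftl";
    static final String FIELD = "company";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        if ("true".equals(user.getFirstAttribute(DONE_ATTR))) {
            context.success(); // registration finished on an earlier login
            return;
        }
        // No marker yet: show the form, whether this is the first login or the tenth.
        context.challenge(context.form().createForm(FORM));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form =
                context.getHttpRequest().getDecodedFormParameters();
        String value = form.getFirst(FIELD);
        if (value == null || value.isBlank()) {
            // Re-display the form; the marker stays unset, so the step cannot be bypassed.
            context.challenge(context.form()
                    .setError("missingCompanyMessage") // hypothetical message key
                    .createForm(FORM));
            return;
        }
        UserModel user = context.getUser();
        user.setSingleAttribute(FIELD, value.trim());
        user.setSingleAttribute(DONE_ATTR, "true"); // written only after validation passes
        context.success();
    }

    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Keycloak loads an authenticator like this through an `AuthenticatorFactory`, and it only re-triggers if it is bound to a flow that runs on every brokered login, such as the post login flow mentioned above.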

