opened 09:11PM - 16 Feb 25 UTC
kind/bug
status/triage
area/identity-brokering
team/core-iam
### Before reporting an issue
- [x] I have read and understood the above terms … for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
### Area
identity-brokering
### Describe the bug
I've developed a custom Keycloak Authenticator (PinCodeVerificationAuthenticator) to add PIN code verification as a second factor during authentication. This authenticator is configured to check if the client ID is in a list of clients that require PIN verification, loaded from the authenticator's configuration.
The authenticator works perfectly when used in the Registration Flow. During registration, the configuration is loaded correctly, the client ID is checked, and the PIN verification form is presented as expected.
However, when I try to use the same PinCodeVerificationAuthenticator in the First Broker Login Flow (specifically for Google Social Login), I encounter a java.lang.NullPointerException. The logs clearly show that the AuthenticatorConfigModel is null within the authenticate() method of my custom authenticator in the Broker Login Flow context.
```java
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.AuthenticatorConfigModel;

public class PinCodeVerificationAuthenticator implements Authenticator {
    private static final Logger log = Logger.getLogger(PinCodeVerificationAuthenticator.class);

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // Config attached to this execution; returns null in the First Broker Login Flow
        AuthenticatorConfigModel configModel = context.getAuthenticatorConfig();
        log.info("Started pincode checking");
        String clientId = context.getAuthenticationSession().getClient().getClientId();
        log.info("Client id: " + clientId);
        // Comma-separated list of client IDs that must pass PIN verification
        String clientsRequiringPinVerificationConfig =
            configModel.getConfig().get("clientsRequiringPinVerification"); // NullPointerException here
        // ... rest of the code ...
    }
}
```
These are the logs in the first-broker-login

And these are the ones in the registration flow

### Version
26.1.2
### Regression
- [ ] The issue is a regression
### Expected behavior
After successful Google authentication, the PinCodeVerificationAuthenticator should execute, load its configuration, check the client ID, and present the PIN verification form (verify-pincode.ftl) if the client is in the clientsRequiringPinVerification list.
### Actual behavior
A NullPointerException occurs in the authenticate() method of PinCodeVerificationAuthenticator because context.getAuthenticatorConfig() returns null in the First Broker Login Flow context. The PIN verification form is not shown, and authentication fails.
### How to Reproduce?
- Keycloak running with Google Identity Provider configured.
- Custom PinCodeVerificationAuthenticator.jar deployed.
- Client application (e.g., account-console) in Keycloak.
- verify-pincode.ftl template deployed.

Configure in Registration Flow (verify working; optional, but helpful to show contrast):
1. In Keycloak Admin Console, add PinCodeVerificationAuthenticator to "Registration Flow".
2. Configure it with clientsRequiringPinVerification = account-console (or your client ID).
3. Set execution to "REQUIRED".
4. (Optional) Verify the registration flow works and shows the PIN form.

Configure in First Broker Login Flow (reproduce error):
1. In Keycloak Admin Console, add PinCodeVerificationAuthenticator to "First Broker Login Flow".
2. Crucially, configure it in "First Broker Login Flow" with clientsRequiringPinVerification = account-console.
3. Set execution to "REQUIRED".
4. Save "First Broker Login Flow".

Trigger Google Login:
1. Attempt Google login via account-console (or your test client).

Observe Error:
1. Authentication fails.
2. Check Keycloak server logs for NullPointerException and Authenticator Config Model: null in the "first-broker-login" flow.
### Anything else?
_No response_
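A fail-closed version of the same authenticator, added here as an illustration and not the reporter's code or Keycloak's own: when no configuration is attached to the execution it fails the flow instead of throwing or skipping the second factor. It assumes the config key, template name and comma-separated client list described in the report, and the fallback lookup of the config by the execution's config id is an assumption about the realm API, not a documented workaround.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
public class PinCodeVerificationAuthenticator implements Authenticator {
    private static final Logger log = Logger.getLogger(PinCodeVerificationAuthenticator.class);
    static final String CLIENTS_KEY = "clientsRequiringPinVerification"; // key from the report
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        Set<String> clients = clientsRequiringPin(context);
        if (clients == null) {
            // No config reachable for this execution: fail closed rather than silently skipping the second factor.
            log.error("No authenticator config for " + CLIENTS_KEY + " in this flow; refusing login");
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }
        String clientId = context.getAuthenticationSession().getClient().getClientId();
        if (!clients.contains(clientId)) {
            context.success(); // this client is not on the PIN list
            return;
        }
        context.challenge(context.form().createForm("verify-pincode.ftl"));
    }
    /** Parses the comma-separated client list; returns null when no config is attached to the execution. */
    static Set<String> clientsRequiringPin(AuthenticationFlowContext context) {
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        if (cfg == null && context.getExecution() != null && context.getExecution().getAuthenticatorConfig() != null) {
            // Fallback (assumption): resolve the config id stored on the execution directly from the realm.
            cfg = context.getRealm().getAuthenticatorConfigById(context.getExecution().getAuthenticatorConfig());
        }
        if (cfg == null || cfg.getConfig() == null) return null;
        String raw = cfg.getConfig().get(CLIENTS_KEY);
        if (raw == null) return Collections.emptySet();
        return Arrays.stream(raw.split(",")).map(String::trim).filter(s -> !s.isEmpty()).collect(Collectors.toSet());
    }
    @Override public void action(AuthenticationFlowContext context) { /* validate the submitted PIN, then success() or failure() */ }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

With the execution marked REQUIRED, a missing config now shows up as a logged flow failure rather than a stack trace, and a client on the list can never reach the account without the PIN step.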
Can someone please help me with this issue?