Need some help understanding authenticators and required actions. Shouldn’t Keycloak display a required action for an authenticator before moving to another authenticator in my flow? Let’s say I have authenticator A and authenticator B. They are in the flow after the password form. All are set to required. Here’s what happens:
Authenticator A returns false for isConfiguredFor(). Keycloak then calls A.getRequiredActions() followed by A.setRequiredActions(). That makes sense.
Next, A.authenticate() is called. Shouldn’t that not be called yet because the required action hasn’t executed? I am calling context.success() in A.authenticate() because there is nothing to authenticate. A is really just a placeholder to cause the required action to occur.
The next thing that happens is authenticator B is called. B.authenticate calls context.challenge() and then B.action is called and if the user enters the right code, the authentication completes.
Now, after authenticator B is complete, the required action from A is finally displayed. How do I get the required action displayed in the right place?
I have run and built the “secret question” example and based my code on that. It seems to work as I expected - the action to set up the question is displayed and authenticate is never called.
Here’s my flow as described in this question. I intend to add another auth check into the flow later on the same level as SMS. Either SMS or OTP will be presented to the user based on his or her choice from the “Select 2FA Authentication Type” authenticator.