Reset authentication flow within custom required action

jens1 · May 31, 2021, 4:12pm

Hi all, I need your advice for the following;

I have a custom authenticator that is executed in each browser flow. This authenticator logic uses some user attributes.
In order to populate these attributes, I have a custom required action that the user has to complete once upon registration. Once the required action is completed, the custom authenticator should be executed.

My question is; can I reset the authentication flow after completion of the required action? Prefarably without a re-enter of the user’s credentials.

Thanks in advance,
jens

vogget · June 10, 2021, 8:58pm

I’m trying the same thing: trying to go through the authentication flow when completing a required action.

Something like this has gotten me close (note, this code is called inside a custom required action):

context.getAuthenticationSession().getParentSession().restartSession(context.getRealm());

However the problem is that this call to #restartSession forces the user to log in again, which is what I’m trying to avoid.

I want go through the whole authentication flow, so I guess I want to invalidate the session, but I also want to retain the credentials to do all that without having to log in again.

jens1 · June 12, 2021, 2:31pm

I found a solution: rewriting the redirect URI, so the login flow gets processed again.
For now, my solution only works with OIDC:

private String getLoginUrlFromRequiredActionContext(RequiredActionContext context) {
	String basePath = "/realms/" + context.getRealm().getName() + "/protocol/" + context.getAuthenticationSession().getProtocol() + "/auth";
	try {
		return new URIBuilder(basePath)
				.addParameter(OIDCLoginProtocol.CLIENT_ID_PARAM, context.getAuthenticationSession().getClient().getClientId())
				.addParameter(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, context.getAuthenticationSession().getClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM))
				.addParameter(OIDCLoginProtocol.SCOPE_PARAM, context.getAuthenticationSession().getClientNote(OIDCLoginProtocol.SCOPE_PARAM))
				.addParameter(OIDCLoginProtocol.REDIRECT_URI_PARAM, context.getAuthenticationSession().getClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM))
				.toString();
	} catch (URISyntaxException e) {
		throw new RuntimeException(e);
	}
}

Then, wherever you call context.success() in your required action, also reset the redirect URI like this:

context.success();
context.getAuthenticationSession().setRedirectUri(getLoginUrlFromRequiredActionContext(context));

Because there already is an ongoing session, the cookie authenticator will login the user without entering his password. The other authenticators configured in your browser flow will then be executed.

Any tips on how to improve the getLoginUrlFromRequiredActionContext method are welcome.

vogget · June 16, 2021, 11:40am

That solution does indeed work well, thanks!

Topic		Replies	Views
How to redirect user to login on successful completion of a custom required action? Getting advice authentication	3	1041	September 23, 2022
How to enable/disable a required action for a specific client in a realm Getting advice admin-console , authentication , oidc	3	1556	November 17, 2022
Re-run authenticator flow without logging out Getting advice	0	308	July 27, 2021
How to set custom redirect_uri for Credential Reset Action Token Getting advice authentication	0	357	February 24, 2021
Get session login action URL in my custom Authenticator Extending the server authentication	0	132	March 4, 2024

Reset authentication flow within custom required action

Related Topics