Retry idp authentication step to select external account

Hello.

I have a custom identity provider that uses OAuth2 to authenticate in some external service. The provider is rather trivial, and authentication works without any problems.

I need to implement the following additional scenario:

  1. A user can have multiple accounts in the external service
  2. Only accounts using some predefined email domain are allowed
  3. If a user tries to authenticate with some other account, the authorization step must be replayed and an additional parameter must be passed to the external service’s auth endpoint to force account selection.
  4. The user’s account must be created only after authenticating with the allowed domain.

I partially succeeded in this by redirecting to the external auth endpoint from the idp authorization callback using the idp endpoint URL as “redirect_url”. It works, except I have a “Page expired” Keycloak page after the successful second authorization (and the link “proceed with authorisation” successfully finishes the process).

So it looks like I have to update something in an authorization session before doing external redirect, like clientSessionCode or something like that.

So the question is, what is the right approach to repeat the idp authorization step properly and keep the session consistent, to get rid of the “Page expired” error? I’ve also tried to use an additional authenticator and use resetFlow, but it looks like it’s even more complicated.

Thanks!
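The two pieces the scenario above needs, written out as an added example that is not code from the post or from Keycloak: an exact-domain check on the account the external service returns, and a replay of the authorization request that forces account selection while staying bound to the same login attempt. It assumes the external service honours the OpenID Connect `prompt=select_account` parameter (an assumption; the post does not name the parameter), and the `session` dict is a constructed stand-in for the broker's authentication-session storage. The new `state` is generated fresh for the replay but stored in the same session, which is what keeps the second callback tied to the original attempt rather than looking like an expired page.

```python
import secrets
import urllib.parse

# Constructed allowlist for illustration; the real value would come from provider config.
ALLOWED_DOMAINS = {"example.com"}


def email_domain_allowed(email, allowed_domains=ALLOWED_DOMAINS):
    """Return True only if the part after the single '@' exactly matches an allowed domain.

    Comparing the whole domain (lower-cased) rather than using endswith/substring
    checks means 'bob@evil-example.com' or 'bob@example.com.attacker.net' are rejected.
    """
    if not email or email.count("@") != 1:
        return False
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        return False
    return domain.lower() in {d.lower() for d in allowed_domains}


def build_select_account_url(auth_endpoint, client_id, redirect_uri, state,
                             login_hint=None, scope="openid email"):
    """Build the authorization URL for the replayed step.

    prompt=select_account is the standard OIDC way to force the account chooser
    (assumed to be supported by the external service).
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "prompt": "select_account",
    }
    if login_hint:
        params["login_hint"] = login_hint
    return auth_endpoint + "?" + urllib.parse.urlencode(params)


def handle_callback(session, returned_state, email, *, auth_endpoint, client_id,
                    redirect_uri, max_retries=3):
    """Decide what to do after the external service redirects back to the broker.

    session is a dict standing in for the real authentication session (constructed).
    Returns one of:
      ("create_account", email)  the account uses an allowed domain
      ("retry", url)             send the user back to pick another account
      ("deny", reason)           state mismatch or too many retries
    """
    # The callback must carry the state issued for this attempt; constant-time compare.
    if not secrets.compare_digest(session.get("state", ""), returned_state or ""):
        return ("deny", "state mismatch")

    if email_domain_allowed(email):
        # Only now is it safe to provision the local user.
        return ("create_account", email)

    if session.get("retries", 0) >= max_retries:
        return ("deny", "too many account selections")

    # Fresh state for the replayed request, kept in the SAME session so the next
    # callback still belongs to this login attempt.
    session["state"] = secrets.token_urlsafe(32)
    session["retries"] = session.get("retries", 0) + 1
    url = build_select_account_url(auth_endpoint, client_id, redirect_uri, session["state"])
    return ("retry", url)


if __name__ == "__main__":
    # Constructed walk-through: first callback returns an account from the wrong domain.
    sess = {"state": "initial-state"}
    print(handle_callback(sess, "initial-state", "bob@other.org",
                          auth_endpoint="https://idp.example/authorize",
                          client_id="broker", redirect_uri="https://kc.example/cb"))
    # Second callback, with the new state, returns an allowed account.
    print(handle_callback(sess, sess["state"], "alice@example.com",
                          auth_endpoint="https://idp.example/authorize",
                          client_id="broker", redirect_uri="https://kc.example/cb"))
```

The retry cap matters in practice: a user who keeps choosing a disallowed account would otherwise loop through the chooser indefinitely, and each replay consumes a fresh state value.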