Run custom authenticator after brokered login in custom flow

Hi all,

Is there a way to configure authenticator executions to run after the IDP brokering completes?

The only way I have figured out how to do this is to create a custom post-broker-login flow, and set it as the IDP’s post-broker-login flow.

While this is technically possible, it means I have to write all of my custom authenticators in such a way that they are able to run for every login from this IDP.

For example, I have a custom authenticator that I only want to run after brokered logins for a specific client. The current approach I have taken is to make the authenticator client-aware, and perform a no-op if the client in the current authentication session doesn’t match the one this is configured for.

Ideally, I would like to create an entire custom browser flow for this client, but i’m unable get my authenticator to run from that flow, as the IDP redirect takes precedence, and after it completes i’m never brought back to my subsequent required authenticators after the redirect in that flow.

Current approach:
client: configured browser flow to redirect to an IDP
custom authenticator: configured in the IDP’s post-login flow

Desired approach:
client: custom browser flow with IDP redirect and custom authenticator
custom authenticator: configured in this flow

Has anyone else had this use case? If so, were you able to implement my desired approach?


Hi Everybody,

I have the same question of trotman23.

My use case
I need to find a way that after performing the authentication through the broker it happens, to be able to validate the email to a webservice and, depending on that validation, ask the user for extra information and add this information later in the Clamis of the Keycloak token.

trotman23 Could you share your post-broker login flow? I think it can work for my use case

Best regards,