"unknown flow provider type" with multiple IDPs on a broker setup

Hello,

we have Keycloak 24 setup as a broker in our external DMZ to link to our internal Keycloak via SAML.

We configured the identity provider on the broker and the client on the internal Keycloak, and the authentication went fine.

We then wanted to add a second IDP to the broker, so that users could choose with which IDP they wanted to authenticate.

The second IDP was also connected via SAML.

However, whenever we try to access the second IDP we get an error:

Failed authentication: org.keycloak.authentication.AuthenticationFlowException: Unknown flow provider type

The IDPs are accessed via a very simple Basic Authentication Flow, containing 2 IDP-Redirector steps, marked as "Alternative".

Is our setup faulty or is this a bug in Keycloak 24?

What else can I provide to help with a diagnosis?

Regards
Ollowain

I guess it’s this bug, which is fixed in 24.0.2:

Don’t know if it also fixes existing flows, perhaps you’ll have to recreate your existing flow.


WRT your description of your use case: I don't understand why you would use two idp-redirectors as alternatives. If the idp-redirectors are the default ootb ones, that doesn't make sense to me.
What exactly do you want to achieve?

Hi,

thank you for the information.
It seems that this is exactly what is causing our problems.

As to your question on what we are trying to do:
As of this moment we are merely playing around with Keycloak and its possibilities.

Let’s say I have three different IDPs for my customers.
And for specific clients I want only 2 of them visible on the broker screen.

Then I could go and create an authflow that has two IDP-Redirector-Steps, with a specific IDP set for each one? Would that work?

Regards,
Ollowain

We have updated to 24.0.2

When I use an auth flow with a single IDP-Redirector and I don't specify which IDP it should use, I still get an Authentication Exception in the logs.
Though not the same as before, it doesn't say what exactly went wrong…

However when I specify an IDP to use in the step it works as expected.

I had hoped that by leaving the default IDP field empty, Keycloak would show separate buttons to log in with the IDP of your choice?

Is this still a technical problem or is my configuration wrong?

UPDATE:
I can get it to work if I include a username/password step in the auth flow.
Then Keycloak shows the standard login form and below that the 2 IDP-Login buttons.
But we want to see only the buttons for the IDPs.
Is that possible?

Regards,

Ollowain

The idp redirector authenticator is not about giving a choice to the user, it’s only about redirecting upon certain conditions (either query param or default config). If no condition is met, it does nothing.

As you already found out, the user has the choice of the configured IdPs on the username / username-password form itself. There's no option to "just display the IdP options" ootb. The easiest approach would be to adjust the login.ftl in your custom theme to not show the form, but only the idp-buttons.
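A minimal `login.ftl` override that does what the last reply suggests, added here as an example and not taken from the thread or from Keycloak's own theme sources; it assumes the variable and property names of the Keycloak 24 base login theme (`social.providers`, `p.loginUrl`, `p.iconClasses`, `properties.kcFormSocialAccount*`), which should be checked against the `login.ftl` shipped with the installed version, and `<your-theme>` is a placeholder.

```freemarker
<#-- themes/<your-theme>/login/login.ftl (theme name is a placeholder)
     Overrides the base login page so that only the identity-provider
     buttons are rendered. The browser flow must still contain the
     Username Password Form step: that step is what renders this page,
     the theme only changes what the page shows. -->
<#import "template.ftl" as layout>
<@layout.registrationLayout displayInfo=false displayMessage=true; section>
    <#if section = "header">
        ${msg("loginAccountTitle")}
    <#elseif section = "form">
        <#-- social.providers (name assumed from the base theme) holds the
             realm's enabled IdPs that are not flagged "hide on login page" -->
        <#if social.providers??>
            <div id="kc-social-providers" class="${properties.kcFormSocialAccountSectionClass!}">
                <h2>${msg("identity-provider-login-label")}</h2>
                <ul class="${properties.kcFormSocialAccountListClass!}">
                    <#list social.providers as p>
                        <li>
                            <#-- p.loginUrl already carries the client_id, tab_id and
                                 session_code of the current authentication session,
                                 so the redirect stays bound to this login attempt -->
                            <a id="social-${p.alias}"
                               class="${properties.kcFormSocialAccountListButtonClass!}"
                               href="${p.loginUrl}">
                                <#if p.iconClasses?has_content>
                                    <i class="${properties.kcCommonLogoIdP!} ${p.iconClasses!}" aria-hidden="true"></i>
                                </#if>
                                <span class="${properties.kcFormSocialAccountNameClass!}">${p.displayName!}</span>
                            </a>
                        </li>
                    </#list>
                </ul>
            </div>
        <#else>
            <#-- No IdP is enabled for this realm: say so rather than
                 rendering an empty page (plain text, not a message key) -->
            <p>No identity provider is available for login.</p>
        </#if>
    </#if>
</@layout.registrationLayout>
```

Hiding the form only changes what is rendered: the Username Password Form authenticator is still in the flow and still processes a submitted POST, so this is a presentation choice, not an access-control measure.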