Why does IdP Redirect terminate the flow?

Hi there,

My use case is to follow up several browser authentication methods (Cookie, Username/Password, IdP Redirect) with one common execution. That execution enriches the authenticated user with certain attributes before the ID token is sent to the client. It could also be a MFA execution, or any other functionality that should be carried out afterwards.

I tried to do so by creating a required parent step that included all alternative authentication executions, and followed this parent up with another required step which included my custom execution, which seemed to work well for cookie and user/pass authentication. The custom execution never triggered for IdP redirection however.

That seems not very intuitive to me and I’d like to understand why. Going into every single configured IdP and adding a post-login flow seems rather hacky to me, because I am not trying to do anything IdP specific.

Hmmm, I will try to rephrase my question in case it was unclear:

I would like to follow up all successful browser authentication methods (cookie, credentials, IdP redirect, …) with a certain action. In this context, is it somehow possible to follow up the IdP Redirect with an action, or does it always end the browser authentication flow? I do not want to manually set every single IdP to a certain post-login flow if I can avoid it.

I am not scared of implementing a provider if that helps.

With the redirect to the external IdP, the user exits the browser flow. There’s AFAIK no way to continue this flow after returning from the IdP. As you already found out, the first broker login / post login flows are the only ones being executed.


Thank you very much for clarifying!

I was hoping there was maybe a means to track the authentication process of a user who temporarily leaves our domain for the IdP via state or nonce, and follow up the flow in such a way. I don’t know if that makes sense?

But I will use post-login flows for now as this seems to be the recommended way.
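Since, as the reply above says, the step after the browser flow's authentication block never runs for users who come back from an external IdP, the per-IdP post-login flow is the only place where enrichment or MFA is enforced for brokered logins. That makes "does every IdP actually point at that flow?" a configuration check worth automating. The following is an added example, not code from any post in this thread or from Keycloak itself: it audits a list of identity-provider representations (a constructed sample of what `GET /admin/realms/{realm}/identity-provider/instances` returns; the field names `alias`, `enabled` and `postBrokerLoginFlowAlias`, and the admin path, are assumed to match Keycloak's `IdentityProviderRepresentation`) and builds the `PUT` payloads that would bring non-compliant IdPs in line.

```python
"""Audit which identity providers route returning users through a post-login flow.

Added example for this thread; not Keycloak code. Assumes the field names of
Keycloak's IdentityProviderRepresentation (alias, enabled,
postBrokerLoginFlowAlias) and the admin REST path
/admin/realms/{realm}/identity-provider/instances/{alias}. All sample data
below is constructed for the example.
"""

# Constructed sample: roughly what GET .../identity-provider/instances returns.
SAMPLE_IDPS = [
    {"alias": "corp-saml", "enabled": True, "providerId": "saml",
     "postBrokerLoginFlowAlias": "post-login-enrich"},
    {"alias": "github", "enabled": True, "providerId": "github",
     "postBrokerLoginFlowAlias": ""},              # set to empty string
    {"alias": "partner-oidc", "enabled": True, "providerId": "oidc"},  # key absent
    {"alias": "legacy-idp", "enabled": False, "providerId": "oidc",
     "postBrokerLoginFlowAlias": "some-other-flow"},
]


def idps_missing_post_login_flow(idps, flow_alias):
    """Return aliases of IdPs whose post-login flow is not `flow_alias`.

    An unset or empty postBrokerLoginFlowAlias means a user returning from
    that IdP skips the enrichment/MFA step entirely.  Disabled IdPs are
    reported too: re-enabling one later would reopen the gap unnoticed.
    """
    return [
        idp["alias"]
        for idp in idps
        if idp.get("postBrokerLoginFlowAlias") != flow_alias
    ]


def build_updates(realm, idps, flow_alias):
    """Build (path, payload) pairs for the admin PUT on each non-compliant IdP.

    The admin API replaces the whole representation on PUT, so each payload
    is a copy of the existing representation with only
    postBrokerLoginFlowAlias changed; the input list is left untouched.
    """
    updates = []
    for idp in idps:
        if idp.get("postBrokerLoginFlowAlias") == flow_alias:
            continue
        payload = dict(idp)
        payload["postBrokerLoginFlowAlias"] = flow_alias
        path = f"/admin/realms/{realm}/identity-provider/instances/{idp['alias']}"
        updates.append((path, payload))
    return updates


if __name__ == "__main__":
    wanted = "post-login-enrich"
    missing = idps_missing_post_login_flow(SAMPLE_IDPS, wanted)
    print("IdPs without the required post-login flow:", missing)
    for path, payload in build_updates("myrealm", SAMPLE_IDPS, wanted):
        # In a real run, send this as PUT <path> with a bearer token; here we
        # only show the intended change.
        print(f"PUT {path} -> postBrokerLoginFlowAlias="
              f"{payload['postBrokerLoginFlowAlias']!r}")
```

Running this in a pipeline after each realm change (or on a schedule) turns the "hacky" per-IdP setting into something that is at least verified, so a newly added IdP cannot silently bypass the step the browser flow was supposed to enforce.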