Status: Closed
Affects Version/s: None
Fix Version/s: 8.0.2
Sprint: Keycloak Sprint 34
Manually re-configure the "First Broker Login" flow. Basically the REQUIRED and ALTERNATIVE items can't be at the same level now, so there is a need to create an additional REQUIRED subflow and move the ALTERNATIVE items into it.
So for example, instead of a configuration like:
- Review Profile - REQUIRED
- Create User if Unique - ALTERNATIVE
- Handle existing account - ALTERNATIVE
...
There is a need to have this:
- Review Profile - REQUIRED
- Create user or autolink subflow - REQUIRED
  - Create User if Unique - ALTERNATIVE
  - Handle existing account - ALTERNATIVE
  ...
For inspiration, you can create a new Realm in Keycloak 8.0 and take a look at how the default FirstBrokerLogin flow looks in that new realm. You then need to change the flow in existing realms to the same or a similar configuration.
Git Pull Request:
Docs QE Status: NEW
The multifactor authentication prototype has broken the behavior of the default first broker login flow. See: https://issues.jboss.org/browse/KEYCLOAK-11745
The first broker login flow looked as follows in Keycloak versions older than 8.0:
- Review Profile - REQUIRED
- Create User if Unique - ALTERNATIVE
- Handle Existing Account - ALTERNATIVE
  - sub things ....
DefaultAuthenticationFlow.java now has the following code snippet (line 280):
This implies that a user is never created (if unique) and thus never added to the authSession, and therefore the result is an error page with invalid_user_credentials.
Possible fix of this JIRA:
- Create a new class like MigrateTo9_0_0 and register that class in MigrationModelManager.
- In that class, the migration of the flows should be done in such a way that if there is any authentication flow with ALTERNATIVE elements configured after REQUIRED elements at the same level, like this:
we will re-configure it by creating a separate REQUIRED subflow and moving the ALTERNATIVE elements into that subflow. So after migration, it will look like this:
- In case the flow mixes REQUIRED and ALTERNATIVE at the same level, but there are some more REQUIRED elements after the alternatives, we won't do anything. For example, like this:
In that case, we may just need to log a WARNING that the administrator should migrate the flows manually.
- It will be good to add a new test to MigrationTest and ensure that the "First Broker Login" flow looks as expected after the migration (no REQUIRED and ALTERNATIVE at the same level anymore). A bonus would be to trigger a broker login during MigrationTest, but that could be a lot of work (as brokering will need to be set up etc. in MigrationTest). So hopefully manually double-checking the flow content will be fine.
- A new section should be added to the migration documentation. In particular, the documentation should mention that REQUIRED and ALTERNATIVE can't be at the same level anymore and that administrators should change their authentication flows if they use a setup like this. It is recommended to double-check that the configuration of your authentication flows looks as expected and to do some testing to confirm the behaviour is as expected.
- Hint: for inspiration, take a look at the class DefaultAuthenticationFlows and check the history of that class and how the "First Broker Login" flow was re-configured in the commit for adding the authentication prototype - commit for
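The re-configuration rule described in the release note above and in the fix plan (move the ALTERNATIVE executions of a mixed level into a new REQUIRED sub-flow; leave the flow alone and only log a warning when a REQUIRED follows an ALTERNATIVE), as an added runnable model. This is not Keycloak's own migration code: it uses plain Python dataclasses in place of Keycloak's RealmModel/AuthenticationExecutionModel, the sub-flow alias "Create user or autolink" is taken from the note above, the executions under "Handle Existing Account" are a constructed sample standing in for the "sub things", and ignoring DISABLED executions is an assumption. It goes beyond the page in one respect: it applies the rule recursively, so a nested sub-flow with the same REQUIRED/ALTERNATIVE mix is also migrated.

```python
import logging
from dataclasses import dataclass, field
from typing import List, Optional

log = logging.getLogger("flow-migration")

REQUIRED, ALTERNATIVE, DISABLED = "REQUIRED", "ALTERNATIVE", "DISABLED"


@dataclass
class Execution:
    name: str                          # display name of the authenticator or sub-flow
    requirement: str                   # REQUIRED / ALTERNATIVE / CONDITIONAL / DISABLED
    subflow: Optional["Flow"] = None   # set when the execution is itself a sub-flow


@dataclass
class Flow:
    alias: str
    executions: List[Execution] = field(default_factory=list)  # in priority order


def classify(flow: Flow) -> str:
    """Decide what the migration does with one flow level.

    'ok'      - no REQUIRED/ALTERNATIVE mix at this level, nothing to do
    'migrate' - mixed, and every ALTERNATIVE comes after the last REQUIRED
    'manual'  - mixed, but a REQUIRED follows an ALTERNATIVE: only warn
    DISABLED executions are ignored (assumption: they never run anyway).
    """
    reqs = [e.requirement for e in flow.executions if e.requirement != DISABLED]
    if REQUIRED not in reqs or ALTERNATIVE not in reqs:
        return "ok"
    first_alt = reqs.index(ALTERNATIVE)
    if REQUIRED in reqs[first_alt:]:
        return "manual"
    return "migrate"


def migrate_flow(flow: Flow, subflow_alias: Optional[str] = None) -> List[str]:
    """Recursively apply the rule and return messages describing what was changed
    or what the administrator must fix by hand. Sub-flows are flows too, so they
    are handled before their parent is examined."""
    messages: List[str] = []
    for e in flow.executions:
        if e.subflow is not None:
            messages += migrate_flow(e.subflow)

    verdict = classify(flow)
    if verdict == "manual":
        msg = (f"WARNING: flow '{flow.alias}' mixes REQUIRED and ALTERNATIVE with a "
               f"REQUIRED after an ALTERNATIVE; migrate it manually")
        log.warning(msg)
        messages.append(msg)
        return messages
    if verdict == "ok":
        return messages

    alias = subflow_alias or f"{flow.alias} - alternatives"
    alternatives = [e for e in flow.executions if e.requirement == ALTERNATIVE]
    # The new REQUIRED sub-flow takes the position of the first ALTERNATIVE; the
    # leading REQUIRED executions and any DISABLED ones keep their place.
    first_idx = flow.executions.index(alternatives[0])
    new_sub = Execution(alias, REQUIRED, Flow(alias, alternatives))
    rest = [e for e in flow.executions[first_idx:] if e.requirement != ALTERNATIVE]
    flow.executions = flow.executions[:first_idx] + [new_sub] + rest
    messages.append(f"flow '{flow.alias}': moved {len(alternatives)} ALTERNATIVE "
                    f"execution(s) into new REQUIRED sub-flow '{alias}'")
    return messages


def dump(flow: Flow, indent: int = 0) -> List[str]:
    """Render a flow as the indented '- name - REQUIREMENT' list used in this issue."""
    lines = []
    for e in flow.executions:
        lines.append(f"{'  ' * indent}- {e.name} - {e.requirement}")
        if e.subflow is not None:
            lines += dump(e.subflow, indent + 1)
    return lines


def pre_8_first_broker_login() -> Flow:
    """Constructed sample: the pre-8.0 'first broker login' flow. The executions
    under Handle Existing Account are a guess at the 'sub things' and are chosen
    so that the nested level is a mixed level as well."""
    existing = Flow("Handle Existing Account", [
        Execution("Confirm link existing account", REQUIRED),
        Execution("Verify existing account by Email", ALTERNATIVE),
        Execution("Verify Existing Account by Re-authentication", ALTERNATIVE),
    ])
    return Flow("first broker login", [
        Execution("Review Profile", REQUIRED),
        Execution("Create User if Unique", ALTERNATIVE),
        Execution("Handle Existing Account", ALTERNATIVE, existing),
    ])


if __name__ == "__main__":
    flow = pre_8_first_broker_login()
    for m in migrate_flow(flow, "Create user or autolink"):
        print(m)
    print("\n".join(dump(flow)))
```

Running it twice on the same flow is a no-op the second time, which is the property a real MigrateTo* class needs when an admin re-runs a migration; the "manual" verdict is deliberately conservative, since reordering a REQUIRED that sits after alternatives would change which authenticators actually run.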