Keycloak / KEYCLOAK-19398

Password Form not available as an alternative login method for LDAP users


Details

    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 14.0.0
    • Backlog
    • LDAP

      Create the following authentication flow:

      • REQUIRED: Username Form
      • REQUIRED: Flow
        • ALTERNATIVE: Password Form
        • ALTERNATIVE: WebAuthn Authenticator

      Create an internal and an LDAP user, equip both of them with a WebAuthn authenticator device. The internal user will be able to choose both authentication methods, while the LDAP user will only be able to use WebAuthn.


    Description

      Similar to https://issues.redhat.com/browse/KEYCLOAK-15440, but still affects newer versions (tested on 14.0.0). When using a flow containing a Username Form and a sub-flow with multiple authentication methods (one of them being Password Form), Password Form is not offered as an alternative. When it is set as required, the form appears correctly and logging in works. It seems AuthenticationSelectionResolver does not consider the method applicable, but uses it anyway when it has no choice.

      DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-20) check execution: 'auth-password-form', requirement: 'ALTERNATIVE'
      DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-20) authenticator: auth-password-form
      DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-20) Going through the flow 'Authentication Flow' for adding executions
      DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-20) Selections when trying execution 'auth-password-form' : [ authSelection - webauthn-authenticator-passwordless]
      DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-20) invoke authenticator.authenticate: webauthn-authenticator-passwordless
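
A log check for the symptom shown above, added here as an example and not part of the original report or of Keycloak: it flags every ALTERNATIVE execution that was checked but is missing from its own selection list. The function name, the sample lines for "default task-21", and the assumption that an offered method appears in the list under the same id as the execution are all hypothetical.

```python
import re

# Patterns follow the DEBUG lines quoted in this issue.
CHECK_RE = re.compile(r"check execution: '([^']+)', requirement: '([A-Z]+)'")
SELECT_RE = re.compile(r"Selections when trying execution '([^']+)' : \[(.*)\]")
OPTION_RE = re.compile(r"authSelection - ([\w.-]+)")
THREAD_RE = re.compile(r"\(([^)]+)\)")

# Constructed sample: task-20 mirrors the issue's log; task-21 is a made-up
# healthy login, assuming offered options are listed in the same notation.
SAMPLE_LOG = """\
DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-20) check execution: 'auth-password-form', requirement: 'ALTERNATIVE'
DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-20) Selections when trying execution 'auth-password-form' : [ authSelection - webauthn-authenticator-passwordless]
DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-21) check execution: 'auth-password-form', requirement: 'ALTERNATIVE'
DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-21) Selections when trying execution 'auth-password-form' : [ authSelection - auth-password-form, authSelection - webauthn-authenticator-passwordless]
""".splitlines()


def find_dropped_alternatives(lines):
    """Return (thread, execution, offered) for each ALTERNATIVE execution
    that was checked but is absent from its own selection list."""
    pending = {}   # thread name -> executions checked as ALTERNATIVE
    findings = []
    for line in lines:
        thread_match = THREAD_RE.search(line)
        thread = thread_match.group(1) if thread_match else "?"
        check = CHECK_RE.search(line)
        if check:
            if check.group(2) == "ALTERNATIVE":
                pending.setdefault(thread, set()).add(check.group(1))
            continue
        sel = SELECT_RE.search(line)
        if sel and sel.group(1) in pending.get(thread, set()):
            offered = OPTION_RE.findall(sel.group(2))
            if sel.group(1) not in offered:
                findings.append((thread, sel.group(1), offered))
            pending[thread].discard(sel.group(1))
    return findings


if __name__ == "__main__":
    for thread, execution, offered in find_dropped_alternatives(SAMPLE_LOG):
        print(f"{thread}: '{execution}' is ALTERNATIVE but only {offered} offered")
```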

    People

      Assignee: Unassigned
      Reporter: Max Sennenheizer (max_privatevoid, Inactive)