- Feature
- Resolution: Unresolved
- 24.0.5
Narrative
We would like to use Keycloak to make decisions within authentication flows, for example who is allowed to log in to a specific client and who is not. For instance, for some clients we may want to make OTP compulsory, while for other clients we may want to deny access based on user role. This works well for realms that have no connected identity providers.
However, our users come mainly from external identity providers, and the problem is that authentication flows are not fully applied when logging in via an identity provider: no action in the authentication flow (e.g. OTP, deny access) is executed after a user logs in through the identity provider.
As of now, when logging in with an IdP, Keycloak/RHBK delegates authentication to the third-party IdP, and there is no assumption that authentication returns to the "browser" flow and continues from there. There is also the post-broker login flow.
However, using the "Post Broker" authentication flow is out of the question and not acceptable for our use case. We need to use client-specific flows to meet our requirements, since the client MUST decide about the authentication flow, NOT the identity provider.
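As an added example (not part of this issue or of Keycloak itself), the following audit reads a realm export and flags the gap described above: clients whose browser-flow override enforces OTP or deny-access, paired with the enabled identity providers whose post-broker login flow does not re-enforce those authenticators. The export keys used (authenticationFlowBindingOverrides, postBrokerLoginFlowAlias, authenticationExecutions) are the standard realm-export ones; the realm content, client names and flow aliases are constructed.

```python
# Authenticators whose presence means a flow enforces something a brokered login would skip.
ENFORCING = {"auth-otp-form", "deny-access-authenticator"}
# Constructed sample realm export, trimmed to the keys this audit reads (not from the page).
REALM = {
    "authenticationFlows": [
        {"id": "f-otp", "alias": "browser-otp", "authenticationExecutions": [
            {"flowAlias": "browser-otp forms", "requirement": "ALTERNATIVE", "authenticatorFlow": True}]},
        {"id": "f-otp-forms", "alias": "browser-otp forms", "authenticationExecutions": [
            {"authenticator": "auth-username-password-form", "requirement": "REQUIRED", "authenticatorFlow": False},
            {"authenticator": "auth-otp-form", "requirement": "REQUIRED", "authenticatorFlow": False}]},
        {"id": "f-deny", "alias": "deny-non-admins", "authenticationExecutions": [
            {"authenticator": "conditional-user-role", "requirement": "REQUIRED", "authenticatorFlow": False},
            {"authenticator": "deny-access-authenticator", "requirement": "REQUIRED", "authenticatorFlow": False}]},
    ],
    "clients": [
        {"clientId": "vpn-portal", "authenticationFlowBindingOverrides": {"browser": "f-otp"}},
        {"clientId": "ops-dashboard", "authenticationFlowBindingOverrides": {"browser": "f-deny"}},
        {"clientId": "public-wiki", "authenticationFlowBindingOverrides": {}},
    ],
    "identityProviders": [
        {"alias": "corp-saml", "enabled": True, "postBrokerLoginFlowAlias": None},
        {"alias": "github", "enabled": True, "postBrokerLoginFlowAlias": "browser-otp forms"},
    ],
}

def flow_authenticators(realm, ref):
    """Enabled authenticator ids of the flow named by id or alias, descending into sub-flows."""
    flow = next((f for f in realm["authenticationFlows"] if ref in (f["id"], f["alias"])), None)
    found = set()
    for ex in (flow or {}).get("authenticationExecutions", []):
        if ex.get("requirement") == "DISABLED":
            continue
        if ex.get("authenticatorFlow"):
            found |= flow_authenticators(realm, ex["flowAlias"])
        else:
            found.add(ex["authenticator"])
    return found

def audit(realm):
    """Clients whose browser override enforces OTP/deny-access -> IdPs whose post-broker flow does not."""
    findings = {}
    for client in realm["clients"]:
        override = client.get("authenticationFlowBindingOverrides", {}).get("browser")
        required = flow_authenticators(realm, override) & ENFORCING if override else set()
        gaps = [idp["alias"] for idp in realm["identityProviders"] if required and idp.get("enabled", True)
                and not required <= flow_authenticators(realm, idp.get("postBrokerLoginFlowAlias") or "")]
        if gaps:
            findings[client["clientId"]] = gaps
    return findings
```

A client that is listed here relies on a browser-flow override that a login through the named IdP never executes, which is exactly the behaviour this issue asks to change.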
Value Proposition
- Enhanced authentication flows should also work with brokered IdPs
- Unlock client-specific requirements for authentication flows in identity brokering use cases
Goals
- Ability for users from external identity providers to execute the desired authentication flow after identity provider login.
Implementation note
- References to existing issues/discussions:
-> https://github.com/keycloak/keycloak/issues/10250
-> https://github.com/keycloak/keycloak/pull/12891
-> https://github.com/keycloak/keycloak/discussions/13743
- links to